Can't HTTP POST - SSL error

From what I can see:

curl -Iki design.aishowhouse.com
HTTP/1.1 308 Permanent Redirect
Server: openresty/1.15.8.1

it's running on openresty
which is based off nginx
[I personally don't use it but]
I would try looking for your vhost config file in
/etc/nginx/

Our client is getting errors when doing a POST to that domain, and doing either POST/GET from Postman (just to the root domain) gives an SSL expired error

Port 25? 465? 587? 993?
I'm not psychic - help me out! - LOL

Sorry :joy: no specific port, so I guess it's 443 when SSL

That is strange...
I do see the expected chain:

---
Certificate chain
 0 s:/CN=www.cevaz.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Same as:

---
Certificate chain
 0 s:/CN=community.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Can you use Win7 Chrome 94 to get to (this site)?:
https://community.letsencrypt.org/

Windows builds that path for you - it isn't always what the server is sending.

You can't force it - your web server can offer it / suggest it.
But ultimately the client/software decides what it wants to do/build/see/use.

You said "POST"
But I'm not sure if you mean "e-mail" or an HTML POST request.

I mean an HTTP POST request. But if I just do a GET to the domain in Postman, no port defined, I get the error.

I had to take this conversation out of that (way-too-long) topic.

Can you show a picture of the error?
Is there any detail in there?

Sorry, I was on my phone all last night. I really appreciate your help, so I'll try to include more and better info now!

Running:

openssl s_client -connect app.kreditdata.dk:443 -servername app.kreditdata.dk

I'm getting:

Certificate chain
 0 s:CN = app.kreditdata.dk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

So that could mean my chain still includes the old one, but in my ca-certificates.conf that cert is removed.
Trying in postman I get this, just trying a GET request on app.kreditdata.dk (no specified port):
image

Hi,

There is temporary workaround: Settings > General > SSL Certificate verification (disable it)

Postman is built on Electron, which is a combination of Chromium (bits of Google Chrome) and NodeJS.

They have acknowledged the issue here:

And there is a fix in the works for the underlying BoringSSL library integration with Electron:

This is quite an interesting issue, given the prevalence of Electron for everything.

Aha - this is great information, thanks a lot!
So we're probably back to this being an issue on my client's end when they try to access our API.

@emilnygaard
If you aren't serving any older Android devices, you could choose the trust path that ends at the self-signed trusted root "ISRG Root X1".

Another alternative if you need broad client support (especially for old Android versions etc.) is to switch CA (Zero SSL etc.).

The current choice with Let's Encrypt means you can choose between two chains and they both have pros and cons.

My own preference for APIs is to run Cloudflare, which proxies and provides a provisioned cert in front but you also get basic analytics on API calls etc.

I have the same problem! We are running an API within WordPress which connects our products to our licensing system. When I do the following GET request in Postman, I'm getting a cert expired error:

https://agency.enwikuna.de/wp-json/

But when I open the URL manually, everything is fine when checking the certificate. The SSL check also shows the correct chain.

When doing a request within WordPress (PHP), I'm also getting this error:

cURL error 60: SSL certificate problem: certificate has expired

Every customer has the problem as well! This has a huge impact on our products and system, and I don't see a fast solution here...

I took @webprofusion's suggestion and popped Cloudflare in front of our endpoint. The certificate they provide does not include the expired cert, and works for us - at least for now :slight_smile:

But we don't use Cloudflare on our page and we don't want to use it at all :frowning:

Alright, then the solution might be to get a new cert that doesn't use the old root in the chain, as far as I understand.

Looks like the only solution for now... Thanks for your confirmation!
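
The chain comparison done by hand in this thread, as an added example that is not part of any post: a small Python parser for the "Certificate chain" block printed by openssl s_client, reporting whether the server still sends the ISRG Root X1 certificate issued by DST Root CA X3. The sample output, the hostname api.example.test and the function names are constructed for illustration.

```python
import re

# Constructed samples in the two `openssl s_client` layouts seen in this thread;
# api.example.test is a placeholder hostname.
OLD_STYLE_LONG = """\
Certificate chain
 0 s:/CN=api.example.test
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
NEW_STYLE_SHORT = """\
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Matches the CN in both '/C=US/CN=x' and 'C = US, CN = x' (CNs containing
# ',' or '/' would be truncated; fine for the names discussed here).
CN_RE = re.compile(r"(?:^|[/,\s])CN\s*=\s*([^,/]+)")

def common_name(dn):
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        s = re.match(r"\d+\s+s:(.*)", line)
        if s:
            subject = common_name(s.group(1))
        elif line.startswith("i:") and subject is not None:
            chain.append((subject, common_name(line[2:])))
            subject = None
    return chain

def chain_kind(text):
    # 'long': the cross-sign to DST Root CA X3 is served; 'short': the chain
    # stops at an intermediate issued by ISRG Root X1; anything else: 'other'.
    chain = parse_chain(text)
    if ("ISRG Root X1", "DST Root CA X3") in chain:
        return "long"
    if chain and chain[-1][1] == "ISRG Root X1":
        return "short"
    return "other"
```

Paste the text printed by openssl s_client into chain_kind(); a "long" result means the server is still offering the path through DST Root CA X3 that the failing clients in this thread report as expired.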