Digital Asset Links Failure with LetsEncrypt Certificate


#1

Hi, I am getting a Digital Asset Links failure on domains using a LetsEncrypt certificate.

The same does not happen when using a certificate from ACM on AWS.

What is the reason? Are we doing something wrong?


#2

I don’t know much about Digital Asset Links. A few obvious questions:

  • If you try to visit the HTTPS sites you’ve set up this way with an ordinary web browser, do they trust the certificate? If not, there’s definitely something wrong with the configuration of the web server.
  • Can you try using a test like https://www.ssllabs.com/ssltest/ to see whether they detect any serious problems (it’s not essential to score an A or A+ but their advice is helpful and very bad scores can indicate there’s a problem even if it seems to work in the web browser you try).

It is possible that the DAL system doesn’t trust Let’s Encrypt, but we should rule out other problems first.


#3

The browser does not report any issues. It trusts the certificate.

Following is the report for the domain which uses a LetsEncrypt certificate.


#4

And following is the report for the domain which uses the certificate provided by ACM on AWS.


#5

I had to post 3 times because of:


#6

The only difference I see in the results is that the LetsEncrypt certificate works only in browsers that support SNI. Could this be the problem?


#7

SNI will matter if the server offers several different web sites (different certificates) on the same IP address. In this case, if the Digital Asset Link service didn’t know how to use SNI, it would be shown the wrong certificate and fail.

It is also possible that DAL genuinely doesn’t trust Let’s Encrypt. This is likely to be an oversight rather than an intentional decision. In particular if DAL relies on a Java backend we know older Java versions don’t trust Let’s Encrypt. Current releases do.

Either way I’m afraid there might be nothing you can do except ask them (Google?) to fix it. I’m sure the Let’s Encrypt team would be happy to talk to them if they need any specific technical reassurance but most likely they just need to update something in their service. I know some Googlers but it’s a big company, so I doubt I can help further.
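A quick way to test the SNI explanation given above: compare the certificate the server presents when the client sends SNI with the one it presents when it does not. This is an added example, not code from the original thread; the hostname is a placeholder you replace with your own domain.

```python
"""Probe whether a TLS server depends on SNI to serve the right certificate."""
import hashlib
import socket
import ssl
import sys


def fetch_cert(host, port=443, use_sni=True, timeout=5.0):
    """Return the leaf certificate (DER bytes) from one handshake, or None on failure.

    With use_sni=False the ClientHello carries no server_name extension, so a
    host serving several sites on one IP hands back its default certificate."""
    ctx = ssl.create_default_context()
    # We want to observe what the server sends, not validate it, so disable
    # hostname and chain checks for this probe only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # ssl.SSLError is a subclass; also covers refused/timeout
        return None


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def verdict(der_with_sni, der_without_sni):
    """Pure comparison of the two probe results so it can be checked offline."""
    if der_with_sni is None:
        return "handshake failed even with SNI: the server is unreachable or misconfigured"
    if der_without_sni is None:
        return "server refuses handshakes without SNI: a client lacking SNI cannot connect at all"
    if der_with_sni == der_without_sni:
        return "same certificate with and without SNI: SNI is not the problem"
    return "different certificates: a client without SNI sees %s... instead of %s..." % (
        fingerprint(der_without_sni)[:16], fingerprint(der_with_sni)[:16])


def diagnose(host, port=443):
    """Run both probes against a live host and summarise the outcome."""
    return verdict(fetch_cert(host, port, True), fetch_cert(host, port, False))


if __name__ == "__main__":
    # Placeholder hostname; pass your own domain as the first argument.
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```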


#8

Thanks @tialaramex for the prompt response. Will update how we solved it, if we choose to do so.

