Facebook does not support https://letsencrypt.org/ SSL certificate - What can be done?!

Hi,

Facebook is not supporting the SSL certificate in the webhook registration and, I guess, in the application / canvas page creation either.

There is a problem with your configuration, not Let's Encrypt: https://www.ssllabs.com/ssltest/analyze.html?d=montbot.com&latest The chain issue means you don't provide the correct list of intermediate certificates.

Hi Tom,

Thanks for the rapid reply.
Can you provide more details regarding the chain? I don't have additional certificates for my domain.

Thanks for your help.

Eyal

Use either fullchain.pem or cert.pem + chain.pem.
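Osiris's one-liner is the whole fix, but it helps to see what a client sees when a server hands out cert.pem alone. The script below is an added example written for this thread, not code from Let's Encrypt or from any poster: it splits a PEM bundle, pulls the Subject and Issuer names out of each certificate with a minimal DER walker (standard library only), and checks that each certificate is issued by the one after it. The `fake_cert_pem` builder produces constructed, unsigned certificate-shaped objects purely so the check can be exercised offline; the names `www.example.com`, `Fake Intermediate CA` and `Fake Root CA` are placeholders.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(bundle):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(bundle)]


def _tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield (tag, raw_element_bytes) for each element directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq):
        tag, _, end = _tlv(seq, pos)
        yield tag, seq[pos:end]
        pos = end


def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name encodings.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:               # explicit [0] version tag present
        fields = fields[1:]
    return fields[4][1], fields[2][1]


def check_chain(bundle):
    """Describe how the certificates in `bundle` link: leaf first, its issuer next, and so on."""
    names = [subject_issuer(d) for d in split_pem(bundle)]
    report = {"count": len(names), "linked": False, "ends_in_self_signed": False, "problem": None}
    if not names:
        report["problem"] = "no certificates in bundle"
        return report
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:  # issuer of cert i must equal subject of cert i+1
            report["problem"] = f"certificate {i} is not issued by certificate {i + 1}"
            return report
    report["linked"] = True
    report["ends_in_self_signed"] = names[-1][0] == names[-1][1]
    if len(names) == 1 and not report["ends_in_self_signed"]:
        report["problem"] = "only the leaf is served; the intermediate(s) are missing"
    return report


# --- constructed test material: unsigned stand-ins with a real TBSCertificate layout ---
def _der(tag, payload):
    """Encode one DER element with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName (2.5.4.3), UTF8String } } }"""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate-shaped object (dummy key and signature);
    only useful for exercising the chain-linkage check above."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    rsa_key = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                              + _der(0x05, b"")) + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, b"170101000000Z"))
               + _name(subject_cn) + rsa_key)
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00\x00"))
    b64 = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    leaf = fake_cert_pem("www.example.com", "Fake Intermediate CA")
    intermediate = fake_cert_pem("Fake Intermediate CA", "Fake Root CA")
    print("cert.pem only :", check_chain(leaf))
    print("fullchain.pem :", check_chain(leaf + intermediate))
```

Feed `check_chain` the text of the file your web server is actually configured with: the leaf-only result is exactly what a client such as Facebook's webhook validator sees when cert.pem is served without chain.pem. Byte-equality of DER names is what chain builders try first; it does not cover the case-folding that RFC 5280 name matching allows, and the check cannot tell whether the last certificate leads to a trusted root, since that needs the client's trust store. For a server that is already live, the SSL Labs report Tom linked does both.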

Thanks very much!


Best Regards,
Eyal.

While you’re at it, please fix your OpenSSL Padding Oracle vulnerability (CVE-2016-2107).

Thanks

The fix can be found here:
https://gist.githubusercontent.com/ArturT/bc8836d3bedff801dc324ac959050d12/raw/1b9835fb3585d77bb8955e83d38c0210770058b5/Fix%20OpenSSL%20Padding%20Oracle%20vulnerability%20(CVE-2016-2107)%20-%20Ubuntu%2014.04

Uch, manually compiling and installing a library, that’s quite the ugly fix… :scream:

You sure there isn't another way on a Digital Ocean VM? Wasn't apt-get update & dist-upgrade enough? Because although the Ubuntu Xenial openssl package isn't 1.0.2h but "only" g, 1.0.2g-1ubuntu4.1 does have the patch for CVE-2016-2107 on board!
This was already so on 28 Apr 2016 (a long time before the blog was written, June 7)…

Even the 1.0.2d from Ubuntu 15.10 (Wily) was patched on the same date.

So I would urge everyone to look closely at what you're doing. Distros like Debian/Ubuntu are very security-active, patching packages with security updates without incrementing minor version numbers (probably because of compatibility issues with other packages). Doing radical steps like compiling from source outside of your package manager is most likely not necessary and will only complicate upgrading steps in the future!
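Osiris's point that Ubuntu backports the CVE-2016-2107 fix into 1.0.2g-1ubuntu4.1 without bumping the upstream version is easy to get wrong when you only look at `openssl version`. The snippet below is an added example, not from the thread or from Ubuntu: it reads a Debian-format changelog (the text `apt-get changelog openssl` prints) and decides whether an installed package revision is the entry naming the CVE or a newer one. `SAMPLE_CHANGELOG` is a constructed stand-in in that format, with placeholder maintainer, dates and bullet text; only the two version strings and the CVE id are taken from Osiris's post.

```python
import re

# CONSTRUCTED sample in Debian changelog format: not the real openssl changelog.
# Maintainer, dates and bullet text are placeholders; the version strings and
# the CVE id are the ones mentioned in the thread.
SAMPLE_CHANGELOG = """\
openssl (1.0.2g-1ubuntu4.1) xenial-security; urgency=medium

  * SECURITY UPDATE: padding oracle (constructed entry text)
    - CVE-2016-2107

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 28 Apr 2016 12:00:00 +0000

openssl (1.0.2g-1ubuntu4) xenial; urgency=medium

  * Constructed entry with no security content.

 -- Placeholder Maintainer <maintainer@example.invalid>  Mon, 04 Apr 2016 12:00:00 +0000
"""

# Entry header line: "<source> (<version>) <distribution>; urgency=<level>"
HEADER_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) [^;]+; urgency=\S+", re.M)


def parse_changelog(text):
    """Return [(version, entry_body)] in file order (Debian changelogs are newest first)."""
    headers = list(HEADER_RE.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((h.group("version"), text[h.end():end]))
    return entries


def versions_mentioning(text, cve):
    """Versions whose entry names the CVE exactly (CVE-2016-2107 must not match CVE-2016-21070)."""
    pat = re.compile(re.escape(cve) + r"(?!\d)")
    return [v for v, body in parse_changelog(text) if pat.search(body)]


def is_patched(installed_version, text, cve):
    """True when the installed package revision is the fixing entry or a newer one.
    Ordering is taken from the changelog itself (newest first), so no Debian
    version-comparison logic is needed. Raises if the installed version is absent
    from the changelog, which is what you get for a self-compiled OpenSSL that the
    package manager does not know about."""
    versions = [v for v, _ in parse_changelog(text)]
    if installed_version not in versions:
        raise ValueError(f"{installed_version!r} is not a revision in this changelog")
    fixing = versions_mentioning(text, cve)
    if not fixing:
        return False
    oldest_fix = versions.index(fixing[-1])   # last match = oldest entry naming the CVE
    return versions.index(installed_version) <= oldest_fix


if __name__ == "__main__":
    # With real data: `apt-get changelog openssl` for the text and
    # `dpkg-query -W -f='${Version}\n' openssl` for the installed revision.
    for v in ("1.0.2g-1ubuntu4.1", "1.0.2g-1ubuntu4"):
        print(v, "patched for CVE-2016-2107:", is_patched(v, SAMPLE_CHANGELOG, "CVE-2016-2107"))
```

The useful property is the `ValueError`: a library built from a tarball and installed over the distro copy has no revision string the changelog knows, which is the signal that future `apt-get dist-upgrade` runs will not fix it for you either.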

Please forget that “fix” immediately. Downloading source archives via FTP without verification and running code from it as root? What were you thinking?

Good point, didn't even think about that… You can download the source from an unsecured (e.g. FTP) source, but then you'd have to verify the download through a secured source, e.g. the SHA256 hash or PGP signature (both URLs with HTTPS)…

At worst, @eyalzoref's server is now compromised by some rootkit which was hidden in the MitM'd and manipulated OpenSSL source :disappointed_relieved:

Wow… You are definitely right, guys.
It was the first thing that popped up when I Googled it; that's the link:

What do you suggest to do now?

Thanks,
Eyal


If you’ve got the (original) openssl-1.0.2h.tar.gz still lying around, you can verify the SHA256 hash. That way you at least know you’ve got a safe library installed.

How to revert to Ubuntu's own apt OpenSSL from a manually installed one: don't know.
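The verification Osiris describes, as an added example that is not from the thread: hash the downloaded archive in a streaming fashion, parse the published `sha256sum`-style line, and compare in constant time. `demo()` builds a constructed placeholder archive and sidecar in a temporary directory and then flips one bit to show the check failing; `placeholder-1.0.0.tar.gz` is not a real release.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large tarballs never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256sum(text):
    """Parse `sha256sum` output ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, name = line.split(None, 1)
        name = name.lstrip("*").strip()
        if len(hexdigest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in hexdigest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = hexdigest.lower()
    return expected


def verify_download(path, expected_hex):
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo():
    """Constructed scenario: a 'tarball' with a matching .sha256 sidecar, then a
    one-bit tamper. Returns (verified_before, verified_after_tamper)."""
    name = "placeholder-1.0.0.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, name)
        with open(tarball, "wb") as fh:
            fh.write(os.urandom(3 * 1024 * 1024))       # constructed payload, not real source
        # The sidecar stands in for the digest fetched over HTTPS from the project site.
        sidecar = f"{sha256_file(tarball)}  {name}\n"
        expected = parse_sha256sum(sidecar)[name]
        before = verify_download(tarball, expected)
        with open(tarball, "r+b") as fh:                # flip one bit in the middle
            fh.seek(1024 * 1024)
            byte = fh.read(1)
            fh.seek(1024 * 1024)
            fh.write(bytes([byte[0] ^ 0x01]))
        after = verify_download(tarball, expected)
    return before, after


if __name__ == "__main__":
    print("verified, verified after tamper:", demo())
```

The digest only proves something if it arrived over a channel the downloader trusts: HTTPS from the project's own site, or better a PGP signature checked with `gpg --verify` against a key obtained separately. A digest fetched from the same FTP mirror as the tarball can be replaced together with it, which is the scenario Osiris is worried about.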

How did you know they were vulnerable to that? Did you just know that from the build's info, or did you use a tool? (if it's the latter, I'm interested in knowing which one)


If you didn’t know about ssllabs.com by now…

Ah. Just clicked the link above – I didn’t know they put a warning box if a server has a problem (never saw that before).

I’ve used a few commercial tools that did security checks every night and would notify us on a fail. I figured the poster used something similar, and might be a better alternative to what I’ve used.

