Recent SSL issue when verifying assertion

47 views
Skip to first unread message

James Shore

unread,
Mar 7, 2016, 10:38:49 PM3/7/16
to dev-id...@lists.mozilla.org
My logins started failing today when I try to verify the Persona assertion: “unable to verify the first certificate.”

When I use the command-line `http` tool to do a HTTP GET https://verifier.login.persona.org <https://verifier.login.persona.org/>, I get the following error:

SSLError: EOF occurred in violation of protocol (_ssl.c:590)

But when I load the same URL in Firefox, everything works fine. What could be happening here? I haven’t deployed new code. Is there a server-side config change that’s affecting me in some way?

Thanks,
Jim

--
James Shore - The Art of Agile
recipient of Gordon Pask Award for Contributions to Agile Practice
co-author of The Art of Agile Development

voice: +1 503-267-5490
email: jsh...@jamesshore.com
blog: http://jamesshore.com

stephen...@gmail.com

unread,
Mar 7, 2016, 11:41:46 PM3/7/16
to
Sorry, Jim - I don't have a solution, but wanted to note that Mozilla sites are also affected by something, starting around 7:56p PDT (perhaps earlier).

This is affecting MozTrap, One and Done, Mozillians, One and Done, and probably other sites, on dev, staging, and production.

When we use the "requests" library in Python to verify the cert, we throw:

SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

- Stephen

John Morrison

unread,
Mar 8, 2016, 12:23:44 AM3/8/16
to dev-id...@lists.mozilla.org
On 03/07/16 20:41, stephen...@gmail.com wrote:
Hi, we had a misconfiguration in a change on the backend. Should be
better now. How's it look to you?

John
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity

Daniel Thorn

unread,
Mar 8, 2016, 3:59:53 PM3/8/16
to stephen...@gmail.com, dev-id...@lists.mozilla.org
I updated the ssl certs today, it will be rolled back soon.

On Monday, March 7, 2016, <stephen...@gmail.com> wrote:

> On Monday, March 7, 2016 at 7:38:49 PM UTC-8, James Shore wrote:
> > My logins started failing today when I try to verify the Persona
> assertion: "unable to verify the first certificate."
> >
> > When I use the command-line `http` tool to do a HTTP GET
> https://verifier.login.persona.org <https://verifier.login.persona.org/>,
> I get the following error:
> >
> > SSLError: EOF occurred in violation of protocol (_ssl.c:590)
> >
> > But when I load the same URL in Firefox, everything works fine. What
> could be happening here? I haven't deployed new code. Is there a
> server-side config change that's affecting me in some way?
> >
> > Thanks,
> > Jim
> >
> > --
> > James Shore - The Art of Agile
> > recipient of Gordon Pask Award for Contributions to Agile Practice
> > co-author of The Art of Agile Development
> >
> > voice: +1 503-267-5490
> > email: jsh...@jamesshore.com <javascript:;>
> > blog: http://jamesshore.com
>
> Sorry, Jim - I don't have a solution, but wanted to note that Mozilla
> sites are also affected by something, starting around 7:56p PDT (perhaps
> earlier).
>
> This is affecting MozTrap, One and Done, Mozillians, One and Done, and
> probably other sites, on dev, staging, and production.
>
> When we use the "requests" library in Python to verify the cert, we throw:
>
> SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> - Stephen
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org <javascript:;>
> https://lists.mozilla.org/listinfo/dev-identity
>


--
-Daniel Thorn
Mozilla Services Operations Engineer

Stephen Donner

unread,
Mar 8, 2016, 5:22:25 PM3/8/16
to Daniel Thorn, dev-id...@lists.mozilla.org
Thanks, Daniel -

This indeed fixed it for us.

- Stephen

On 3/7/2016 9:16 PM, Daniel Thorn wrote:
> I updated the ssl certs today, it will be rolled back soon.
>
> On Monday, March 7, 2016, <stephen...@gmail.com
> <mailto:stephen...@gmail.com>> wrote:
>
> On Monday, March 7, 2016 at 7:38:49 PM UTC-8, James Shore wrote:
> > My logins started failing today when I try to verify the Persona
> assertion: "unable to verify the first certificate."
> >
> > When I use the command-line `http` tool to do a HTTP GET
> https://verifier.login.persona.org
> <https://verifier.login.persona.org/>, I get the following error:
> >
> > SSLError: EOF occurred in violation of protocol (_ssl.c:590)
> >
> > But when I load the same URL in Firefox, everything works fine.
> What could be happening here? I haven't deployed new code. Is
> there a server-side config change that's affecting me in some way?
> >
> > Thanks,
> > Jim
> >
> > --
> > James Shore - The Art of Agile
> > recipient of Gordon Pask Award for Contributions to Agile Practice
> > co-author of The Art of Agile Development
> >
> > voice: +1 503-267-5490
> > email: jsh...@jamesshore.com <javascript:;>
> > blog: http://jamesshore.com
>
> Sorry, Jim - I don't have a solution, but wanted to note that
> Mozilla sites are also affected by something, starting around
> 7:56p PDT (perhaps earlier).
>
> This is affecting MozTrap, One and Done, Mozillians, One and Done,
> and probably other sites, on dev, staging, and production.
>
> When we use the "requests" library in Python to verify the cert,
> we throw:
>
> SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> - Stephen
Reply all
Reply to author
Forward
0 new messages