SSL connection reset error


babs

May 6, 2012, 9:55:50 AM
to shopi...@googlegroups.com
Hello everybody!

This has been bugging me for some time already, but I can't pin down the cause of the problem:

My test app (RoR app) is using OAuth to access a test shop.
When the merchant gets to the app installation page and presses "Install" button, he's redirected back to the RoR app with a temporary token code to be exchanged later.

However, the subsequent request:

with params:
{"grant_type"=>"authorization_code", "code"=>"[HIDDEN]", "client_id"=>"[HIDDEN]", "client_secret"=>"[HIDDEN]", :redirect_uri=>"[HIDDEN]"}
{"Content-Type"=>"application/x-www-form-urlencoded"}

... fails with error:

  Connection reset by peer - SSL_connect

Some time ago, re-creating a test shop helped that, but since recently nothing seems to help.

Before you ask: I'm accessing my app via a public DDNS, not "localhost"; I checked that the firewall does not block HTTPS or any other ports, and I tried the same query via "curl" and got a "normal" response:
{"error":"invalid_request","error_description":"Could not find Shopify API application with api_key: "}
- due to a stale token code, I believe; but still it's not a timeout as seems to be with the app.

Could you help me track down the problem?

Thank you!

David Underwood

May 7, 2012, 11:36:43 AM
to shopi...@googlegroups.com
Hey Slava,

Can you give us the shop and API key you're using? That'll help us dig up the logs and see if there's anything on our end we can help you with. Thanks!

-David Underwood
 Developer Advocate, Shopify

babs

May 8, 2012, 2:17:29 AM
to shopi...@googlegroups.com
Hi David

The shop is "breitenberg-inc9012.myshopify.com", the API key is "873554b0b6b635b90cae98c2fa696709".

--
Slava Kravchenko



David Underwood

May 9, 2012, 9:03:40 AM
to shopi...@googlegroups.com
Thanks for the info. I'm not seeing anything systematic on our end that suggests a problem. I did see some 400 - Bad Request errors but that's it.

One thing I did notice is that there's a high number of 302 redirection responses. It looks like you're requesting access to the same shop over and over when the permission has already been granted.

I'm afraid I don't know what's causing your problem. Have you tried putting your app up on a service like Heroku and seeing if it works from there?

-David Underwood
 Developer Advocate, Shopify

Hein Behrens

May 9, 2012, 6:19:36 PM
to shopi...@googlegroups.com
I get the same error. At first I thought openssl library problem with Ubuntu 12.04. This has been going on for about a month. Very frustrating.

Then the problem disappeared. Now it is back again tonight.

If I comment out the following:

    # get 5 products
    # @products = ShopifyAPI::Product.find(:all, :params => {:limit => 10})

    # get latest 5 orders
    # @orders   = ShopifyAPI::Order.find(:all, :params => {:limit => 5, :order => "created_at DESC" })

It works but of course no product or orders shown.

If I remove the comments it times out with the ssl_connection error.


Thanks

Hein Behrens

Matt Smith-Stubbs

May 10, 2012, 3:53:20 AM
to shopi...@googlegroups.com
I've also noticed this problem on one of my servers two days ago.
It was an Amazon EC2 instance running Ubuntu 12.04.
My other server, which is on Linode running Ubuntu 10.04, doesn't have this issue, so I'm sticking with that for now.

I put it down to the openssl library in 12.04, too, but haven't investigated any further than that.

Slava Kravchenko

May 10, 2012, 3:58:57 AM
to shopi...@googlegroups.com
Those Bad Request errors must be the result of me "curl"ing stuff manually, you may disregard them. As for the redirections, OAuth gem here first tries to send a request to HTTP for some reason, then it is redirected to HTTPS. This doesn't seem to be the cause for the problem, as I tried forcing it to do a HTTPS request initially and it resulted in the same "SSL connection reset" error.

You're correct - the permission is granted despite the error - I can confirm it in the shop admin's console. I just don't receive the final reply to that.

Now after seeing Hein's comment, it makes me wonder if Ubuntu 12.04 has something to do with that. Before I switched to it, it was possible to "fix" the problem by recreating a test shop. But that wasn't a sound solution anyway.

And answering your question - there's no such problem at Heroku or my co-developer's PC (he's using Debian, I believe).





Slava Kravchenko

May 12, 2012, 9:11:01 AM
to shopi...@googlegroups.com
To whom it may concern,

I installed a Debian (6.0.4) in a VirtualBox and tried running my app from there. And it worked!
So, I guess I'm out of Ubuntu league for good now ;-)

Have a great time!



John Piasetzki

May 13, 2012, 7:00:10 AM
to shopify-api
I'm getting a similar error. I tried connecting with openssl (1.0.1c)
and it gave me errors. Any chance the certification might be
incorrectly chained?

$ openssl s_client -showcerts -connect mckenzie-and-sons9821.myshopify.com:443
CONNECTED(00000003)
depth=0 serialNumber = inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr, C = CA, ST = Ontario, L = Ottawa, O = Jaded Pixel Technologies Inc., CN = *.myshopify.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr, C = CA, ST = Ontario, L = Ottawa, O = Jaded Pixel Technologies Inc., CN = *.myshopify.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr, C = CA, ST = Ontario, L = Ottawa, O = Jaded Pixel Technologies Inc., CN = *.myshopify.com
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
0 s:/serialNumber=inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr/C=CA/ST=Ontario/L=Ottawa/O=Jaded Pixel Technologies Inc./CN=*.myshopify.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr/C=CA/ST=Ontario/L=Ottawa/O=Jaded Pixel Technologies Inc./CN=*.myshopify.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1116 bytes and written 542 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID:
175276BE0DE130302A5F9E21B853D28C94364DB82A51A440D2040B91136A6FF2
Session-ID-ctx:
Master-Key:
4C9602799CA8CF6B120D0D07668C36BEA2874FC45C5A6DE866153F2C81813A445D58DB61013118C314A1643D5C945E96
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1336906426
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE


Andreas Rami

May 25, 2012, 6:13:15 AM
to shopi...@googlegroups.com
Hi!

Same problem here!

Also using openssl 1.0.1c

Also browser is reporting that certificate for https://*.myshopify.com is invalid.

So it seems that because of the invalid certificate, openssl 1.0.1c is killing the connection.

Greets

Andreas

John Duff

May 25, 2012, 9:32:23 AM
to shopi...@googlegroups.com
It sounds like this is an issue with OpenSSL on your machine.

Talking to our Ops guys I got this:

With other versions of openssl unless you direct
openssl client to use the right, local certificate repos:

openssl s_client -CApath /etc/ssl/certs -showcerts -connect mckenzie-and-sons9821.myshopify.com:443

(works flawlessly on Ubuntu 10.04 with openssl 0.9.8 and on Ubuntu
12.04 with openssl 1.0.1)

Hopefully that helps.

John Duff
Software Developer @ Shopify.com

Hein Behrens

May 28, 2012, 11:23:15 AM
to shopi...@googlegroups.com
The connect string works for me. Shows me certificate etc. But the app still does not.

What do I need to do to make the ssl connection work with the shopify_app?

Nathan Broadbent

Sep 7, 2012, 7:52:06 AM
to shopify-a...@googlegroups.com, shopi...@googlegroups.com
Just wanted to add that I've also wasted a bit of time on this issue, before finding this thread. I'm not an SSL expert by any means, and this is going out on a limb, but would it be possible to reconfigure the Shopify SSL in some way?
I've written 7 other OAuth integrations in the last few weeks, and this is the first time I've experienced a problem with SSL. This includes other services over HTTPS with custom subdomains, like desk.dom and uservoice.

I understand that Shopify might not be at fault, but it would be awesome if you were able to solve this problem for any future developers.
For now, I'll downgrade OpenSSL to an older version and see if that helps.


Thanks,
Nathan

John Duff

Sep 7, 2012, 8:03:54 AM
to shopify-a...@googlegroups.com, shopi...@googlegroups.com
So far no one has actually provided enough information to debug this
issue fully.

The consensus so far has been that whatever machine is trying to do
the SSL is looking for its local certificates in the wrong place.
This is likely due to an OS update that moved things around.

Using openssl directly on Ubuntu like this should show that the certs are valid:

openssl s_client -CApath /etc/ssl/certs -showcerts -connect shop.myshopify.com:443

Somewhere along the way the browser, or library you are using is
looking for certificates in the wrong place.

John Duff
Software Developer @ Shopify.com
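
An added example, not part of the original thread and not Shopify's or the shopify_app gem's code: it reproduces "verify error:num=20" from the s_client output above by verifying a leaf certificate against an empty trust store, then against a store that holds its root, and shows the Net::HTTP settings that correspond to `-CApath`. The certificates are constructed throwaway ones, and the helper names (`make_cert`, `verify_against`, `https_client`) and subject names are hypothetical.

```ruby
require "openssl"
require "net/http"

# Constructed throwaway PKI (not Shopify's certificates): a root CA and a leaf it signs.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify a leaf against an explicit list of trusted roots and report OpenSSL's verdict.
def verify_against(leaf, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ok = store.verify(leaf)
  { ok: ok, code: store.error, message: store.error_string }
end

# Net::HTTP client pointed at a CA directory, the library-side equivalent of -CApath.
# Nothing is sent until a request is made on the returned object.
def https_client(host, ca_path: "/etc/ssl/certs")
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_path = ca_path
  http
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/O=Constructed Test CA/CN=Test Root", CA_KEY, ca: true)
LEAF = make_cert("/O=Constructed Shop/CN=*.shop.example", OpenSSL::PKey::RSA.new(2048),
                 issuer: CA_CERT, issuer_key: CA_KEY)

if __FILE__ == $PROGRAM_NAME
  p verify_against(LEAF, [])         # empty trust store: issuer cannot be found
  p verify_against(LEAF, [CA_CERT])  # root present: chain verifies
end
```

Keeping `verify_mode` at `VERIFY_PEER` and correcting the CA location preserves certificate checking; the example does not establish what caused the resets reported in this thread.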



Matt C

Sep 7, 2012, 9:48:33 AM
to shopify-a...@googlegroups.com
I just took a very quick look into this based on John's test above and I actually think that there is enough info here: I don't think the Equifax CA fingerprint matches the one listed in GeoTrust.

# "Official" equifax cert listed on the geo trust website
openssl x509 -noout -fingerprint -in official.pem
SHA1 Fingerprint=D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

openssl x509 -noout -fingerprint -in ef.pem
SHA1 Fingerprint=3E:5F:32:44:55:8E:76:D0:6C:D8:58:A6:55:90:90:26:6A:6F:25:F1

I think that this is causing the issue.

--Matt





Matt C

Sep 7, 2012, 10:14:50 AM
to shopify-a...@googlegroups.com
Actually I may take that back. It could be that the chain isn't trusted with openssl and some other tools:


CONNECTED(00000003)
depth=0 serialNumber = inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr, C = CA, ST = Ontario, L = Ottawa, O = Jaded Pixel Technologies Inc., CN = *.myshopify.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr, C = CA, ST = Ontario, L = Ottawa, O = Jaded Pixel Technologies Inc., CN = *.myshopify.com
verify error:num=27:certificate not trusted

