Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/configuration/troubleshooting_https.diviner
| @title Troubleshooting HTTPS | @title Troubleshooting HTTPS | ||||
| @group config | @group config | ||||
| Detailed instructions for troubleshooting HTTPS connection problems. | Detailed instructions for troubleshooting HTTPS connection problems. | ||||
| = Overview = | = Overview = | ||||
| If you're having trouble connecting to an HTTPS install of Phabricator, and | If you're having trouble connecting to an HTTPS install of Phorge, and | ||||
| particularly if you're receiving a "There was an error negotiating the SSL | particularly if you're receiving a "There was an error negotiating the SSL | ||||
| connection." error, this document may be able to help you diagnose and resolve | connection." error, this document may be able to help you diagnose and resolve | ||||
| the problem. | the problem. | ||||
| Connection negotiation can fail for several reasons. The major ones are: | Connection negotiation can fail for several reasons. The major ones are: | ||||
| - You have not added the Certificate Authority as a trusted authority | - You have not added the Certificate Authority as a trusted authority | ||||
| (this is the most common problem, and usually the issue for self-signed | (this is the most common problem, and usually the issue for self-signed | ||||
| certificates). | certificates). | ||||
| - The SSL certificate is signed for the wrong domain. For example, a | - The SSL certificate is signed for the wrong domain. For example, a | ||||
| certificate signed for `www.example.com` will not work for | certificate signed for `www.example.com` will not work for | ||||
| `phabricator.example.com`. | `phorge.example.com`. | ||||
| - The server rejects TLSv1 SNI connections for the domain (this is | - The server rejects TLSv1 SNI connections for the domain (this is | ||||
| complicated, see below). | complicated, see below). | ||||
| = Certificate Authority Problems = | = Certificate Authority Problems = | ||||
| SSL certificates need to be signed by a trusted authority (called a Certificate | SSL certificates need to be signed by a trusted authority (called a Certificate | ||||
| Authority or "CA") to be accepted. If the CA for a certificate is untrusted, the | Authority or "CA") to be accepted. If the CA for a certificate is untrusted, the | ||||
| connection will fail (this defends the connection from an eavesdropping attack | connection will fail (this defends the connection from an eavesdropping attack | ||||
| Show All 16 Lines | |||||
| = Domain Problems = | = Domain Problems = | ||||
| Verify the domain the certificate was issued for. You can generally do this | Verify the domain the certificate was issued for. You can generally do this | ||||
| with: | with: | ||||
| $ openssl x509 -text -in <certificate> | $ openssl x509 -text -in <certificate> | ||||
| If the certificate was accidentally generated for, e.g. `www.example.com` but | If the certificate was accidentally generated for, e.g. `www.example.com` but | ||||
| you installed Phabricator on `phabricator.example.com`, you need to generate a | you installed Phorge on `phorge.example.com`, you need to generate a | ||||
| new certificate for the right domain. | new certificate for the right domain. | ||||
| = SNI Problems = | = SNI Problems = | ||||
| Server Name Identification ("SNI") is a feature of TLSv1 which works a bit like | Server Name Identification ("SNI") is a feature of TLSv1 which works a bit like | ||||
| Apache VirtualHosts, and allows a server to present different certificates to | Apache VirtualHosts, and allows a server to present different certificates to | ||||
| clients who are connecting to it using different names. | clients who are connecting to it using different names. | ||||
| Servers that are not configured properly may reject TSLv1 SNI requests because | Servers that are not configured properly may reject TSLv1 SNI requests because | ||||
| they do not recognize the name the client is connecting with. This | they do not recognize the name the client is connecting with. This | ||||
| topic is complicated, but you can test for it by running: | topic is complicated, but you can test for it by running: | ||||
| $ openssl s_client -connect example.com:443 -servername example.com | $ openssl s_client -connect example.com:443 -servername example.com | ||||
| Replace **both** instances of "example.com" with your domain. If you receive | Replace **both** instances of "example.com" with your domain. If you receive | ||||
| an error in `SSL23_GET_SERVER_HELLO` with `reason(1112)`, like this: | an error in `SSL23_GET_SERVER_HELLO` with `reason(1112)`, like this: | ||||
| CONNECTED(00000003) | CONNECTED(00000003) | ||||
| 87871:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112): | 87871:error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112): | ||||
| /SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s23_clnt.c:602: | /SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s23_clnt.c:602: | ||||
| ...it indicates server is misconfigured. The most common cause of this problem | ...it indicates server is misconfigured. The most common cause of this problem | ||||
| is an Apache server that does not explicitly name the Phabricator domain as a | is an Apache server that does not explicitly name the Phorge domain as a | ||||
| valid VirtualHost. | valid VirtualHost. | ||||
| This error occurs only for some versions of the OpenSSL client library | This error occurs only for some versions of the OpenSSL client library | ||||
| (from v0.9.8r or earlier until 1.0.0), so only some users may experience it. | (from v0.9.8r or earlier until 1.0.0), so only some users may experience it. | ||||
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0