Hostname mismatch

Most of the time the API works fine, but randomly it'll fail with:

SSLError(CertificateError("hostname'api.youneedabudget.com' doesn't match either
of 'app.youneedabudget.com', 'classic.youneedabudget.com', 'forum.youneedabudget.com',
'purchase.youneedabudget.com', 'youneedabudget.com', 'www.youneedabudget.com'",),))

Are there still certificates in the wild that lack the "api.youneedabudget.com" alias?

11replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  •  Wessel  That is strange. I haven't heard of any other reports of this.  We switched TLS certificates about 6 months ago and then added api subdomain to it towards the end of 2017.  So, our TLS setup has been in place for quite awhile.  It seems like there must be some intermediate that is serving a cached certificate that is old.  Although, TLS certificate resolutions should be coming directly to our server and not being cached anywhere.  But, I've seen some ISPs so certificate caching.  So, you may want to check with your ISP to see if they are doing some certificate caching.  Also, it might be something on your machine that is intermittently using the old certificate so you might try to clear out older certificates to ensure it uses the latest one.

    Reply Like
  • Brady Thanks for your reply. Only partjes that have your private key can cache your certificate. How could you trust SSL otherwise?

     

    The error message comes from a Linode hosted server. They connect to the backbone without going through an ISP.

    Reply Like
  • Wessel You might want to check with Linode directly on this as they might be able to shed more light on what is going on.  Also, I'll keep an ear out for other reports of this.  Sorry I can't help more on this one but I do think this might be something that is related to local caching of old certificates.

    Reply Like
  • Brady If no other people have complained I understand that it sounds like a local cache.  I can reproduce the problem with this script:

    #!/bin/bash
    
    while true
    do
        curl https://api.youneedabudget.com/
        if [[ $? -ne 0 ]]; then
            echo -n
            echo Error at `date`
            exit 1
        fi
        sleep 1
    done

    It calls `curl` every second until an error occurs. It gives an error once every 20 or so calls.

    Reply Like
    • Wessel Thanks for the repo script - I can reproduce this!  This is very strange and I'm going to reach out to our platform partner to see if we can figure out why this is happening.

      Reply Like 1
    • Wessel Sorry it took awhile to get back to you on this but this issue should not be resolved.  Our platform partner determined that a few of the front-end routers had outdated certificates cached and has fixed this issue.  Thanks again!

      Reply Like 1
  • Brady : the problem was gone for a while, but now it's back. Once in a lot of calls I get an error that api.youneedabudget.com is not in the certificate's URL list.

    Is the problem reproducible on your side?

    Reply Like
  • Hi Wessel , that's strange.  Using your previously provided repo script above, I can no longer reproduce this as I was able to before.  I ask our platform provider about this again to ensure they've clear all their caches.  In the meantime, you might need to work around this occasional error.  Thanks for letting us know.

    Reply Like
      • Wessel
      • wessel
      • 1 yr ago
      • 1
      • Reported - view

      Brady Thanks for having a look. I'm not able to reproduce it anymore either, and it hasn't shown up in my after Thursday 👍

      Reply Like 1
  • Brady  the error is back, and I can reproduce it using the test script. It occurs once per around 20 calls.

    Reply Like
  • Wessel Thanks - I'll pass this along to our platform partner again and make sure we get this fixed for good.

    Reply Like
Like Follow
  • Status Answered
  • 1 yr agoLast active
  • 11Replies
  • 519Views
  • 2 Following