Card validation ERROR: Fetching the page failed because SSL handshake error

TheWigglyPath · 2016-03-11T18:50:38.200Z

When testing the URL https://www.wigglypath.com or any of the pages the blog contains I get the error

ERROR: Fetching the page failed because SSL handshake error.

This is an Apache server, running on a dedicated AWS server with static IP address. SSL labs scores the server an A rating, so I don’t expect a configuration issue. No regular browsers I’m aware of have an issue with the site. Also, I’m fairly certain that the cards worked before.

Is it possible to get more information from the validator? If not, where should I look to resolve the issue?

TheWigglyPath · 2016-03-16T14:53:40.885Z

I’m still unsure how to progress. If it necessary to downgrade my SSL security to get Twitter cards to work?

TheWigglyPath · 2016-03-23T16:43:30.723Z

Still no inspiration why this is not working. The Facebook link preview validator works fine:

https://developers.facebook.com/tools/debug/og/object?q=HTTPS%3A%2F%2FWWW.wigglypath.com

Are there any Twitter devs watching the forums who can say what’s going on?

TheWigglyPath · 2016-05-27T16:42:29.196Z

Anybody got any thoughts on why Twitter requires downgraded security for cards to operate?

andypiper · 2016-05-31T13:23:36.109Z

There’s no requirement to “downgrade” security. In fact, the validator is just being very strict here. Therefore, there is a need to ensure that your CA cert details and Apache ServerName and ServerAlias match up.

Looking at your site, it looks as though CN is set to wigglypath.com which does not match the domain that the validator is trying to check.

subject=/OU=Domain Control Validated/CN=wigglypath.com

See these threads for more information:

Error on card preview: Fetching the page failed because connection is refused

ufl - that looks like a firewall problem. For everyone else: Your SSL certificate must match your ServerName or ServerAlias. For omgtap.co for example, your certificate is issued to “www.omgtap.co” and for www.talenteca.com your certificate is issued to “*.talenteca,com” - neither of these are exact matched for the domain, and Twitter seems to choke on it. If you have apache, go to your ssl.conf for you domain. You will probably see: ServerName www.omgtap.co Change it to ServerName omg…

ERROR: Fetching the page failed because SSL handshake error

OK, I think I've found the solution to this one. Basically it's a "design choice" made by both Apache and Java >= 1.7. The issue is that Java always sends an SNI name request (which is good since IP addresses are in short supply). If you have an apache server that's only serving one site (or, like ours, where each site has a unique IP) and you don't specify a ServerName directive, apache will respond using the local host name (if defined) or the IP of the connection. Apache also sends a warnin…

If you do have the ServerName and ServerAlias set correctly, then there may be some other issue here.

TheWigglyPath · 2016-06-15T15:51:36.240Z

Sorry for the delay getting back with a response Andy.

It seems that there was a configuration error where the ServerName and ServerAlias were not set in the virtual host, allowing it to act as a default for any host request. This did not break the browsers as the certificate was recognised, but as you suggested Twitter is more strict.

The actual fix was to set the ServerName and ServerAlias, plus to ensure the setting in the virtual host block:

SSLEngine on

which is necessary when the server names are specified (as the default server setting is suddenly no longer valid).

Thanks for your help! I wish the validator had given me a hint what the actual issue was to save you time and effort guiding me.

andypiper · 2016-06-16T03:56:44.132Z