ERROR: Fetching the page failed because SSL handshake error


#5

Getting the same message trying to validate:

I have checked:

  1. The server date/time is correct
  2. The server is NOT using SNI
  3. The correct cyphersuites are in use

The site’s certificate validates correctly in:

  • Firefox (34)
  • Chromium (39)
  • Internet Explorer (11)

The cards were working OK before Christmas (not sure of the exact date they stopped).

The server is running Ubuntu Linux 14.04.1 with apache2 and mod_ssl.

Any ideas what may have changed to stop things working?


#6

The only thing I’m aware of that changed in the past few months was that we no longer support SSLv3 due to the POODLE vulnerability (and others). I do not think this is the issue here, but I’ll ask the Cards team to take a look at why these issues may be occurring recently.


#7

Thanks for the update.

We weren’t running SSLv3 either, and in any case all of the browsers listed chose TLS 1.2 or better. Look forward to your updates.


#8

Thanks for your reply. I am also looking for further updates and suggestions regarding this error.


#9

Has there been any further result here?

Additionally I have been unable to find any log files our side mentioning this error.


#10

OK, I think I’ve found the solution to this one. Basically it’s a “design choice” made by both Apache and Java >= 1.7.

The issue is that Java always sends an SNI name request (which is good since IP addresses are in short supply). If you have an apache server that’s only serving one site (or, like ours, where each site has a unique IP) and you don’t specify a ServerName directive, apache will respond using the local host name (if defined) or the IP of the connection. Apache also sends a warning that the names don’t match (which is against the advice in the spec). Java sees that warning and turns it into a fatal error, so the connection is aborted.

The solution is simply to add a ServerName directive that matches the SSL certificate’s CN (add ServerAlias’s too if needed).

For a fuller discussion of this issue, see http://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0

Having made this change to the server config, my cards now once again validate correctly.

Thanks for the assistance.
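
The failure described in the post above is visible on the wire as a plaintext TLS alert record sent ahead of the ServerHello. The following is an added example, not part of the original post or of any Twitter or Apache code: a small parser that walks the TLS records in a server's first flight and reports whether a warning-level `unrecognized_name` alert is present. The sample byte strings and the helper names are constructed for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22           # TLS record content types
WARNING, FATAL = 1, 2               # alert levels
UNRECOGNIZED_NAME = 112             # alert description defined with SNI (RFC 6066)

def iter_records(data: bytes):
    """Yield (content_type, payload) for each complete TLS record in data."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5 : pos + 5 + length]
        if len(payload) < length:   # truncated capture: stop instead of guessing
            break
        yield ctype, payload
        pos += 5 + length

def alerts(data: bytes):
    """Return [(level, description), ...] for every plaintext alert in data."""
    found = []
    for ctype, payload in iter_records(data):
        if ctype == ALERT:
            found += [(payload[i], payload[i + 1]) for i in range(0, len(payload) - 1, 2)]
    return found

def diagnose(data: bytes) -> str:
    """Classify a server's first flight with respect to the SNI name mismatch."""
    seen = alerts(data)
    if (FATAL, UNRECOGNIZED_NAME) in seen:
        return "server rejected the SNI name"
    if (WARNING, UNRECOGNIZED_NAME) in seen:
        return "handshake continues, but strict clients (Java >= 1.7) abort here"
    return "no unrecognized_name alert"

def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# Constructed samples: the ServerHello body is dummy bytes, not a real capture.
SERVER_HELLO = record(HANDSHAKE, b"\x02\x00\x00\x04demo")
MISCONFIGURED = record(ALERT, bytes([WARNING, UNRECOGNIZED_NAME])) + SERVER_HELLO
FIXED = SERVER_HELLO

if __name__ == "__main__":
    for name, flight in (("no ServerName", MISCONFIGURED), ("ServerName set", FIXED)):
        print(f"{name}: {diagnose(flight)}")
```

Feed `diagnose()` the raw bytes a server returns to a ClientHello carrying the certificate's host name; browsers ignore the warning, which is why the site still validates in them.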


#11

Woah, ninja skills @deanswaydesign - thank you so much for sharing this awesome and detailed description :thumbsup:


#12

Weird. I am still having this problem. On Apache 2.4. On SSLLabsTest, I got an A+ for the SSL Cert https://www.ssllabs.com/ssltest/analyze.html?d=lesterchan.net

You can test it with this URI https://lesterchan.net/blog/2015/03/13/lesterchan-net-now-on-https/.

ServerName has been setup in Apache


#13

Same problem here…@andypiper any news from the Cards Team?


#14

I’m having the exact same problem. I’ve tested my SSL certificate on SSL labs with an A rating. I’ve made sure to change my ServerName and add an Alias to my site configuration in Apache. I’m not sure what else I can do. My url is https://www.marshalldurham.com.


#15

Hello All,

When we try to validate our URL on the given https://cards-dev.twitter.com/validator URL, it gives me an error:
ERROR: Fetching the page failed because SSL handshake error.
My URL:
https://belive.mobi/multitvfinal/jwplayer/tw.html
Please help me…


#16

Hi,

I have the same problem, but cannot change anything in my server settings (shared host). Is there anything I can do to avoid this problem?

cheers
cbmainz


#17

If you are having an SSL handshake issue then you will need to make sure that your site’s SSL certificate is valid and using a suitable cipher i.e. TLS SHA-256.


#18

We also have a problem with our page: https://oneplace.marketplanet.pl/ogloszenie-publiczne/
Can you give us more detailed info on what the main problem with our certificate is?


#19

I’m currently unable to tell what the issue with your certificate might be.


#20

I get the same error with https://dominikschilling.de/wordpress-4-6-release-lead/.

I’ve contacted the support of my host and got this info:

It seems like the validator is using a Java version which doesn’t support DHE with 4K-DH parameters. Modern browsers are supporting this.


#21

Your post seriously helped me. Thank you! I kept getting handshake errors from Twitter when trying to test various Twitter cards. It turns out that it was indeed SNI issues associated with Apache.

Note to others who have a CN (Common Name) associated with your SSL that uses a wildcard (e.g. *.mydomain.com) you will have to set a ServerName and a ServerAlias in your VirtualHost to account for that. For example:

ServerName mydomain.com
ServerAlias *.mydomain.com

This SO article explains wildcard support in more detail: https://serverfault.com/questions/139628/servername-wildcards-in-apache-name-based-virtual-hosts/139629#139629?newreg=523b41dfd9754959b21fcbc7b2ae3912


#22

Hi
I am getting the “ERROR: Fetching the page failed because SSL handshake error.” message for website



Please let me know how I can resolve this issue.
I am using GoDaddy hosting, so I don’t have the Apache folder access to modify the ServerName and ServerAlias.

The certificate Signature algorithm = SHA256 + RSA

Any help would be appreciated
Thanks


#23

You’ll need to talk to your host about this.

Running your site through SSLLabs checker https://www.ssllabs.com/ssltest/analyze.html?d=www.loginextsolutions.com

The key lines here are towards the middle of the report, specifically the errors “Client aborts on SNI unrecognized_name warning” which is what causes the crawler to be unable to connect to your site.


#24

This error has been evading us too for sharing a video on a Twitter timeline, e.g. the video on https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/
The player is at https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/player.html

I’m fairly certain the twitter tags are correct (pasted at the bottom). Similarly, on Facebook, the still image displays but not the video in the timeline (with no errors reported), and I wonder if that is down to the same issue as on Twitter. But we don’t know what needs to change on the domain. We are using nginx, so the apache solution doesn’t apply. We believe that SNI is covered.

On https://www.ssllabs.com/ssltest/analyze.html?d=beyourself.crohnsandcolitis.org.uk
the domain gets an overall A rating, with maximum scores on everything except DNS CAA, linked to more info at:
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Can that be relevant to the problem, or should we be looking elsewhere? Any help would be appreciated.

    <meta name="twitter:url" content="https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/">
    <meta name="twitter:card" content="player">
    <meta name="twitter:site" content="@CrohnsColitisUK">
    <meta name="twitter:title" content="Be yoursELF for Crohn’s and Colitis Awareness Week">
    <meta name="twitter:description" content="Be yoursELF | Crohn’s & Colitis UK.
We are making the invisible visible…">
    <meta name="twitter:image" content="https://beyourself.crohnsandcolitis.org.uk/assets/video/video-poster-preview.jpg">
    <meta name="twitter:player" content="https://beyourself.crohnsandcolitis.org.uk/cards/beyourself/player.html">
    <meta name="twitter:player:width" content="1280">
    <meta name="twitter:player:height" content="720">
    <meta name="twitter:player:stream:content_type" content="video/mp4">
    <meta name="twitter:player:stream" content="https://beyourself.crohnsandcolitis.org.uk/videos/beyourself/beyourself.mp4">
    <meta name="twitter:image" content="https://beyourself.crohnsandcolitis.org.uk/assets/video/video-poster-preview.jpg" />
    <meta name="twitter:image:alt" content="Animated Elf card for Crohn’s and Colitis Awareness Week" />

[EDIT]: SSL settings in the nginx conf for the domain

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    expires 5m;
    add_header Cache-Control "must-revalidate, proxy-revalidate";