Ads API sometimes fails due to no alternative certificate for ads-api.twitter.com.

The following curl request reproduced the error.

$ curl -vvv https://ads-api.twitter.com/10/accounts

*   Trying 104.244.42.3:443...
* Connected to ads-api.twitter.com (104.244.42.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=api.twitter.com
*  start date: Jan 24 00:00:00 2022 GMT
*  expire date: Jan 23 23:59:59 2023 GMT
*  subjectAltName does not match ads-api.twitter.com
* SSL: no alternative certificate subject name matches target host name 'ads-api.twitter.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'ads-api.twitter.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

We have the same problem when calling the Twitter Ads API.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

Hi all,

I have the same issue. When I send a request to POST stats/jobs/accounts/:account_id, this issue is thrown:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <ads-api.twitter.com> doesn't match any of the subject alternative names: [api.twitter.com]

But I cannot find any issues at https://api.twitterstat.us/

Please help us to investigate this issue.

Thank you very much.

There is a server with the wrong common name setting.
I hope it will be resolved…

Success:

  • subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=*.twitter.com

Error:

  • subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=api.twitter.com

Success:

$ curl -vvv https://ads-api.twitter.com

*   Trying 104.244.42.131...
* TCP_NODELAY set
* Connected to ads-api.twitter.com (104.244.42.131) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=*.twitter.com
*  start date: Jan 24 00:00:00 2022 GMT
*  expire date: Jan 23 23:59:59 2023 GMT
*  subjectAltName: host "ads-api.twitter.com" matched cert's "*.twitter.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa06980e800)
> GET / HTTP/2
> Host: ads-api.twitter.com
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 404
< date: Wed, 20 Apr 2022 06:46:03 GMT
< server: tsa_m
< set-cookie: guest_id_marketing=v1%3A165043716378680666; Max-Age=63072000; Expires=Fri, 19 Apr 2024 06:46:03 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
< set-cookie: guest_id_ads=v1%3A165043716378680666; Max-Age=63072000; Expires=Fri, 19 Apr 2024 06:46:03 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
< set-cookie: personalization_id="v1_Mhl4pdANdwIR3643VHAR1g=="; Max-Age=63072000; Expires=Fri, 19 Apr 2024 06:46:03 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
< set-cookie: guest_id=v1%3A165043716378680666; Max-Age=63072000; Expires=Fri, 19 Apr 2024 06:46:03 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
< content-type: application/json;charset=utf-8
< cache-control: no-cache, no-store, max-age=0
< x-transaction: c1c4ebaca21812c8
< content-length: 117
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0
< content-disposition: attachment; filename=json.json
< timing-allow-origin: https://twitter.com, https://mobile.twitter.com
< x-content-type-options: nosniff
< strict-transport-security: max-age=631138519
< x-response-time: 109
< x-connection-hash: 792d075a06270b4dfab44a5475865e8205b3bf8930394f61ae303c2609a1ecec
<
* Connection #0 to host ads-api.twitter.com left intact
{"errors":[{"code":"ROUTE_NOT_FOUND","message":"The requested resource could not be found"}],"request":{"params":{}}}* Closing connection 0

Error:

$ curl -vvv https://ads-api.twitter.com

*   Trying 104.244.42.131...
* TCP_NODELAY set
* Connected to ads-api.twitter.com (104.244.42.131) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=api.twitter.com
*  start date: Jan 24 00:00:00 2022 GMT
*  expire date: Jan 23 23:59:59 2023 GMT
*  subjectAltName does not match ads-api.twitter.com
* SSL: no alternative certificate subject name matches target host name 'ads-api.twitter.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'ads-api.twitter.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The same thing happens with Twitter’s URL shortener (t.co):

$ curl -vvv https://t.co
*   Trying 104.244.42.5...
* TCP_NODELAY set
* Connected to t.co (104.244.42.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=api.twitter.com
*  start date: Jan 24 00:00:00 2022 GMT
*  expire date: Jan 23 23:59:59 2023 GMT
*  subjectAltName does not match t.co
* SSL: no alternative certificate subject name matches target host name 't.co'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 't.co'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2 Likes
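
Added example, not part of any post in this thread: a Python diagnostic that reproduces the hostname check curl performs and, with `probe`/`sweep`, reports which backend IP serves a certificate whose subjectAltName does not cover the requested host. The function names are hypothetical, and the sample certificate dicts are constructed from the names quoted in the posts, not full certificates.

```python
import socket
import ssl

def san_matches(hostname, pattern):
    """Exact match, or '*' as the entire left-most label covering exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require two literal labels after the wildcard, so "*.com" never matches.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def check_cert(hostname, cert):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert(); returns (ok, dns_sans)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(san_matches(hostname, s) for s in sans), sans

def probe(hostname, ip, port=443, timeout=5):
    """Handshake with one backend IP using SNI=hostname and report its certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # defer only the name check; the chain is still verified
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return check_cert(hostname, tls.getpeercert())

def sweep(hostname, rounds=20, port=443):
    """Probe every A record `rounds` times; returns {ip: [mismatch_count, sans_seen]}."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    report = {}
    for ip in sorted({info[4][0] for info in infos}):
        entry = report.setdefault(ip, [0, set()])
        for _ in range(rounds):
            ok, sans = probe(hostname, ip, port)
            entry[0] += 0 if ok else 1
            entry[1].update(sans)
    return report

# Constructed samples using the names quoted in the posts above (not full certificates).
BAD_CERT = {"subjectAltName": (("DNS", "api.twitter.com"),)}
GOOD_CERT = {"subjectAltName": (("DNS", "*.twitter.com"),)}

if __name__ == "__main__":
    for host in ("ads-api.twitter.com", "upload.twitter.com", "t.co"):
        print(host, "bad:", check_cert(host, BAD_CERT), "good:", check_cert(host, GOOD_CERT))
```

Repeated probes per IP matter here because the curl sessions above show the same address (104.244.42.131) returning both the `*.twitter.com` and the `api.twitter.com` certificate.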

I have the same issue on the domain ‘upload.twitter.com’.

When I access https://upload.twitter.com/1.1/media/upload.json,
the error ‘Unable to communicate securely with peer: requested domain name does not match the server’s certificate.’ is thrown.

The result of the curl request is below:

curl -vvv https://upload.twitter.com/1.1/media/upload.json
*   Trying 104.244.42.139...
* TCP_NODELAY set
* Connected to upload.twitter.com (104.244.42.139) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=api.twitter.com
*  start date: Jan 24 00:00:00 2022 GMT
*  expire date: Jan 23 23:59:59 2023 GMT
*  subjectAltName does not match upload.twitter.com
* SSL: no alternative certificate subject name matches target host name 'upload.twitter.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'upload.twitter.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Thank you all for reporting this. We have notified the engineering team and are investigating. I will post back when we have additional information.

2 Likes

Our engineering team identified the problem and have verified they’ve resolved the issue. Please reach out if you notice any additional connection problems.

4 Likes

Thank you for your support,
I’ve confirmed that the problem has been resolved.