avatar stellainformatica
stellainformatica
29 Feb 2016

Steps to reproduce the issue

Make a fresh install of Joomla 3.5 beta3, go to Extensions > Manage and click on "Add Install from Web tab" button

Expected result

Installation successful and Tab Install from Web appears

Actual result

Installation not successful and these errors appear:

Warning
Update: :Extension: Could not open https://appscdn.joomla.org/webapps/jedapps/webinstaller.xml
Error connecting to the server: SSL certificate problem: unable to get local issuer certificate

Error
Invalid URL
Unable to find install package

System information (as much as possible)

Tested in localhost, php version 5.4.25 and also on a live site

Additional comments

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
4.00

avatar stellainformatica stellainformatica - open - 29 Feb 2016
avatar andrepereiradasilva
andrepereiradasilva - comment - 29 Feb 2016

i can reproduce this issue described

avatar Bakual
Bakual - comment - 29 Feb 2016

That sounds like your localhost doesn't have SSL correctly set up.
Since the URL for the webinstaller now is a https address, this fails.

avatar brianteeman
brianteeman - comment - 29 Feb 2016

snap but slightly different - and there is NO way to setup SSL on a localhost that I know of

Update: :Extension: Could not open https://appscdn.joomla.org/webapps/jedapps/webinstaller.xml
Error connecting to the server: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

avatar andrepereiradasilva
andrepereiradasilva - comment - 29 Feb 2016

SSL Labs test. could this be the problem?

See https://www.ssllabs.com/ssltest/analyze.html?d=appscdn.joomla.org&hideResults=on

@Bakual i'm not using localhost. this happens using a CentOS 7 production server

avatar brianteeman
brianteeman - comment - 29 Feb 2016

It is nothing to do with localhost!!! This screenshot is from siteground servers

avatar brianteeman brianteeman - change - 29 Feb 2016
Priority Medium Urgent
Status New Confirmed
Labels Added: ?
avatar brianteeman brianteeman - change - 29 Feb 2016
Labels
avatar andrepereiradasilva
andrepereiradasilva - comment - 29 Feb 2016

just for info, on the same server ...

openssl connection to joomla.org -> All ok

# openssl s_client -connect joomla.org:443 -servername joomla.org
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT76358277, OU = See www.rapidssl.com/resources/cps (c)14, OU = Domain Control Validated - RapidSSL(R), CN = *.joomla.org
verify return:1
---
Certificate chain
 0 s:/OU=GT76358277/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=*.joomla.org
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
// [...] omitted for brevity.
    Verify return code: 0 (ok)
---

openssl connection to appscdn.joomla.org -> Error

# openssl s_client -connect appscdn.joomla.org:443 -servername appscdn.joomla.org
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 4 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
---
// [...] omitted for brevity.
    Verify return code: 21 (unable to verify the first certificate)
---
avatar mbabker
mbabker - comment - 29 Feb 2016

Anything attached to a CDN uses a different certificate from the joomla.org wildcard certificate (so in theory you should get something similar for extensionscdn.joomla.org, update.joomla.org, or even cdn.joomla.org). Or it'd be interesting to know if it's just the appscdn certificate now.

avatar andrepereiradasilva
andrepereiradasilva - comment - 29 Feb 2016

The 3 you mentioned are all good.

extensionscdn.joomla.org
# openssl s_client -connect extensionscdn.joomla.org:443 -servername extensionscdn.joomla.org
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.netdna-ssl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.netdna-ssl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
// [...] omitted for brevity.
    Verify return code: 0 (ok)
---
update.joomla.org
# openssl s_client -connect update.joomla.org:443 -servername update.joomla.org
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.netdna-ssl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.netdna-ssl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
// [...] omitted for brevity.
    Verify return code: 0 (ok)
---
cdn.joomla.org
# openssl s_client -connect cdn.joomla.org:443 -servername cdn.joomla.org
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.netdna-ssl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.netdna-ssl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
// [...] omitted for brevity.
    Verify return code: 0 (ok)
---
avatar brianteeman
brianteeman - comment - 29 Feb 2016
avatar richard67
richard67 - comment - 29 Feb 2016

Same problem when trying to update a 3.4.8 for testing to 3.5.0 Beta 3 using the Joomla! Update Component with update path = "testing": Same error, the XML could not be opened.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9259.

avatar simbus82
simbus82 - comment - 1 Mar 2016

I had the same problem yesterday morning during an update process from Joomla 3.4.7 to Joomla 3.4.8. Joomla can't read the XML file (update STS), but if I open this https URL with a browser I can read it without problems. We have OVH servers.

avatar wilsonge
wilsonge - comment - 1 Mar 2016

We have contacted Rochen and this should be fixed now! Please can you guys test :)

avatar richard67
richard67 - comment - 2 Mar 2016

Install from web works well now here on a fresh updated 3.5.0 Beta 3 + recent PRs for other stuff, this error message as shown above is not shown anymore. Could replicate the error yesterday so it seems to be solved now for the webinstaller.

But when I wanted to update the 3.4.8 to Beta 3 by switching update channel to testing, I saw the same kind of message, that the xml file could not be loaded. Is this a similar issue or related, or something different?

avatar andrepereiradasilva
andrepereiradasilva - comment - 2 Mar 2016

for appscdn.joomla.org

install web: OK
ssl labs test: OK (just incorrect order now)
https://www.ssllabs.com/ssltest/analyze.html?d=appscdn.joomla.org&hideResults=on&latest

Test with openssl: OK

# openssl s_client -connect appscdn.joomla.org:443 -servername appscdn.joomla.org
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
    Verify return code: 0 (ok)
---
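
The two appscdn.joomla.org chains shown so far (the failing one from 29 Feb and the one after the Rochen change) can be checked mechanically. This is an added example, not part of the thread or of Joomla's code: it parses the "Certificate chain" section of `openssl s_client` output and walks from the leaf upward using only the certificates the server sent. `TRUSTED_ROOTS` is an assumption, taken from the depth=3 anchor of the passing run.

```python
import re

# Chains as printed in the two appscdn.joomla.org transcripts on this page.
BROKEN_29_FEB = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 4 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
---
"""
FIXED_2_MAR = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
"""
# Assumption: the verifying host trusts this root (the depth=3 anchor in the passing run).
TRUSTED_ROOTS = {"/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"}

SUBJECT = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain, subject, inside = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            inside = True
        elif inside and line.startswith("---"):
            break
        elif inside and (m := SUBJECT.match(line)):
            subject = m.group(1).strip()
        elif inside and subject is not None and (m := ISSUER.match(line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def analyze_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Build the path leaf -> root using only what the server sent plus trusted_roots."""
    if not chain:
        raise ValueError("no certificates found in transcript")
    sent = {}
    for idx, (subj, iss) in enumerate(chain):
        sent.setdefault(subj, (idx, iss))      # first occurrence wins
    path, missing = [0], None
    subject, issuer = chain[0]
    # A sent self-signed certificate ends the walk; trusting it is the client's decision.
    while issuer != subject and issuer not in trusted_roots:
        idx, next_issuer = sent.get(issuer, (None, None))
        if idx is None:
            missing = issuer                   # neither sent nor trusted: verification stops here
            break
        if idx in path:                        # loop guard for cross-signed certificates
            break
        path.append(idx)
        subject, issuer = issuer, next_issuer
    return {
        "path": path,                          # indexes in the order a verifier needs them
        "missing_issuer": missing,             # None when the path reaches a root
        "in_order": path == list(range(len(path))),
        "unused": sorted(set(range(len(chain))) - set(path)),
    }
```

On the 29 Feb chain the walk stops at the leaf: its issuer was never sent and none of the four extra certificates is that issuer, which is what verify errors 20 and 21 report. On the 2 Mar chain the path is complete but runs 0, 2, 1, matching the "incorrect order" remark from SSL Labs.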
avatar wilsonge
wilsonge - comment - 2 Mar 2016

Umm I'm not sure but based on what @mbabker said the extensions cdn and the update cdn should use the same cert (unless he meant those 2 use different certs....)

avatar andrepereiradasilva
andrepereiradasilva - comment - 2 Mar 2016

for update.joomla.org

ssl labs test: OK (only sha-1 chain issues now)
https://www.ssllabs.com/ssltest/analyze.html?d=update.joomla.org&hideResults=on&latest

Test with openssl: OK

# openssl s_client -connect update.joomla.org:443 -servername update.joomla.org
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.netdna-ssl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.netdna-ssl.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
    Verify return code: 0 (ok)
---
avatar richard67
richard67 - comment - 2 Mar 2016

Hmm then maybe for me for update.joomla.org was a cached bad cert somewhere on the server, and I just have to wait a bit?

avatar wilsonge
wilsonge - comment - 2 Mar 2016

Maybe - but Rochen notified us 2 hours ago :/ I just only picked up on the message from marijke (who kindly submitted the ticket to them) on glip

avatar andrepereiradasilva
andrepereiradasilva - comment - 2 Mar 2016

this issue itself (i mean the appscdn.joomla.org server(s) ssl configuration) is solved IMHO with the Rochen change.

avatar wilsonge wilsonge - close - 2 Mar 2016
avatar wilsonge wilsonge - change - 2 Mar 2016
Status Confirmed Closed
Closed_Date 0000-00-00 00:00:00 2016-03-02 00:19:17
Closed_By wilsonge
avatar wilsonge wilsonge - close - 2 Mar 2016
avatar wilsonge
wilsonge - comment - 2 Mar 2016

OK Richard can you give it 24 hours and try again please? If it doesn't work just create a fresh issue - it's not too much effort to submit another ticket to Rochen (and it's not something we can solve in the 3.5 release process anyhow).

avatar wilsonge wilsonge - close - 2 Mar 2016
avatar wilsonge wilsonge - change - 2 Mar 2016
Labels Removed: ?
avatar richard67
richard67 - comment - 2 Mar 2016

Sure, I'll keep it on my list.

avatar wilsonge
wilsonge - comment - 2 Mar 2016

Thanks!

avatar mbabker
mbabker - comment - 2 Mar 2016

Umm I'm not sure but based on what @mbabker said the extensions cdn and the update cdn should use the same cert (unless he meant those 2 use different certs....)

Negative. Every CDN endpoint in *.joomla.org uses a certificate specific to that subdomain. This includes appscdn, cdn, downloadscdn, extensionscdn, and update. Everything else except for the Jenkins server (because I've not had the server & app configured for SSL operations) uses (or has available in the case of every property that still fails to function correctly on or enforce HTTPS) the wildcard *.joomla.org certificate.

avatar richard67
richard67 - comment - 2 Mar 2016

Then the cert for update is maybe not OK still?

avatar mbabker
mbabker - comment - 2 Mar 2016

I think the ticket that was logged only resolved the appscdn specifically based on the original reports.

avatar trustyrusty
trustyrusty - comment - 26 May 2016

Hi, I am having the exact same issue as
@andrepereiradasilva on 1 Mar 2016 (I see the same screenshot) - this is not localhost
as of today 26 May 2016



avatar trustyrusty
trustyrusty - comment - 26 May 2016

Sorry, text slightly different

Warning
Update: :Extension: Could not open https://appscdn.joomla.org/webapps/jedapps/webinstaller.xml
Error connecting to the server: SSL certificate problem: certificate has expired
Error
Invalid URL
Unable to find install package

I can open this page https://appscdn.joomla.org/webapps/jedapps/webinstaller.xml no problems...

Joomla 3.5.1 - upgraded from 1.5 > to 2.5 > to 3.5.1



avatar roland-d
roland-d - comment - 26 May 2016

I have asked Rochen to take a look at this.

avatar andrepereiradasilva
andrepereiradasilva - comment - 26 May 2016

Test: https://www.ssllabs.com/ssltest/analyze.html?d=appscdn.joomla.org&hideResults=on
"This site works only in browsers with SNI support."

Probably it's the lack of support for servers that don't support SNI again, but this time for appscdn.joomla.org domain and the default server certificate expired.

Test with SNI
# openssl s_client -connect appscdn.joomla.org:443 -servername appscdn.joomla.org
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
    Verify return code: 0 (ok)
---
Test without SNI (notice it falls back to another certificate)
# openssl s_client -connect appscdn.joomla.org:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = FR, ST = Alpes Maritimes, L = Grasse, OU = IT, O = DYNADMIC, CN = bko.dynadmic.com
verify error:num=10:certificate has expired
notAfter=May 23 13:05:03 2015 GMT
verify return:1
depth=0 C = FR, ST = Alpes Maritimes, L = Grasse, OU = IT, O = DYNADMIC, CN = bko.dynadmic.com
notAfter=May 23 13:05:03 2015 GMT
verify return:1
---
Certificate chain
 0 s:/C=FR/ST=Alpes Maritimes/L=Grasse/OU=IT/O=DYNADMIC/CN=bko.dynadmic.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
    Verify return code: 10 (certificate has expired)
---
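
The with-SNI and without-SNI runs above can be compared automatically when checking many endpoints. This is an added example, not part of the thread: it reads the verification trace of two `openssl s_client` transcripts and reports whether clients that omit SNI are served a different certificate and whether that certificate verifies. The sample strings are excerpts of the two 26 May transcripts; the function names are hypothetical.

```python
import re

# Excerpts (verification trace and final code only) of the two 26 May transcripts above.
WITH_SNI = """\
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify return:1
    Verify return code: 0 (ok)
"""
WITHOUT_SNI = """\
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - G2
verify return:1
depth=0 C = FR, ST = Alpes Maritimes, L = Grasse, OU = IT, O = DYNADMIC, CN = bko.dynadmic.com
verify error:num=10:certificate has expired
notAfter=May 23 13:05:03 2015 GMT
verify return:1
    Verify return code: 10 (certificate has expired)
"""

DEPTH = re.compile(r"^depth=(\d+) (.*)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
FINAL = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)\s*$")


def parse_verify_trace(transcript):
    """Return (leaf_subject, errors, final): errors maps depth -> [(num, text)],
    final is the (code, text) pair of the last 'Verify return code' line."""
    leaf, errors, final, depth = None, {}, None, None
    for line in transcript.splitlines():
        if m := DEPTH.match(line):
            depth = int(m.group(1))
            if depth == 0 and leaf is None:
                leaf = m.group(2).strip()
        elif (m := ERROR.match(line)) and depth is not None:
            # s_client prints the error right after the depth line it belongs to.
            errors.setdefault(depth, []).append((int(m.group(1)), m.group(2).strip()))
        elif m := FINAL.match(line):
            final = (int(m.group(1)), m.group(2))
    return leaf, errors, final


def compare_sni(with_sni, without_sni):
    """Summarise what changes when the client leaves out the SNI extension."""
    leaf_a, _, final_a = parse_verify_trace(with_sni)
    leaf_b, errors_b, final_b = parse_verify_trace(without_sni)
    return {
        "sni_leaf": leaf_a,
        "default_leaf": leaf_b,
        "default_cert_differs": leaf_a != leaf_b,
        "sni_ok": final_a is not None and final_a[0] == 0,
        "no_sni_ok": final_b is not None and final_b[0] == 0,
        "no_sni_errors": sorted({text for errs in errors_b.values() for _, text in errs}),
    }


def verdict(result):
    """Turn the comparison into a one-line finding for a report."""
    if not result["sni_ok"]:
        return "fails even with SNI: fix the certificate or chain first"
    if result["no_sni_ok"] and not result["default_cert_differs"]:
        return "SNI not required: same certificate either way"
    if result["no_sni_ok"]:
        return "default certificate differs: non-SNI clients depend on it covering the hostname"
    return "SNI required: clients that omit it are served a certificate that fails verification"
```

OpenSSL 1.1.1 and later send SNI from `s_client` by default, so on those versions the second transcript has to be captured with `-noservername`.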
avatar trustyrusty
trustyrusty - comment - 4 Jun 2016

Still same issue on brand new - default joomla 3.5.1 - different server as first site

I can open the xml. on web, but does not want to install "install from web"

FYI

Warning
Update: :Extension: Could not open https://appscdn.joomla.org/webapps/jedapps/webinstaller.xml
Error connecting to the server: SSL certificate problem: certificate has expired
Error
Invalid URL
Unable to find install package

avatar andrepereiradasilva
andrepereiradasilva - comment - 5 Jun 2016

@roland-d any news from Rochen on this? Since this one is closed and the problem can be replicated, should a new issue be created?

avatar roland-d
roland-d - comment - 5 Jun 2016

@andrepereiradasilva Apologies, the answer was there already but it fell off the radar. This is their answer:

The server is reporting the certificate is fine. As for only supporting browsers with SNI support, that is true for pretty much all common SSL's nowadays. The only browsers that do not support SSL are browsers that are no longer supported by their respective operating systems.

I guess we need to make them aware of your check without SNI, I have mentioned your non-SNI check results.

avatar andrepereiradasilva
andrepereiradasilva - comment - 5 Jun 2016

yeah it seems the appscdn.joomla.org domain is normally used only by browsers. but i guess in the process of installing the install from web plugin the url is fetched by the server hosting joomla, not by the browser.

In that case it is the server that has to support SNI and so we have the same problem that we had before with the update.joomla.org (see #9281 (comment)).

In conclusion, it seems for this to work across multiple systems, the appscdn.joomla.org needs a dedicated IP too.

avatar trustyrusty
trustyrusty - comment - 5 Jun 2016

I am using firefox, I have not tried with other browser.... Are you FF is not supporting SNI?

avatar trustyrusty
trustyrusty - comment - 5 Jun 2016

PS Can this be reopened? It is not solved....

avatar mbabker
mbabker - comment - 6 Jun 2016

If anything a new issue should be logged. What was fixed 3 months ago may
or may not have any relation at all to the fact it isn't working today.
Same error message doesn't mean same issue.

On Sunday, June 5, 2016, trustyrusty notifications@github.com wrote:

PS Can this be reopened? It is not solved....



avatar roland-d
roland-d - comment - 7 Jun 2016

Since we don't have a new issue, I am going to post the answer here:

Thank you for the update. I have investigated this issue and found that the problem was due to an issue at MaxCDN. I reached out to MaxCDN and had them place appscdn.joomla.org on a new IP address, so SNI support is no longer required to generate a valid HTTPS connection to that subdomain.

Could you check and confirm this has resolved the issue?

avatar andrepereiradasilva
andrepereiradasilva - comment - 7 Jun 2016
Test with SNI
# openssl s_client -connect appscdn.joomla.org:443 -servername appscdn.joomla.org
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
    Verify return code: 0 (ok)
---
Test without SNI
# openssl s_client -connect appscdn.joomla.org:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL, CN = appscdn.joomla.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=appscdn.joomla.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
    Verify return code: 0 (ok)
---

So it seems all

avatar andrepereiradasilva
andrepereiradasilva - comment - 7 Jun 2016
avatar roland-d
roland-d - comment - 7 Jun 2016

Thanks. Now let's keep this issue closed :)

avatar Freegrass69
Freegrass69 - comment - 16 Jun 2016

Sorry to open it again, but I'm having the same issue, and I'm not an expert, so I read everything here, but I still don't know how to solve it. I'm using freehostia, could the problem be with them?



avatar andrepereiradasilva
andrepereiradasilva - comment - 16 Jun 2016

Very probably it is a problem with your host. Contact them.

avatar Freegrass69
Freegrass69 - comment - 17 Jun 2016

I think so. WordPress had problems as well, so now I'm trying Drupal, and it works perfectly. So I guess I'm gonna be a Drupal guy now... It looks awesome, not so difficult as they say, and more possibilities. So I'm sold to Drupal.

Thanks for the quick response!

avatar wilsonge
wilsonge - comment - 17 Jun 2016

I'm going to lock this issue. If anyone else has this issue in the future please open a new tracker item. Thanks

avatar wilsonge wilsonge - locked - 17 Jun 16
