@title Troubleshooting HTTPS
@group config

Detailed instructions for troubleshooting HTTPS connection problems.

= Overview =

If you're having trouble connecting to an HTTPS install of Phorge, and
particularly if you're receiving a "There was an error negotiating the SSL
connection." error, this document may be able to help you diagnose and resolve
the problem.

Connection negotiation can fail for several reasons. The major ones are:

  - You have not added the Certificate Authority as a trusted authority
    (this is the most common problem, and usually the issue for self-signed
    certificates).
  - The SSL certificate is signed for the wrong domain. For example, a
    certificate signed for `www.example.com` will not work for
    `phorge.example.com`.
  - The server rejects TLS SNI connections for the domain (this is
    complicated, see below).

= Certificate Authority Problems =

SSL certificates need to be signed by a trusted authority (called a Certificate
Authority or "CA") to be accepted. If the CA for a certificate is untrusted, the
connection will fail (this defends the connection from an eavesdropping attack
called "man in the middle"). Normally, you purchase a certificate from a known
authority and clients have a list of trusted authorities.

You can self-sign a certificate by creating your own CA, but clients will not
trust it by default. They need to add the CA as a trusted authority.

For instructions on adding CAs, see `arcanist/resources/ssl/README`.

If you'd prefer that `arc` not verify the identity of the server whatsoever, you
can use the `https.blindly-trust-domains` setting. With verification disabled,
anyone who can intercept traffic between you and the listed domain can
impersonate the server and read or modify everything `arc` sends, including
your credentials, so this is **strongly discouraged**:

  $ arc set-config https.blindly-trust-domains '["example.com"]'


= Domain Problems =

Verify the domain the certificate was issued for. You can generally do this
with:

  $ openssl x509 -text -in <certificate>

Check the names listed under the "Subject Alternative Name" extension (modern
clients use these rather than the subject's Common Name). If the certificate
was accidentally generated for, e.g. `www.example.com` but you installed Phorge
on `phorge.example.com`, you need to generate a new certificate for the right
domain.

= SNI Problems =

Server Name Indication ("SNI") is a TLS extension which works a bit like
Apache VirtualHosts, and allows a server to present different certificates to
clients who are connecting to it using different names.

Servers that are not configured properly may reject TLS SNI requests because
they do not recognize the name the client is connecting with. This
topic is complicated, but you can test for it by running:

  $ openssl s_client -connect example.com:443 -servername example.com

Replace **both** instances of "example.com" with your domain. Note that
OpenSSL 1.1.1 and later send SNI by default; to compare against the
certificate the server presents when no SNI is sent, repeat the command with
`-noservername` in place of `-servername example.com`.
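The three failure modes above (untrusted CA, wrong domain, SNI/handshake) can be told apart from a single client-side connection attempt. The following script is an added example written for this page, not part of Phorge or Arcanist: it uses Python's standard `ssl` module, sends SNI the way `arc` does, keeps CA verification on but checks the certificate's names itself so that a wrong-domain certificate is reported rather than just rejected. `SAMPLE_CERT` is a constructed dictionary in the shape `getpeercert()` returns, representing a certificate issued for `www.example.com` only; `diagnose()`, `covers()` and `cafile` are names chosen here, not Arcanist settings.

```python
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# a certificate issued for www.example.com (and the bare domain), but not
# for phorge.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for.

    Subject Alternative Name entries win; the subject Common Name is used only
    as a fallback when the certificate carries no SAN extension at all.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A leading wildcard covers exactly one DNS label: "*.example.com" matches
    "phorge.example.com" but neither "a.b.example.com" nor "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return label != "" and "." not in label


def covers(cert, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def fetch_cert(host, port=443, cafile=None):
    """Connect with SNI, verify the CA chain, and return the peer certificate.

    check_hostname is turned off on purpose so a certificate for the wrong
    domain is returned for inspection instead of raising; the chain is still
    verified against the system trust store (or the CA bundle in `cafile`).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname is what puts the SNI extension on the ClientHello.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def diagnose(host, port=443, cafile=None):
    """Map a connection attempt onto the failure modes described on this page."""
    try:
        cert = fetch_cert(host, port, cafile)
    except ssl.SSLCertVerificationError as exc:
        return f"CA problem: {exc.reason} (add the CA or use the right bundle)"
    except ssl.SSLError as exc:
        return f"handshake failed (check SNI / server configuration): {exc}"
    if covers(cert, host):
        return "ok: CA trusted and certificate covers the hostname"
    return f"domain problem: certificate is for {cert_dns_names(cert)}, not {host}"


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(diagnose(target))
```

Run it as `python3 diagnose_https.py phorge.example.com`; a self-signed install is reported as a CA problem until you pass the path to your own CA bundle as `cafile`, after which a mismatched name shows up as a domain problem rather than a bare verification error.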