Config > Services > Notification Servers shows an error even though everything's working

I have installed and configured websocket notifications to run over a secure connection, and everything seems to be working:

  • The notifications drop-down shows a green dot and says ‘Connected’.
  • ./bin/aphlict notify --user {MyUserName} --message "Hello" results in a message popping up in the browser.
  • The browser Network panel shows the websocket successfully connecting (status code 101 Switching Protocols).
  • The browser Network panel shows the correct security certificate, which is being served over TLSv1.2.
  • There are no errors in aphlict.log, just connection/message details that correspond with what I’d expect to see.

So, in short, everything seems to be working as expected.

However, the Config > Services > Notification shows a “Connection Error” and displays the following message:

[cURL/60] (https://phabricator.MY_DOMAIN.com:9094/) <CURLE_SSL_CACERT> There was
an error verifying the SSL connection. This usually indicates that the remote host has
an SSL certificate for a different domain name than you are connecting with. Make
sure the certificate you have installed is signed for the correct domain.

Why is that error displayed? Is it a Phabricator bug or is it an indicator that there is, in fact, some kind of issue with my websocket configuration?

Note that the certificate is issued by Let’s Encrypt, in case that’s significant.

Version information

Library      Version       Date        Branchpoint
phabricator  62f5bdbbd2c5  Mon, Mar 9
arcanist     66a6128239e2  Fri, Mar 6

I can’t reproduce this.

Is there anything else I can do to help diagnose this?

Also, are you using Let’s Encrypt? I’m wondering whether it’s something to do with that (though I don’t really know why I think that).

Have you got a custom CA bundle (instead of the default.pem that comes with Arcanist)? I experience the same result whether I use default.pem or download the latest CA bundle from https://curl.haxx.se/docs/caextract.html as custom.pem.

Any additional help would be appreciated.

Is there anything else I can do to help diagnose this?

Yes. Since you have a reproduction environment, you are guaranteed to be able to diagnose this. And since you are the only person with a reproduction environment, you are also the only person who can diagnose this.

You can diagnose this by removing one component of the system at a time until you can understand and describe the system behavior.

(For example, if you suspect Let’s Encrypt may be causing this issue, you can try a certificate from a different provider and see if that works.)

Hi there,

I’m not sure I’m prepared to buy an SSL certificate from elsewhere as this is not a project with any funds behind it. That was kind of the point of using Let’s Encrypt.

However, I am of course able to try any other tests that might be helpful.

The main question for me, with my sysops hat on, is why Phabricator is reporting something different to my web browser. The issue is not that something is ‘not working’, but that it is working differently, therefore the question is why these two different places are giving different reports (and, as the websocket is functionally working, it seems that the error is in Phabricator).

So to attempt to answer that, my first question would be, where does the Phabricator report come from? Is it generated in the browser via JS checks, or server-side by PHP checks, or server-side by some other means? Is there some way to debug this to see what it’s actually doing? If it is via a web request, can we see the request/response headers or view the (e.g.) cURL configuration that is being used?

One other thing - in aphlict.custom.json the "ssl.chain" setting for the servers is blank. Is this correct? The documentation implied it was optional and rarely used, but I’m not really sure how one would know whether it is needed, nor what to set it to if it is.
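On the "ssl.chain" question above, an added example (not part of the original thread and not Phabricator's own code): a server that sends only its leaf certificate is a common way for a browser to show a valid connection while a cURL-style client fails verification, because browsers can often supply a missing intermediate themselves and cURL cannot. The thread does not establish this as the cause here; the file paths and sample config below are constructed, and probe_strict needs network access and takes the CA bundle path (for example the default.pem or custom.pem mentioned earlier) as an assumption.

```python
import re
import socket
import ssl

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def count_pem_certs(pem_text):
    """Number of certificates contained in the text of a PEM file."""
    return len(PEM_CERT.findall(pem_text))

def audit_chain(config, read_file):
    """For each TLS-enabled aphlict server entry, count the certificates it is
    configured to serve (ssl.cert plus the optional ssl.chain file)."""
    findings = []
    for server in config.get("servers", []):
        cert_path = server.get("ssl.cert")
        if not cert_path:
            continue  # plaintext listener, nothing to verify
        sent = count_pem_certs(read_file(cert_path))
        if server.get("ssl.chain"):
            sent += count_pem_certs(read_file(server["ssl.chain"]))
        findings.append({"type": server.get("type"), "port": server.get("port"),
                         "certs_configured": sent, "leaf_only": sent < 2})
    return findings

def probe_strict(host, port, cafile=None):
    """Live check: verify using only what the server sends plus the given CA
    bundle (system store if None). Returns None on success, else the error."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

# Constructed sample data: placeholder PEM bodies and hypothetical paths.
def _pem(n):
    return "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n" * n

SAMPLE_FILES = {"/etc/ssl/example/cert.pem": _pem(1),
                "/etc/ssl/example/fullchain.pem": _pem(2)}
SAMPLE_CONFIG = {"servers": [
    {"type": "client", "port": 9094, "ssl.cert": "/etc/ssl/example/cert.pem", "ssl.chain": ""},
    {"type": "admin", "port": 9095, "ssl.cert": "/etc/ssl/example/fullchain.pem"},
    {"type": "admin", "port": 9096, "listen": "127.0.0.1"}]}

if __name__ == "__main__":
    print(audit_chain(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__))
```

To audit a real installation, load aphlict.custom.json with json.load and pass a read_file function that opens the paths on disk; an entry reported as leaf_only is the one to re-test with probe_strict.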

I had the same error issue recently whilst trying to get a certificate:

$ arc install-certificate
 CONNECT  Connecting to "http://reviews.llvm.org/api/"...
Usage Exception: Failed to connect to server (http://reviews.llvm.org/api/): [cURL/60] 
(http://reviews.llvm.org/api/conduit.ping) <CURLE_SSL_CACERT> There was an error verifying the 
SSL connection. This usually indicates that the remote host has an SSL certificate for a different 
domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.

In the end I ran:

arc set-config https.blindly-trust-domains '["reviews.llvm.org"]'

Then the arc install-certificate worked:

CONNECT  Connecting to "https://reviews.llvm.org/api/"...
LOGIN TO PHABRICATOR
Open this page in your browser and login to Phabricator if necessary:

https://reviews.llvm.org/conduit/login/

Then paste the API Token on that page below.

    Paste API Token from that page:

I am not really comfortable disabling this security feature and, as everything appears to be working, I’m not sure that I need to.

Is anyone able to answer the questions I asked in my comment of March 20th?

How can I run this command in Windows?