Config > Services > Notification Servers shows an error even though everything's working

I have installed and configured websocket notifications to run over a secure connection, and everything seems to be working:

  • The notifications drop-down shows a green dot and says ‘Connected’.
  • ./bin/aphlict notify --user {MyUserName} --message "Hello" results in a message popping up in the browser.
  • The browser Network panel shows the websocket successfully connecting (status code 101 Switching Protocols).
  • The browser Network panel shows the correct security certificate, which is being served over TLSv1.2.
  • There are no errors in aphlict.log, just connection/message details that correspond with what I’d expect to see.

So, in short, everything seems to be working as expected.

However, the Config > Services > Notification shows a “Connection Error” and displays the following message:

[cURL/60] (https://phabricator.MY_DOMAIN.com:9094/) <CURLE_SSL_CACERT> There was
an error verifying the SSL connection. This usually indicates that the remote host has
an SSL certificate for a different domain name than you are connecting with. Make
sure the certificate you have installed is signed for the correct domain.

Why is that error displayed? Is it a Phabricator bug or is it an indicator that there is, in fact, some kind of issue with my websocket configuration?

Note that the certificate is issued by Let’s Encrypt, in case that’s significant.

Version information

Library      Version       Date        Branchpoint
phabricator  62f5bdbbd2c5  Mon, Mar 9
arcanist     66a6128239e2  Fri, Mar 6

I can’t reproduce this.

Is there anything else I can do to help diagnose this?

Also, are you using Let’s Encrypt? I’m wondering whether it’s something to do with that (though I don’t really know why I think that).

Have you got a custom CA bundle (instead of the default.pem that comes with Arcanist)? I experience the same result whether I use default.pem or download the latest CA bundle from https://curl.haxx.se/docs/caextract.html as custom.pem.

Any additional help would be appreciated.

Is there anything else I can do to help diagnose this?

Yes. Since you have a reproduction environment, you are guaranteed to be able to diagnose this. And since you are the only person with a reproduction environment, you are also the only person who can diagnose this.

You can diagnose this by removing one component of the system at a time until you can understand and describe the system behavior.

(For example, if you suspect Let’s Encrypt may be causing this issue, you can try a certificate from a different provider and see if that works.)

Hi there,

I’m not sure I’m prepared to buy an SSL certificate from elsewhere as this is not a project with any funds behind it. That was kind of the point of using Let’s Encrypt.

However, I am of course able to try any other tests that might be helpful.

The main question for me, with my sysops hat on, is why Phabricator is reporting something different to my web browser. The issue is not that something is ‘not working’, but that it is working differently, therefore the question is why these two different places are giving different reports (and, as the websocket is functionally working, it seems that the error is in Phabricator).

So to attempt to answer that, my first question would be, where does the Phabricator report come from? Is it generated in the browser via JS checks, or server-side by PHP checks, or server-side by some other means? Is there some way to debug this to see what it’s actually doing? If it is via a web request, can we see the request/response headers or view the (e.g.) cURL configuration that is being used?

One other thing - in aphlict.custom.json the "ssl.chain" setting for the servers is blank. Is this correct? The documentation implied it was optional and rarely used, but I’m not really sure how one would know whether it is needed, nor what to set it to if it is.
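
Added example (not part of the thread, and not Phabricator's own code): one way to check when a chain file such as the "ssl.chain" setting asked about above is needed. It assumes the openssl CLI is installed, builds a throwaway root, intermediate and leaf, and verifies the leaf against a CA bundle that holds only the root, first with no chain supplied and then with the intermediate supplied. All file names and subjects are constructed, and nothing here establishes that this is the cause of the error reported in the thread.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate here is throwaway test data.
set -eu

# Build root -> intermediate -> leaf in directory $1 (hypothetical file names).
make_demo_pki() {
  local d="$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' \
    '[dn]' '[ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
  # Self-signed root: the only certificate the client's CA bundle will hold.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate, not by the root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=phabricator.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds if the leaf in $1 verifies against a bundle holding only the root.
# $2 (optional) is a chain file presented alongside the leaf.
verifies() {
  local d="$1" chain="${2:-}"
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$chain" "$d/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1
  fi | grep -q ': OK'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
if verifies "$demo_dir"; then echo "leaf only:    verified"
else echo "leaf only:    FAILED (issuer not in bundle)"; fi
if verifies "$demo_dir" "$demo_dir/int.pem"; then echo "leaf + chain: verified"
else echo "leaf + chain: FAILED"; fi
```

To see which certificates a live server actually sends, `openssl s_client -connect HOST:PORT -showcerts` prints each one (HOST and PORT are placeholders).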