Unable to Connect to Notification Server [Solved]

Dear Phabricator team,

I recently migrated Phabricator from CentOS 7 to CentOS 8 for PHP 7.x support. Once migrated, I also updated Phabricator to the latest commit (stable branch).

After updating, the notification service stopped working:

HTTPFutureCURLResponseStatus
[cURL/60] (https://host.domain.tld:22281/status/) <CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in “libphutil/resources/ssl/README”.

I use a publicly trusted certificate from “RapidSSL RSA CA 2018” and was once able to get the notification service running by following this README and updating the default.pem in “libphutil/resources/ssl/default.pem”.

Libphutil was recently deprecated and now I cannot get notifications to work:

https://github.com/phacility/libphutil/blob/master/README

I tried updating the system-wide ca-trust, adjusting php.ini (openssl.cafile, curl.cainfo, openssl.capath) but it did not help.

When I use CURL the certificate trust is valid:

curl --noproxy "*" https://host.domain.tld/status/
ALIVE
curl --noproxy "*" https://host.domain.tld:22281/status/
{"some:json"}

Please let me know if you were able to get notifications working with an “unknown” CA. I see many users struggling with LetsEncrypt CA and of course self-signed certificates.

Many thanks for your help.

Best,
Graeme

The file was moved to arcanist/resources/ssl/README, but looks like the error message was not updated.

Basically, it looks like you should move the default.pem file you used to arcanist/resources/ssl/custom.pem.

Hey @avivey
Many thanks for your quick reply and solving my problem!
Creating a symlink to the proper ca-trust-file did the trick.

These were the steps on CentOS 8:

  • Copy your CA certificate file to the following directory
    cp ca-certificate.crt /etc/pki/ca-trust/source/anchors/

  • Run update-ca-trust
    update-ca-trust

  • Create a symlink to the ca-trust-file
    cd /<path>/phabricator/arcanist/resources/ssl/
    ln -s /etc/pki/tls/certs/ca-bundle.crt custom.pem
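
A pre-flight check for the fix described in this thread, as an added example that is not part of any post or of Phabricator: it confirms that custom.pem resolves to a readable bundle and that the bundle contains your CA certificate, then offers a live request that trusts only that bundle. It assumes the CA file is PEM-encoded; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are
# this example's own; paths passed in are whatever your install uses.

# Print every certificate in a PEM file as one line of base64, with the
# BEGIN/END markers and line wrapping removed, so that differently
# wrapped copies of the same certificate compare equal.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# check_custom_pem <custom.pem> <ca.pem>
# 0 = bundle contains every certificate found in ca.pem
# 1 = a file is missing, unreadable, or a dangling symlink
# 2 = no PEM certificate found in one of the files
# 3 = a CA certificate is absent from the bundle
check_custom_pem() {
    bundle=$1
    ca=$2
    [ -r "$bundle" ] || { echo "unreadable or dangling: $bundle" >&2; return 1; }
    [ -r "$ca" ] || { echo "unreadable: $ca" >&2; return 1; }
    wanted=$(pem_bodies "$ca")
    have=$(pem_bodies "$bundle")
    [ -n "$wanted" ] && [ -n "$have" ] || {
        echo "no PEM certificates found" >&2; return 2; }
    # base64 bodies contain no whitespace or glob characters, so plain
    # word splitting is safe here.
    for body in $wanted; do
        printf '%s\n' "$have" | grep -Fqx -- "$body" || {
            echo "CA certificate missing from $bundle" >&2; return 3; }
    done
    echo "ok: $bundle contains the CA certificate(s) from $ca"
}

# live_check <custom.pem> <status URL>
# Fetches the status URL with curl's --cacert pointing at the bundle, so
# the request trusts that file rather than curl's default CA store.
live_check() {
    curl --silent --show-error --noproxy '*' --cacert "$1" "$2"
}
```

Run `check_custom_pem` against arcanist/resources/ssl/custom.pem and the CA file you copied into the anchors directory, then `live_check` with the same custom.pem and the notification server's /status/ URL.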