I'm using subscribe endpoint of Instagram and it gives me the following error message if my callback_url is HTTPS; it works fine if callback_url is HTTP; the error message:
{
"meta": {
"error_type": "APISubscriptionError",
"code": 400,
"error_message": "Invalid SSL certificate"
}
}
PS: I saw this thread saying "I think this because I checked the SSL certificate for api.instagram.com and it looks OK"; But I dont know where they exactly checked SSL certificate? I dont see this option in Instagram developer console...
Does this mean the callback_url cannot be HTTPS?
Any idea how I can solve it?
Your Callback URL is probably self-signed certificate. Instagram does not support self-signed certificates.
So you have to use HTTP or Get an SSL certificate for your website.
Also check this thread: https://groups.google.com/forum/?fromgroups=#!topic/instagram-api-developers/MaS4fjo8GXQ
Hey folks,
We've made a couple of changes recently that affected the realtime
API, and we wanted to update you all:
1) We centralized some of our error tracking, which made our previous
"blacklisting" rate limits too aggressive; we've identified this and
have raised these errors, resulting in fewer false positives
2) We
switched the library used for the POST requests, which had the
side-effect of starting to enforce proper SSL certificates. If you've
noticed a drop-off in realtime hooks, please double-check that your
certificate is valid on your host. Going forward, this check will be
made when creating subscriptions, too, so incorrect subscriptions
won't be created.
3) Finally, we've updated the documentation to
reflect that http://ec2-... URLs are often problematic (as we're on
Amazon and they will often resolve locally) and we instead recommend
using the public IP or an Elastic IP for that host.
Thanks, Mike
Related
I'm building an HTTP proxy in Node.js, which attempts to intercept HTTPS connections, using a self-signed certificate. I'm using a bare http.Server, instantiating my own tls.TLSSocket to upgrade sockets as required, and the functionality all works great when the CA is trusted by the client.
If the client isn't configured with the CA though, it obviously rejects the connection, complaining that there's a self-signed certificate in the chain.
That's all as it should be, but I'd like a way to detect that this has happened from the server-side, so I can prompt the user to correctly configure their client.
Is it possible to do this? It seems the TLS RFC (https://www.rfc-editor.org/rfc/rfc5246#section-7.2.2) has quite a few error alert messages about certificate rejections, which I would expect to cover this, but I can't see to see any debug info in Node about those even with NODE_DEBUG=tls.
Really I'd like to subscribe to TLS error alert events, so I can react to the various interesting cases in there directly. How can I do that?
Usually all what you see is that the client closes the connection. Some clients might send an alert, others don't - the exact behavior depends on the TLS stack. Anyway, you could not redirect the client from within this dead connection anyway.
What you might try is to have some initial page served with plain HTTP where you include some image or similar from a HTTPS resource using a certificate signed with your CA. With some script you can detect if the client has successfully loaded the image or not and in the latter case you can show your information about needing to install some certificate.
I am testing d3.js and have a working call to a service, but when I added SSL to service and client, it doesn't work. This is probably due to that the SSL certificate is self signed.
Is there a way in d3.js to have it ignore the SSL error?
Updated 2017-02-28:
A request for code, which I excluded since it is no major thing. Below is a simple call, which actually only retrieves a file with json-formated data. But the issue would be same when calling the actual REST service.
d3.json("https://vbgmysql01.local/d3/data2.json", function(error,json) {
console.log(error);
data = json.devices;
render(data);
});
For this call Chrome (on Windows) gives the following error message
GET https://vbgmysql01.local/d3/data2.json net::ERR_INSECURE_RESPONSE
If I place my webpage on the same server, and first accepts the self signed certificate, then everything will work. But that is obviously not how it will be running when finished.
This is how I solved it. It is not a nice solution, but on the other hand then I should use a real certificate instead.
Connect to the service with the self-signed service. Accept all browser warnings and continue to the site.
Connect to my webpage (in my case using http).
Now data is retrieved, but might require some CORS magic, if not allready present. Thanks for all input.
Recently, I was trying to build a bot for myself. It works flawlessly when I'm using ngrok to test my bot locally, but when I deployed to AWS, I started seeing the error captured below occasionally, and causing no webhook request sent to my server from Facebook. I have no idea what could possibly go wrong. I have check the request going to my server with tcpflow as well, but there's no luck, it seems like Facebook just didn't send that particular request to my server. This is a really weird problem that happens in no particular point of my bot conversation flow. I always need to repeat my answer or my postback in order to get it to work.
Some basic server info (don't know if this matters) :
Availability zone: ap-southeast-1b
Type: t2.micro
CPU usage (at that moment): 4%
I would really appreciated if anyone could solve my mystery. Thanks.
FYI, I have reported this to Facebook: https://developers.facebook.com/bugs/1825253057751227
Your webhook server has to work over valid https (not self signed).
My advice - add https to webhook server, using cloudflare service (it`s free), or get a free valid certificate using letsencrypt
If your error is occasional, I would recommend moving your instance size up from Micro, to at least Medium or Large and make it a Dedicated instance. The resources required to run the letsencrypt client, combined with your bot traffic and noisy neighbors might overcome a shared micro instance.
I am having trouble with certificate when using websocket (WSS://).
What is working
For now, I've been using websocket with WEB_SOCKET_FORCE_FLASH = true and I had no issues with connecting to my websocket server.
What is not working
I am trying to turn that option off, to stop using flash plugin for connecting. Problem occurs when i try to connect my websocket client to server. WebSocket opening handshake was canceled message appears.
I can disable this message, by going to https://127.0.0.1:9999. My browser will show that "This Connection is Untrusted", and if I add an exception here, my websocket connection will start working without any problem from now on. But i CAN'T make every end user to do that, right?
Google groups with this idea
What I need?
Is there any way, to buy, or create some self-signed certificate, which I can use? The problem is also that, it doesn't have to be localhost/127.0.0.1 but also any other IP in local network. (like 192.168.0.100 etc). End user can change that IP whenever he likes to. He just needs to point on the PC where my desktop app/websocket server is running.
What have I tried?
I sure tried to find my answer in google, browsing tons of forums, sites, and even few questions and all answers here on stack overflow.
I also tried not using certificate at all, but my page is on https:// so connection using ws:// is impossible.
Code
I know, code is usually obligatory, but I actually got my websocket client/server working, but the issue is certificate, so i hope you can forgive me lack of code.
missing info?
Do i need to provide any more information? I am willing to make multiple edits if needed.
While the current certificate system is kind of broken it is fortunately not broken enough to allow what you want. What you expect to get based on your description is a certificate for an IP addresses (bad idea anyway) which you don't even own fully (you cannot claim to be the owner of 127.0.0.1 or similar addresses) which then will be accepted by every browser without the need to add a manual exception by the user.
I am developing a firefox addon, and I need to make https calls. I am given an SSL certificate information (Serial Number, SHA1 Fingerprint, andMD5 Fingerprint). When I try to use the Request module from my main.js I always get a status of 0. I tried the Request module with other http requests which are not secured and it works fine.
So I assume that the 0 status has to do with the SSL certificate.
Although I try to simulate the same requests using Dev-HTTP-Client google chrome plugin and it works fine and I can get proper responses from the https server.
I am not sure but I think I need to use the chrome module Cc["#mozilla.org/security/... to make this work.
If you can guide me with the proper steps to setup the SSL certificate information from inside the addon that would be great
Unfortunately there is no direct way to verify a cert manually and continue with the request. Instead you need to add an override on error yourself and retry.
Attempt to make a regular XMLHttpRequest via nsIXMLHttpRequest. There is enough code and samples around on SO and Google describing how to do it. The requests module won't do, as it hides some necessary details.
Implement nsIBadCertListener2 and stuff it into req.channel.notificationCallbacks (might want to preserve the original callbacks).
If your .notifyCertProblem() get called, that means the cert did not verify. Now it's up to you to verify the cert with your seeded fingerprint (and serial).
If your seeded infos match, add a cert override (that won't work for STS hosts, of course)
Re-spin the request after adding the override, as the first request already got canceled as soon as it hit notifyCertProblem().
Most of the stuff is neatly demonstrated in ErrorPage.jsm of Boot2Gecko (still applies to all other mozilla powered products). That's a cross reference, so click around ;)
Of course, you'll need to use the chrome module.
I should mention that it is deliberate that I'm not giving a complete copy-pasta code solution, only all required pointers, as it is my opinion that a person should be capable enough to work with what I provided, or don't touch security subsystems in the first place.