I'm having trouble getting Amazon SNS to send a subscription message to my HTTPS endpoint. The CloudWatch logs report the following:
{
"delivery": {
"deliveryId": "7bdda6a5-0000-5d6d-b0c0-e9b254fde521",
"destination": "https://www.beta.yogacentre.com/webhooks/sns",
"providerResponse": "SSLPeerUnverifiedException in HttpClient",
"dwellTimeMs": 63661,
"attempts": 4
},
"status": "FAILURE"
}
It looks like it doesn't like the SSL certificate I'm using, but I confirmed that the root CA is on the list SNS checks. Chrome reports my connection uses TLS 1.2, so it should be compatible with the recent end of SSLv3 support.
As a sanity check I tried subscribing to a regular HTTP endpoint and it worked right away. What could be causing the problem? My certificate can be found at https://www.beta.yogacentre.com/ in case there is something I missed.
Have a look at the report for this site from SSLLabs and you will see:
This server's certificate chain is incomplete. Grade capped to B.
This means that the server is not properly set up, in that it does not send all needed chain certificates, i.e. everything in the trust path between the leaf certificate for the site and the root certificate trusted by the browser or system. Looking at the details you will see that the server sends only the leaf certificate, and the missing certificate for "COMODO RSA Domain Validation Secure Server CA" is marked as "Extra Download".
While some browsers like Chrome will download missing certificates from the internet, others don't, and applications outside of browsers don't do it either. Thus all these clients which don't know the missing chain certificate will fail because they cannot build the trust chain, which causes the SSLPeerUnverifiedException you see. Therefore you need to fix your server configuration to also send the missing chain certificates. Details depend on the server configuration.
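To make the difference between the two client behaviours concrete, here is an added example (not code from the question, the answer, or AWS) that models chain building the way a non-browser TLS client does it: start at the leaf, look for each issuer among the certificates the server presented, and stop at a certificate in the local trust store. Certificates are reduced to subject/issuer name pairs so the example runs offline; the root CA name and the `aia_fetch` callback that stands in for a browser's "Extra Download" are constructed for illustration and are not taken from the page.

```python
"""Model of TLS chain building: a server that omits its intermediate CA
passes with a browser that fetches missing certificates, but fails with a
client that only uses what was presented plus its local trust store.
Constructed example; names are illustrative, not real certificates."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(presented, trust_store, aia_fetch: Optional[Callable[[str], Optional[Cert]]] = None):
    """Walk from presented[0] (the leaf) towards a trusted root.

    Returns (ok, path, reason). Certificates are located, in order, in the
    server-presented list, then (only if aia_fetch is given, i.e. a
    browser-like client) by an out-of-band download, and the walk ends when
    an issuer is found in the local trust store."""
    by_subject = {c.subject: c for c in presented}
    roots = {c.subject: c for c in trust_store}
    path = [presented[0]]
    seen = set()
    while True:
        cur = path[-1]
        if cur.subject in seen:
            return False, path, "loop in chain"
        seen.add(cur.subject)
        if cur.issuer in roots:
            path.append(roots[cur.issuer])
            return True, path, "anchored at trusted root"
        if cur.is_self_signed():
            return False, path, "self-signed certificate not in trust store"
        nxt = by_subject.get(cur.issuer)
        if nxt is None and aia_fetch is not None:
            nxt = aia_fetch(cur.issuer)  # the "Extra Download" step browsers do
        if nxt is None:
            # This is the SSLPeerUnverifiedException situation: the issuer is
            # neither presented by the server nor in the trust store.
            return False, path, f"issuer not presented by server: {cur.issuer}"
        path.append(nxt)


# Constructed chain. The leaf and intermediate names mirror the answer's
# SSLLabs description; the root name is an invented placeholder.
ROOT = Cert("Example Root CA (placeholder)", "Example Root CA (placeholder)")
INTERMEDIATE = Cert("COMODO RSA Domain Validation Secure Server CA", ROOT.subject)
LEAF = Cert("www.beta.yogacentre.com", INTERMEDIATE.subject)
TRUST_STORE = [ROOT]

# Stand-in for a browser downloading the missing intermediate from the CA.
_AIA_REPOSITORY = {INTERMEDIATE.subject: INTERMEDIATE}


def browser_aia_fetch(subject: str) -> Optional[Cert]:
    return _AIA_REPOSITORY.get(subject)


def sns_like_client(presented):
    """Non-browser client: no extra downloads, presented certs + trust store only."""
    return build_chain(presented, TRUST_STORE)


def browser_like_client(presented):
    """Browser-style client that can fetch a missing intermediate."""
    return build_chain(presented, TRUST_STORE, aia_fetch=browser_aia_fetch)


if __name__ == "__main__":
    misconfigured = [LEAF]                 # what the server in the question sends
    fixed = [LEAF, INTERMEDIATE]           # leaf followed by the intermediate
    for label, chain in (("leaf only", misconfigured), ("leaf + intermediate", fixed)):
        for name, client in (("non-browser", sns_like_client), ("browser", browser_like_client)):
            ok, path, why = client(chain)
            print(f"{label:20s} {name:12s} ok={ok!s:5s} {why}")
```

Run against a live endpoint, the equivalent inspection is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if the intermediate is absent from that output, the server-side chain file needs it appended after the leaf certificate.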