SSL producing intermittent errors on GET requests

Question

SSL producing intermittent errors on GET requests

Closed this issue 6 years ago · 19 comments

SSL, or at least SSL instantiated on dev.lg.org on digital ocean server is producing intermittent SSL errors on GET requests from non-dev.lg.org sites. Most recently, it's been happening for the Five Dollar Challenge:

http://code510.org/yri/fdc/

I'm attaching a sample screenshot:

At one point last Thursday, this error was happening each time I loaded the page for at least one resource. Any ideas?

Answer 1 · 2016-05-02T21:37:23.000Z

Another one that just happened:

Answer 2 · 2016-05-03T22:05:28.000Z

So what is generally happening when you get the errors? Are you just clicking around? I'm trying to reproduce, but unable so far. Also if we can get a time stamp for when an error occurs, maybe I can find a log to match.

Answer 3 · 2016-05-03T22:20:46.000Z

I did find this in apache error logs.

[Tue May 03 06:05:23.273379 2016] [ssl:error] [pid 6890:tid 140120413923072] AH02032: Hostname 104.236.160.109 provided via SNI and hostname *.localground.org provided via HTTP are different

Answer 4 · 2016-05-03T22:24:01.000Z

Awesome! Do you understand what that error means?

On Tue, May 3, 2016 at 3:20 PM, Scot Spinner notifications@github.com
wrote:

I did find this in apache error logs.

[Tue May 03 06:05:23.273379 2016] [ssl:error] [pid 6890:tid
140120413923072] AH02032: Hostname 104.236.160.109 provided via SNI and
hostname *.localground.org provided via HTTP are different

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#82 (comment)

Answer 5 · 2016-05-03T22:27:16.000Z

Just happened again!

On Tue, May 3, 2016 at 3:23 PM, Sarah Van Wart vanwars@gmail.com wrote:

Awesome! Do you understand what that error means?

On Tue, May 3, 2016 at 3:20 PM, Scot Spinner notifications@github.com
wrote:

I did find this in apache error logs.

[Tue May 03 06:05:23.273379 2016] [ssl:error] [pid 6890:tid
140120413923072] AH02032: Hostname 104.236.160.109 provided via SNI and
hostname *.localground.org provided via HTTP are different

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#82 (comment)

Answer 6 · 2016-05-03T22:28:12.000Z

no I don't really understand that error... yet.

Answer 7 · 2016-05-03T22:32:08.000Z

dev.localground.org:80 50.131.127.220 - - [03/May/2016:22:29:43 +0000] "GET /profile/photos/L3VzZXJkYXRhL21lZGlhL2FzaGEvcGhvdG9zL2ltZzk2OTVfNTAwLmpwZyMxNDYyMzE0NTc5/ HTTP/1.1" 302 724 "http://code510.org/yri/fdc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36"

I bet it's because we are returning a 302 redirect. So sometimes it caches the redirect, and then it works correctly, but when it gets a 302 back I think that's against ssl protocol or something.

Answer 8 · 2016-05-03T22:33:33.000Z

Now the question is why are we returning a 302 for those addresses?

Answer 9 · 2016-05-03T22:36:42.000Z

Hmm, the only redirect is for http to https. @vanwars Are you making all those requests as https requests?

Answer 10 · 2016-05-03T22:44:41.000Z

Ah ha! So it looks like in the API feeds, the media links are being served
over http (hence requiring apache to redirect them all to https). You can
see what I mean here:
https://dev.localground.org/api/0/projects/33/

(scroll down)

So, one fix is to make sure those links are being encoded as https.
However, that doesn't explain the SSL error that happened on the JSON
request (in the screenshot above).

On Tue, May 3, 2016 at 3:36 PM, Scot Spinner notifications@github.com
wrote:

Hmm, the only redirect is for http to https. @vanwars
https://github.com/vanwars Are you making all those requests as https
requests?

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#82 (comment)

Answer 11 · 2016-05-03T22:52:51.000Z

hmm, ya that one is a timeout error. So probably a different issue. I haven't seen that one yet. Next time it happens let's try to get a timestamp so I can look at the logs.

Answer 12 · 2016-05-03T22:56:04.000Z

Hmmm, actually, the image that I thought I attached didn't work. Attaching now.

Timestamp: Today at ~3:26PM

Answer 13 · 2016-05-04T14:57:19.000Z

Hi Scot, I updated the settings.py file so that the default protocol for serving media files is HTTPS (so no redirects will be issued). Hopefully this will fix the photo-serving errors. But this won't fix the API query error documented in the screenshot above. When you get a chance, can you do an apache2 log trace for 5/3/2016, ~3:26PM and see if you can get more intel? Thanks!

Answer 14 · 2016-05-05T21:23:45.000Z

This might be that request, but it returned a 200.
dev.localground.org:443 184.23.248.242 - - [03/May/2016:21:32:24 +0000] "GET /api/0/photos/?page_size=150&format=json&query=WHERE%20project%20=%2033 HTTP/1.1" 200 16131 "https://youthradio.org/innovationlab/fdc/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

Can we check that this link isn't also a http request originally?

These are probably related, but I think safe to ignore.
from error.log
[Tue May 03 06:05:23.273379 2016] [ssl:error] [pid 6890:tid 140120413923072] AH02032: Hostname 104.236.160.109 provided via SNI and hostname *.localground.org provided via HTTP are different
from access log.
dev.localground.org:443 54.186.136.99 - - [03/May/2016:06:05:23 +0000] "GET / HTTP/1.1" 400 5595 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"

Answer 15 · 2016-05-05T21:28:37.000Z

Hmm. It looks like that one came from Youth Radio's server (not the one I generated from my local machine), but perhaps that one's not in the logs. I'm certain that it's not an http request originally. The request is hardcoded as https here:
https://github.com/vanwars/fdc/blob/master/js/map-app.js

Answer 16 · 2016-05-05T21:31:17.000Z

I think that address is what page the browser was on when it made the request. Were you browsing on localhost? or youthradio.org?

Answer 17 · 2016-05-05T21:35:59.000Z

Exactly. I was using a local server (localhost:8000), and accessing
https://dev.localground.org/api/0/photos/ from my local server.

On Thu, May 5, 2016 at 2:31 PM, Scot Spinner notifications@github.com
wrote:

I think that address is what page the browser was on when it made the
request. Were you browsing on localhost? or youthradio.org?

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#82 (comment)

Answer 18 · 2016-05-05T21:41:57.000Z

Ok, maybe this one was yours then. Still a 200, so I'm not sure. I've looked for things like /api/0/photos/?... and I think I've only seen 200s. Have you seen the ssl error today at all?

dev.localground.org:443 208.127.240.8 - - [03/May/2016:21:32:26 +0000] "GET /api/0/photos/?page_size=150&format=json&query=WHERE%20project%20=%2033 HTTP/1.1" 200 16131 "http://localhost:8000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0"

Answer 19 · 2016-05-05T21:47:10.000Z

I haven't seen it in a couple of days. Maybe fixing media links fixed it?
Fingers crossed.

On Thu, May 5, 2016 at 2:41 PM, Scot Spinner notifications@github.com
wrote:

Ok, maybe this one was yours then. Still a 200, so I'm not sure. I've
looked for things like /api/0/photos/?... and I think I've only seen 200s.
Have you seen the ssl error today at all?

dev.localground.org:443 208.127.240.8 - - [03/May/2016:21:32:26 +0000]
"GET
/api/0/photos/?page_size=150&format=json&query=WHERE%20project%20=%2033
HTTP/1.1" 200 16131 "http://localhost:8000/" "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0"

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#82 (comment)