0
Not a bug

Starting today, calling the API is giving me a certificate error

legacy370 3 years ago updated by Michael J. Radwin 3 years ago 2

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)):

Answer

Answer
Not a bug

Hi, thanks for using Hebcal. We are sorry to hear you are having SSL certificate expired issues.


Unfortunately, we are unable to reproduce this error.


mradwin ~ % curl --compressed -v 'https://www.hebcal.com/shabbat?cfg=json&zip=90210'
*   Trying 45.55.96.251...
* TCP_NODELAY set
* Connected to www.hebcal.com (45.55.96.251) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=hebcal.com
*  start date: Aug 30 00:57:02 2021 GMT
*  expire date: Nov 28 00:57:01 2021 GMT
*  subjectAltName: host "www.hebcal.com" matched cert's "www.hebcal.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdf7980ec00)
> GET /shabbat?cfg=json&zip=90210 HTTP/2
> Host: www.hebcal.com
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: deflate, gzip
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx/1.18.0 (Ubuntu)
< date: Thu, 30 Sep 2021 15:48:57 GMT
< content-type: application/json; charset=utf-8
< content-length: 770
< vary: Accept-Encoding
< etag: W/"17a-Tj/NK7JgcA6OrApV7TdezSRU3LY"
< last-modified: Thu, 30 Sep 2021 15:48:45 GMT
< expires: Sun, 03 Oct 2021 07:00:00 GMT
< content-encoding: gzip
< x-response-time: 6.331ms
< x-varnish: 2229171 133656
< age: 12
< via: 1.1 varnish (Varnish/6.2)
< access-control-allow-origin: *
< accept-ranges: bytes
< 
* Connection #0 to host www.hebcal.com left intact
{"title":"Hebcal Beverly Hills October 2021","date":"2021-09-30T15:48:45.277Z","location":{"title":"Beverly Hills, CA 90210","city":"Beverly Hills","tzid":"America/Los_Angeles","latitude":34.103131,"longitude":-118.416253,"cc":"US","country":"United States","admin1":"CA","geo":"zip","zip":"90210","state":"CA"},"items":[{"title":"Candle lighting: 6:19pm","date":"2021-10-01T18:19:00-07:00","category":"candles","title_orig":"Candle lighting","hebrew":"הדלקת נרות","memo":"Parashat Bereshit"},{"title":"Shabbat Mevarchim Chodesh Cheshvan","date":"2021-10-02","category":"mevarchim","hebrew":"שבת מברכים חודש חשון","memo":"Molad Cheshvan: Wed, 11 minutes and 12 chalakim after 12:00"},{"title":"Parashat Bereshit","date":"2021-10-02","category":"parashat","hebrew":"פרשת בראשית","leyning":{"1":"Genesis 1:1 - 2:3","2":"Genesis 2:4 - 2:19","3":"Genesis 2:20 - 3:21","4":"Genesis 3:22 - 4:18","5":"Genesis 4:19 - 4:22","6":"Genesis 4:23 - 5:24","7":"Genesis 5:25 - 6:8","torah":"Genesis 1:1-6:8","haftarah":"Isaiah 42:5 - 43:10","haftarah_sephardic":"Isaiah 42:5 - 42:21","maftir":"Genesis 6:5 - 6:8","triennial":{"1":"Genesis 5:1 - 5:5","2":"Genesis 5:6 - 5:8","3":"Genesis 5:9 - 5:14","4":"Genesis 5:15 - 5:20","5":"Genesis 5:21 - 5:24","6":"Genesis 5:25 - 5:31","7":"Genesis 5:32 - 6:8","maftir":"Genesis 6:5 - 6:8"}},"link":"https://<a href="http://www.hebcal.com" class="redactor-autoparser-object">www.hebcal.com</a>/sedrot/bereshit-20211002?utm_source=js&utm_medium=api"},{"title":"Havdalah: 7:13pm","date":"2021-10-02T19:13:00-07:00","category":"havdalah","title_orig":"Havdalah","hebrew":"הבדלה"}]}* Closing connection 0
mradwin ~ % 

For reference for other users, we were able to diagnose this issue further.

The author appears to be running into the Let's Encrypt Certificate Authority expiry issue that is documented here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/


Hebcal's certificate itself is valid and expires in 1 month and 28 days:

https://www.ssllabs.com/ssltest/analyze.html?d=www.hebcal.com&latest

However, very old operating systems or browsers need to update their CA store so they can trust the more modern Let's Encrypt signing authority.

    Answer
    Not a bug

    Hi, thanks for using Hebcal. We are sorry to hear you are having SSL certificate expired issues.


    Unfortunately, we are unable to reproduce this error.


    mradwin ~ % curl --compressed -v 'https://www.hebcal.com/shabbat?cfg=json&zip=90210'
    *   Trying 45.55.96.251...
    * TCP_NODELAY set
    * Connected to www.hebcal.com (45.55.96.251) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=hebcal.com
    *  start date: Aug 30 00:57:02 2021 GMT
    *  expire date: Nov 28 00:57:01 2021 GMT
    *  subjectAltName: host "www.hebcal.com" matched cert's "www.hebcal.com"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7fdf7980ec00)
    > GET /shabbat?cfg=json&zip=90210 HTTP/2
    > Host: www.hebcal.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    > Accept-Encoding: deflate, gzip
    > 
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 200 
    < server: nginx/1.18.0 (Ubuntu)
    < date: Thu, 30 Sep 2021 15:48:57 GMT
    < content-type: application/json; charset=utf-8
    < content-length: 770
    < vary: Accept-Encoding
    < etag: W/"17a-Tj/NK7JgcA6OrApV7TdezSRU3LY"
    < last-modified: Thu, 30 Sep 2021 15:48:45 GMT
    < expires: Sun, 03 Oct 2021 07:00:00 GMT
    < content-encoding: gzip
    < x-response-time: 6.331ms
    < x-varnish: 2229171 133656
    < age: 12
    < via: 1.1 varnish (Varnish/6.2)
    < access-control-allow-origin: *
    < accept-ranges: bytes
    < 
    * Connection #0 to host www.hebcal.com left intact
    {"title":"Hebcal Beverly Hills October 2021","date":"2021-09-30T15:48:45.277Z","location":{"title":"Beverly Hills, CA 90210","city":"Beverly Hills","tzid":"America/Los_Angeles","latitude":34.103131,"longitude":-118.416253,"cc":"US","country":"United States","admin1":"CA","geo":"zip","zip":"90210","state":"CA"},"items":[{"title":"Candle lighting: 6:19pm","date":"2021-10-01T18:19:00-07:00","category":"candles","title_orig":"Candle lighting","hebrew":"הדלקת נרות","memo":"Parashat Bereshit"},{"title":"Shabbat Mevarchim Chodesh Cheshvan","date":"2021-10-02","category":"mevarchim","hebrew":"שבת מברכים חודש חשון","memo":"Molad Cheshvan: Wed, 11 minutes and 12 chalakim after 12:00"},{"title":"Parashat Bereshit","date":"2021-10-02","category":"parashat","hebrew":"פרשת בראשית","leyning":{"1":"Genesis 1:1 - 2:3","2":"Genesis 2:4 - 2:19","3":"Genesis 2:20 - 3:21","4":"Genesis 3:22 - 4:18","5":"Genesis 4:19 - 4:22","6":"Genesis 4:23 - 5:24","7":"Genesis 5:25 - 6:8","torah":"Genesis 1:1-6:8","haftarah":"Isaiah 42:5 - 43:10","haftarah_sephardic":"Isaiah 42:5 - 42:21","maftir":"Genesis 6:5 - 6:8","triennial":{"1":"Genesis 5:1 - 5:5","2":"Genesis 5:6 - 5:8","3":"Genesis 5:9 - 5:14","4":"Genesis 5:15 - 5:20","5":"Genesis 5:21 - 5:24","6":"Genesis 5:25 - 5:31","7":"Genesis 5:32 - 6:8","maftir":"Genesis 6:5 - 6:8"}},"link":"https://<a href="http://www.hebcal.com" class="redactor-autoparser-object">www.hebcal.com</a>/sedrot/bereshit-20211002?utm_source=js&utm_medium=api"},{"title":"Havdalah: 7:13pm","date":"2021-10-02T19:13:00-07:00","category":"havdalah","title_orig":"Havdalah","hebrew":"הבדלה"}]}* Closing connection 0
    mradwin ~ %