
Error # 8 – Lost in Translation


Have you ever tried to order from a restaurant when you and the waiter don't speak the same language? You might face similar confusion when trying to debug SSL errors, since the returned messages can be cryptic or give no indication of how to fix the problem. Many technologies and tools handle SSL differently; however, two of the most common SSL errors (invalid certificates and incomplete certificate chains) are very easy to remedy.

When running into invalid certificate problems, the first action is to make sure that your API testing tool supports the certificate authority (CA) that created the SSL certificate. At Runscope®, we use the Mozilla® CA Included Certificate List, but it’s easy to find what your tool supports with a quick Google search.

If the server’s SSL certificate provider is on the list, the next step is to debug the issue with the SSLLabs SSL Server Test, a free tool that performs a deep analysis of any public SSL web server. In addition to providing hostname grading, warnings and trust issues, the SSLLabs SSL Server Test will also uncover incomplete certificate chain issues. This issue can cause confusion when testing with different tools. Curl®, for example, together with tools such as Postman, will automatically include an ‘Accept’ header for any MIME type (‘*/*’) with every request, while Runscope doesn’t add a default Accept header. The upshot is that you could get different results when testing the same endpoint, so be prepared to cover all bases.

SSL certificate chains can be handled differently across browsers and tools. When a browser or tool connects to a server, it checks whether the server's certificate was issued by a trusted CA. If it wasn't, it checks whether the intermediate certificate was instead issued by a trusted CA, and so on. Those intermediate certificates can be bundled into one file, or they might be links that the browser or tool has to follow. Some browsers or tools won't follow those links, causing an SSL error.

If you have control of the server, fixing this issue requires bundling all intermediate certificates into a single file and updating your server with it. You can usually find instructions on how to do that with a quick Google search of " bundle certificates".
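One way to reproduce an incomplete chain locally and confirm that bundling fixes it, using the `openssl` CLI (an added example, not from the original article; it assumes `openssl` is installed, and the demo CA names, file names and function names are made up here). `chain_ok` verifies a leaf using only the certificates the server sent, the way a tool that does not follow links to intermediates would.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf (server) certificate.
make_demo_pki() {
  d=$1
  # Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = demo' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/cfg"
  # Self-signed root: the only certificate the client trusts.
  openssl req -config "$d/cfg" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in inter leaf; do   # keys and CSRs for the intermediate CA and the leaf
    openssl req -config "$d/cfg" -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root signs the intermediate (as a CA); the intermediate signs the leaf.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 2 -extfile "$d/cfg" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 2 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF SENT: verify LEAF against trust anchor ROOT using only the
# certificates in SENT (what the server presented); nothing is fetched by link.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# The fix: one file, leaf first, then each intermediate in order.
bundle_chain() {
  out=$1; shift
  cat "$@" > "$out"
}

demo() {
  d=$(mktemp -d) || return 2
  make_demo_pki "$d" || return 2
  if chain_ok "$d/root.pem" "$d/leaf.pem" "$d/leaf.pem"; then before=ok; else before=incomplete; fi
  bundle_chain "$d/fullchain.pem" "$d/leaf.pem" "$d/inter.pem"
  if chain_ok "$d/root.pem" "$d/leaf.pem" "$d/fullchain.pem"; then after=ok; else after=incomplete; fi
  rm -rf "$d"
  echo "leaf only: $before; bundled: $after"
}

demo
```

Against a real deployment, the same `chain_ok` call works with your CA bundle as the first argument and the file your server is configured to serve as the third.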
