Update server not reachable [resolved, restart to clear certificate cache]

douglas
Community Member
edited November 2016 in Mac

Previously:


I am unable to check for 1Password for Mac updates in the app. This appears to be because a secure connection cannot be established to https://app-updates.agilebits.com

From https://agilebits.com/downloads, viewing the change log does not work. The download button did not work yesterday iirc but now points directly to cloudfront.net, which works. The direct download link you tweeted to me works: I can connect to https://cache.agilebits.com

I have tried on multiple different networks in Thailand and New Zealand, since 29 October to now. Other network connections on my Mac are working fine. I just rebooted my Mac and it is still happening.


1Password Version: 6.3.5
Extension Version: 4.6.1
OS Version: 10.12.1 (16B2555)
Sync Type: iCloud

Comments

  • douglas
    Community Member

    I found I can reach https://app-updates.agilebits.com on my iPhone. I’ll try Firefox on my Mac later since it has a different security system. It could be this is a bad certificate cache on my Mac.

  • douglas
    Community Member
    edited November 2016

    I can confirm I can reach https://app-updates.agilebits.com/ in Firefox.

    So the best way for me to keep 1Password up-to-date is to set a reminder to periodically check https://app-updates.agilebits.com/ in Firefox and see if the version is different to the version installed. I would welcome any suggestions to improve this process.

    (Related: automatic updates aren’t working https://discussions.agilebits.com/discussion/66609/1password-isn-t-promoting-me-for-updates)

  • AGAlumB
    1Password Alumni

    @douglas: Definitely frustrating. I think it's most important to determine what's going wrong on your machine that's breaking the chain of trust and preventing you from establishing a secure connection. Do you have "security" software or other extensions which may be interfering — or remnants of something? Both AgileBits.com and 1Password.com (and the updater) will reject the connection if there's an invalid certificate, or it cannot be verified that the connection is end-to-end encrypted. Usually this is due to self-signed certificates, proxy settings, or corporate hardware/software/network. If you inspect the certificate when visiting https://app-updates.agilebits.com/ what do you see?

  • douglas
    Community Member

    Thanks for the reply @brenty

    I don’t see any padlock, so I don’t think I can inspect the certificate.

    Here’s nscurl:

    $ nscurl https://app-updates.agilebits.com
    2016-11-22 22:53:07.743 nscurl[74176:2350192] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
    Load failed with error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7f96f6c28c60>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
        "<cert(0x7f96f7030400) s: *.agilebits.com i: AlphaSSL CA - SHA256 - G2>",
        "<cert(0x7f96f7030c00) s: AlphaSSL CA - SHA256 - G2 i: GlobalSign Root CA>",
        "<cert(0x7f96f7019200) s: GlobalSign Root CA i: GlobalSign Root CA>"
    ), NSUnderlyingError=0x7f96f6c290b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7f96f6c28c60>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
        "<cert(0x7f96f7030400) s: *.agilebits.com i: AlphaSSL CA - SHA256 - G2>",
        "<cert(0x7f96f7030c00) s: AlphaSSL CA - SHA256 - G2 i: GlobalSign Root CA>",
        "<cert(0x7f96f7019200) s: GlobalSign Root CA i: GlobalSign Root CA>"
    )}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://app-updates.agilebits.com/, NSErrorFailingURLStringKey=https://app-updates.agilebits.com/, NSErrorClientCertificateStateKey=0}
    

    The -1200 is kCFURLErrorSecureConnectionFailed from CFNetworkErrors.h

    Error code -9802 seems to be

    errSSLFatalAlert            = -9802,    /* Fatal alert */
    

    which isn’t illuminating.
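
Added example, not part of the original thread or of 1Password's code: the nscurl error above already lists the certificates the server presented, so a small parser can pull out the subject/issuer pairs and the two error codes and check whether the chain as sent links by name up to a self-signed root. The function names are hypothetical and the sample is abridged from the post above; only names are compared, not signatures, validity dates or revocation status.

```python
import re

# Abridged from the nscurl output quoted in the post above (values as posted).
SAMPLE = (
    'Load failed with error: Error Domain=NSURLErrorDomain Code=-1200 '
    'UserInfo={_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, '
    'NSErrorPeerCertificateChainKey=(\n'
    '    "<cert(0x7f96f7030400) s: *.agilebits.com i: AlphaSSL CA - SHA256 - G2>",\n'
    '    "<cert(0x7f96f7030c00) s: AlphaSSL CA - SHA256 - G2 i: GlobalSign Root CA>",\n'
    '    "<cert(0x7f96f7019200) s: GlobalSign Root CA i: GlobalSign Root CA>"\n'
    ')}'
)

# Code names exactly as identified in the thread.
KNOWN_CODES = {-1200: "kCFURLErrorSecureConnectionFailed", -9802: "errSSLFatalAlert"}

# The list closes with ")" at the start of a line; "cert(0x...)" parentheses never do.
CHAIN_RE = re.compile(r'NSErrorPeerCertificateChainKey=\((.*?)^\s*\)', re.S | re.M)
CERT_RE = re.compile(r'<cert\(0x[0-9a-f]+\) s: (.+?) i: (.+?)>')

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order reported, leaf first."""
    block = CHAIN_RE.search(text)
    return CERT_RE.findall(block.group(1)) if block else []

def error_codes(text):
    """Map each numeric Code=/CodeKey= value to its name, if the thread gave one."""
    codes = {int(c) for c in re.findall(r'Code(?:Key)?=(-\d+)', text)}
    return {c: KNOWN_CODES.get(c, "unknown") for c in sorted(codes)}

def assess(chain):
    """Name-linkage check only; signatures, dates and revocation are not visible here."""
    if not chain:
        return ("no-chain", "the error text lists no peer certificates")
    for (subj, issuer), (nxt, _) in zip(chain, chain[1:]):
        if issuer != nxt:
            return ("broken-link", f"{subj!r} names issuer {issuer!r} but next is {nxt!r}")
    top, top_issuer = chain[-1]
    if top != top_issuer:
        return ("needs-local-issuer", f"{top_issuer!r} must come from the local store")
    return ("complete", "chain as sent links by name up to a self-signed root")

if __name__ == "__main__":
    print(error_codes(SAMPLE))
    print(assess(parse_chain(SAMPLE)))
```

A "complete" result next to a -9802 failure points the investigation at the client's own trust evaluation rather than at what the server sent.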

  • @douglas,

    Could you open up Keychain Access.app and click on "System Roots" in the sidebar and see what it shows for the GlobalSign Root CA entry? Is it expired or otherwise marked as not trusted? You will want to double click on it to see the trust details.

    The -1200 error in your output makes it seem like something in that chain of allocation isn't trusted on your system (thus the recovery suggestion of would you like to connect anyway?)

    Rudy

  • douglas
    Community Member

    GlobalSign Root CA seems to be valid

    Trying the next level in the chain, I tried visiting https://www.alphassl.com (they use their own certificate) and indeed I see the same problem there. The problem seems to be with the AlphaSSL certificate. I’m not sure how to proceed from here though.

  • AGAlumB
    1Password Alumni

    @douglas: There's definitely not a problem with the actual certificate, or you wouldn't be the only one having this problem. I wonder if, for whatever reason, you're suffering from an issue from over a month ago. Please follow the instructions here to clear your cache:

    Globalsign certificate revocation

    Let me know if that helps. Who knows, maybe you haven't even restarted your Mac in over a month! :)

  • douglas
    Community Member

    Yes, this does look like the same problem. GlobalSign reached out to me over Twitter and their suggestion has fixed the problem.

    Sorry for adding noise here, but I hadn’t been seeing problems with anything except 1Password. And yeah, it’s pretty likely I hadn’t restarted for over a month — that’s normally a good thing!

    Thank you for all the help.

  • @douglas,

    I'm glad that resolved it, let us know if you run into any other problems in the future.

    Rudy

This discussion has been closed.