Why does my family login page respond with a 403

jplussier
jplussier
Community Member
in Families

I cannot access any sign page for 1Password. Both https://my.1password.com/signin/ and my family login URL respond with a 403 forbidden.

This is soul crushingly frustrating.

1Password Version: N/A
Extension Version: N/A
OS Version: Linux Mint 18.1 Cinnamon
Sync Type: Not Provided
Referrer: forum-search:forbidden

Comments

  • jplussier
    jplussier
    Community Member

    This appears to be a network issue. All three of the SSIDs (which are two separate networks, iirc) result in forbidden requests for everything (web or native app). I have sync error logs from Android and OS X along with the web app problems above.

    If I switch to Sprint 3G service, my Android app is able to sync again. Thanks for helping.

  • Ben
    Ben

    Hi @jplussier

    Thanks for the update. I'd be happy to try and help here, but please understand there is only so much we are able to do when it comes to troubleshooting your network.

    Does your network do any content filtering? Do you use a proxy server? Or anything else you can think of that would be intercepting SSL connections?

    Please let us know. :)

    Ben

  • jplussier
    jplussier
    Community Member
    edited May 2017

    It's hard for me to say if any of those things are happening, unfortunately. This does appear to be a 1Password server issue, if I had to make a guess.

    Anecdotally, not all users in my environment seem to be having this problem, but, the Windows native client may just be very bad at displaying sync errors. I know I had to dive into the app logs to determine that my OS X client was failing due to a sync issue.

    My company does not use a proxy server (least, not one I configure to connect to), however, and as far as I know our company hasn't been using SSL interception. If there are any terminal (curl or otherwise) commands I can use to try and debug who might be causing this, I'm happy to run them. Just for the sake of context, I'm a senior software engineer and am happy to help in a technical capacity.

  • jplussier
    jplussier
    Community Member
    edited May 2017

    [Lengthy command output is now under this Spoiler added by AgileBits]

    `
    -@-  ~   openssl s_client -connect [Removed by AgileBits for privacy on our public forum] -prexit -showcerts  10:47:19
    CONNECTED(00000003)

    6500:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_lib.c:185:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 130 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE

    Expansion: NONE

    -@-l  ~   openssl s_client -connect my.1password.com:443 -prexit -showcerts  10:47:25
    CONNECTED(00000003)

    6553:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_lib.c:185:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 130 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE

    Expansion: NONE

    -@-  ~   openssl s_client -connect www.1password.com:443 -prexit -showcerts  10:47:28
    CONNECTED(00000003)
    depth=1 /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    verify error:num=20:unable to get local issuer certificate

    verify return:0

    Certificate chain
    0 s:/OU=Domain Control Validated/CN=*.1password.com
    i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    -----BEGIN CERTIFICATE-----
    MIIE1zCCA7+gAwIBAgISESENlk5eOTkSQPwD0yJAi1Q/MA0GCSqGSIb3DQEBCwUA
    MEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYD
    VQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE1MDIxODIwMDk1MFoX
    DTIwMDIxODIwMDk1MFowPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
    dGVkMRgwFgYDVQQDDA8qLjFwYXNzd29yZC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQCtl9zzZwPZEhJ/ADQ0A1LFwTGp4i2thqtHqY71pBLqAqfj
    FG668KmT5HrMV6liLUB7tMCv2CXCmUk5c0XGZkwtSV2dpOCUJpqpVnnysWqggDH9
    E8sHT57VMig1SfBTLVPg4vSIvwpaNyi4yTja8vUfVWLpwXRQcc/ZoipsVhRooqfv
    G3IrJ+G//Q1K3XkcaktNeKcwPtJZ0YYbRXaE3iL6NaQko19K+MP9Y1tRvW0jLcu8
    BmnMsaisrtnL98dXGPmI9UCZPBMvjvEZNQWAan6VPAy16+TPUo92XcaFlhusPyjU
    Yka1CHqOwwGdwuQGv3JVoVY0tWB4fkmXimZMVgsfAgMBAAGjggHAMIIBvDAOBgNV
    HQ8BAf8EBAMCBaAwSQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYm
    aHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKQYDVR0RBCIw
    IIIPKi4xcGFzc3dvcmQuY29tgg0xcGFzc3dvcmQuY29tMAkGA1UdEwQCMAAwHQYD
    VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GA1UdHwQ3MDUwM6AxoC+GLWh0
    dHA6Ly9jcmwyLmFscGhhc3NsLmNvbS9ncy9nc2FscGhhc2hhMmcyLmNybDCBiQYI
    KwYBBQUHAQEEfTB7MEIGCCsGAQUFBzAChjZodHRwOi8vc2VjdXJlMi5hbHBoYXNz
    bC5jb20vY2FjZXJ0L2dzYWxwaGFzaGEyZzJyMS5jcnQwNQYIKwYBBQUHMAGGKWh0
    dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc2FscGhhc2hhMmcyMB0GA1UdDgQW
    BBTv9MYbx69bPgezIqz+05ZUi5qv6zAfBgNVHSMEGDAWgBT1zdU8CFD5ak86t5fa
    VoPmadJo9zANBgkqhkiG9w0BAQsFAAOCAQEA2OGEMbhX7wdie/6xZS5IIXvxN8oI
    z5r3sdkteJYGLzEFaZrQvxv8facFnrcRCbz7BN1njF4mkkxmJDuz5XDemgqtFFXA
    hLFLJzUWP6pMmwcsCnJZSmXCSNAbX1dj6BB/4Pa/0w2M/De6DDQyXkEbee7c6hHi
    c8LWxZeHJRrdhhSx7Jko5ou/CseCvNvu3qQZJY69e2zE5cESoNGGE5fFwvz7ItOf
    ++Mh82TOyY36YfY+rBqQ9NJ7s9JAf9oXj2XxBPLbJvPO353mmzoBvmrnoyv5cZJG
    XMBaFYnRADXYRvUSjf4YYx349xkSYViB00fVDKqUNmm9CGJRSE0WCbrsEQ==
    -----END CERTIFICATE-----
    1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
    -----BEGIN CERTIFICATE-----
    MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
    MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2Jh
    bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
    MjIwMTAwMDAwWjBMMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu
    di1zYTEiMCAGA1UEAxMZQWxwaGFTU0wgQ0EgLSBTSEEyNTYgLSBHMjCCASIwDQYJ
    KoZIhvcNAQEBBQADggEPADCCAQoCggEBANoB7OTsc2D7fo9qt8YX45JkMtSsANmi
    D7nt7muKhsqSZ9l0111HAjyPQNaebRTNw9opOacPBQpoomYaHsSyi3ZY5atdHY9A
    szmL7x6DfSLQ46kALuxTz2IZhUQoTMAny3sO7BBkABCkBcygcr5BbDFbSOSx7Lkj
    61VN0H1iSqW0paRZhcUlkab+pgmfBhBtj4EMZEBecwCa4C5lmFQQAHCYyOHtNF/Y
    nMcNwNYjWUX8/lV6hu6UYCLxrtHmVUb2mcUbCHRfrLBkhI+JOByhp5AhTwJuveBh
    Z9T4QocPCvfJBG0qqS/vQqXf3aNT25gegfmacnta3k8+f6JYoOIXrWcCAwEAAaOC
    ASkwggElMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
    DgQWBBT1zdU8CFD5ak86t5faVoPmadJo9zAfBgNVHSMEGDAWgBSP8Et/qC5FJK5N
    UPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9v
    Y3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4YlaHR0
    cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+MDwG
    BFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20v
    cmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFsnfA30jsQHf3U8XxeJUHhV
    EpESFSNyt7yf/zboXTvy7RG7hgFugyWfcS4WIhHIy9yYoTfSuFCj73Clc6x62EP7
    5ros/YN38Q7zjaJKdSdJJ5+9Kq4fFQ5itED807y5maAzrMG4indOACzP9swinQ7C
    daRO4z00bN2CKgJd4S0wQ6hQYqodPYLoRVZI2yqAxNGBI0DozuwiIQpYLPMk/Rza
    vArdFMtyyKsWVCgQnRBCIS7AXUHHQcCasd5fg3WhZSLJRInEXALy4k5bGxjtNeby
    CV/akHyNQxN+Lw3E4hxAT4wK0emK+UOQP3RbzWnljGbrVy56GKcQupSlAkclrDo=

    -----END CERTIFICATE-----

    Server certificate
    subject=/OU=Domain Control Validated/CN=*.1password.com

    issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

    No client certificate CA names sent

    SSL handshake has read 3304 bytes and written 456 bytes

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 6277C8456ACC91EBEAA911FCDF4A1E52C91A2E9D0575708C6F998F0FCA501074
    Session-ID-ctx:
    Master-Key: F09A747B3F4173B2131959760EC5B480270233AEF3322CAD236B7C66E0E2D75ECB782FC69BE1A5041964720F1D1A55A1
    Key-Arg : None
    Start Time: 1494341250
    Timeout : 300 (sec)

    Verify return code: 0 (ok)

    `

  • jplussier
    jplussier
    Community Member
    edited May 2017

    This cURL log may be useful in some regard? Please let me know what other methods of troubleshooting I can attempt.

    [Lengthy command output is now under this Spoiler added by AgileBits]

    ` jp@macbook  ~   openssl s_client -connect [Removed by AgileBits for privacy on our public forum] -prexit -showcerts  10:47:19
    CONNECTED(00000003)

    6500:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_lib.c:185:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 130 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE

    Expansion: NONE

    jp@macbook  ~   openssl s_client -connect my.1password.com:443 -prexit -showcerts  10:47:25
    CONNECTED(00000003)

    6553:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_lib.c:185:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 130 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE

    Expansion: NONE

    jp@macbook  ~   openssl s_client -connect www.1password.com:443 -prexit -showcerts  10:47:28
    CONNECTED(00000003)
    depth=1 /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    verify error:num=20:unable to get local issuer certificate

    verify return:0

    Certificate chain
    0 s:/OU=Domain Control Validated/CN=*.1password.com
    i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    -----BEGIN CERTIFICATE-----
    MIIE1zCCA7+gAwIBAgISESENlk5eOTkSQPwD0yJAi1Q/MA0GCSqGSIb3DQEBCwUA
    MEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYD
    VQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE1MDIxODIwMDk1MFoX
    DTIwMDIxODIwMDk1MFowPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
    dGVkMRgwFgYDVQQDDA8qLjFwYXNzd29yZC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQCtl9zzZwPZEhJ/ADQ0A1LFwTGp4i2thqtHqY71pBLqAqfj
    FG668KmT5HrMV6liLUB7tMCv2CXCmUk5c0XGZkwtSV2dpOCUJpqpVnnysWqggDH9
    E8sHT57VMig1SfBTLVPg4vSIvwpaNyi4yTja8vUfVWLpwXRQcc/ZoipsVhRooqfv
    G3IrJ+G//Q1K3XkcaktNeKcwPtJZ0YYbRXaE3iL6NaQko19K+MP9Y1tRvW0jLcu8
    BmnMsaisrtnL98dXGPmI9UCZPBMvjvEZNQWAan6VPAy16+TPUo92XcaFlhusPyjU
    Yka1CHqOwwGdwuQGv3JVoVY0tWB4fkmXimZMVgsfAgMBAAGjggHAMIIBvDAOBgNV
    HQ8BAf8EBAMCBaAwSQYDVR0gBEIwQDA+BgZngQwBAgEwNDAyBggrBgEFBQcCARYm
    aHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wKQYDVR0RBCIw
    IIIPKi4xcGFzc3dvcmQuY29tgg0xcGFzc3dvcmQuY29tMAkGA1UdEwQCMAAwHQYD
    VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMD4GA1UdHwQ3MDUwM6AxoC+GLWh0
    dHA6Ly9jcmwyLmFscGhhc3NsLmNvbS9ncy9nc2FscGhhc2hhMmcyLmNybDCBiQYI
    KwYBBQUHAQEEfTB7MEIGCCsGAQUFBzAChjZodHRwOi8vc2VjdXJlMi5hbHBoYXNz
    bC5jb20vY2FjZXJ0L2dzYWxwaGFzaGEyZzJyMS5jcnQwNQYIKwYBBQUHMAGGKWh0
    dHA6Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9nc2FscGhhc2hhMmcyMB0GA1UdDgQW
    BBTv9MYbx69bPgezIqz+05ZUi5qv6zAfBgNVHSMEGDAWgBT1zdU8CFD5ak86t5fa
    VoPmadJo9zANBgkqhkiG9w0BAQsFAAOCAQEA2OGEMbhX7wdie/6xZS5IIXvxN8oI
    z5r3sdkteJYGLzEFaZrQvxv8facFnrcRCbz7BN1njF4mkkxmJDuz5XDemgqtFFXA
    hLFLJzUWP6pMmwcsCnJZSmXCSNAbX1dj6BB/4Pa/0w2M/De6DDQyXkEbee7c6hHi
    c8LWxZeHJRrdhhSx7Jko5ou/CseCvNvu3qQZJY69e2zE5cESoNGGE5fFwvz7ItOf
    ++Mh82TOyY36YfY+rBqQ9NJ7s9JAf9oXj2XxBPLbJvPO353mmzoBvmrnoyv5cZJG
    XMBaFYnRADXYRvUSjf4YYx349xkSYViB00fVDKqUNmm9CGJRSE0WCbrsEQ==
    -----END CERTIFICATE-----
    1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
    i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
    -----BEGIN CERTIFICATE-----
    MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
    MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2Jh
    bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
    MjIwMTAwMDAwWjBMMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBu
    di1zYTEiMCAGA1UEAxMZQWxwaGFTU0wgQ0EgLSBTSEEyNTYgLSBHMjCCASIwDQYJ
    KoZIhvcNAQEBBQADggEPADCCAQoCggEBANoB7OTsc2D7fo9qt8YX45JkMtSsANmi
    D7nt7muKhsqSZ9l0111HAjyPQNaebRTNw9opOacPBQpoomYaHsSyi3ZY5atdHY9A
    szmL7x6DfSLQ46kALuxTz2IZhUQoTMAny3sO7BBkABCkBcygcr5BbDFbSOSx7Lkj
    61VN0H1iSqW0paRZhcUlkab+pgmfBhBtj4EMZEBecwCa4C5lmFQQAHCYyOHtNF/Y
    nMcNwNYjWUX8/lV6hu6UYCLxrtHmVUb2mcUbCHRfrLBkhI+JOByhp5AhTwJuveBh
    Z9T4QocPCvfJBG0qqS/vQqXf3aNT25gegfmacnta3k8+f6JYoOIXrWcCAwEAAaOC
    ASkwggElMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
    DgQWBBT1zdU8CFD5ak86t5faVoPmadJo9zAfBgNVHSMEGDAWgBSP8Et/qC5FJK5N
    UPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9v
    Y3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4YlaHR0
    cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+MDwG
    BFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20v
    cmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFsnfA30jsQHf3U8XxeJUHhV
    EpESFSNyt7yf/zboXTvy7RG7hgFugyWfcS4WIhHIy9yYoTfSuFCj73Clc6x62EP7
    5ros/YN38Q7zjaJKdSdJJ5+9Kq4fFQ5itED807y5maAzrMG4indOACzP9swinQ7C
    daRO4z00bN2CKgJd4S0wQ6hQYqodPYLoRVZI2yqAxNGBI0DozuwiIQpYLPMk/Rza
    vArdFMtyyKsWVCgQnRBCIS7AXUHHQcCasd5fg3WhZSLJRInEXALy4k5bGxjtNeby
    CV/akHyNQxN+Lw3E4hxAT4wK0emK+UOQP3RbzWnljGbrVy56GKcQupSlAkclrDo=

    -----END CERTIFICATE-----

    Server certificate
    subject=/OU=Domain Control Validated/CN=*.1password.com

    issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2

    No client certificate CA names sent

    SSL handshake has read 3304 bytes and written 456 bytes

    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 6277C8456ACC91EBEAA911FCDF4A1E52C91A2E9D0575708C6F998F0FCA501074
    Session-ID-ctx:
    Master-Key: F09A747B3F4173B2131959760EC5B480270233AEF3322CAD236B7C66E0E2D75ECB782FC69BE1A5041964720F1D1A55A1
    Key-Arg : None
    Start Time: 1494341250
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---`

  • Frank
    Frank

    Hi jplussier - Sorry for the troubles. To get a better understanding, let's move the conversation over to email. I'll be in a better position to assist you from there. When you get a chance, reply back to me so we can work on this together. :smile:

    ref: PLY-69342-369

This discussion has been closed.