[SOLVED] Problem with TLS at Particle tonight?

I’m getting a stream error on all 4 apps that I currently have running, and that were all running fine this morning. I get both of these errors on Xcode:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814)
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

This error seems to have something to do with the TLS protocol. I get this error running from my phone or from my iMac running Xcode. I’m trying to figure out if this is an Apple problem or a Particle one.

1 Like

@ido

I am having a problem that I believe is related. If I run:

curl https://api.particle.io/oauth/token -u particle:particle -d grant_type=password -d username=xxxxx -d password=xxxxx

I get this error:
curl: (60) SSL certificate problem: unable to get local issuer certificate

This is affecting my applications that depend on connecting to the particle cloud to download readings from my particle devices.

1 Like

I have this on my radar. Will see if this needs to be escalated.

Update:

@osprey, the command seems to work on my side:

curl https://api.particle.io/oauth/token -u particle:particle -d grant_type=password -d username=xxx -d password=xxxx

Output:

{"token_type":"bearer","access_token":"xx","expires_in":7776000,"refresh_token":"xx"

Did that command work for you before?

There have been no changes on the Particle API, related to TLS / SSL certificates or not, for a couple days. If this issue just appeared today and it was working yesterday it’s most likely an issue on your machine, maybe due to a recent system update?

Here’s what I see when I run curl against the API on a Windows machine. Can you post what you see?

curl -v https://api.particle.io/oauth/token
* Adding handle: conn: 0x27e8c70
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x27e8c70) send_pipe: 1, recv_pipe: 0
* About to connect() to api.particle.io port 443 (#0)
*   Trying 52.202.229.241...
* Connected to api.particle.io (52.202.229.241) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\Ruby\cacert.pem
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: CN=*.particle.io
*        start date: 2016-04-23 00:00:00 GMT
*        expire date: 2017-05-23 12:00:00 GMT
*        subjectAltName: api.particle.io matched
*        issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*        SSL certificate verify ok.
> GET /oauth/token HTTP/1.1
> User-Agent: curl/7.30.0
> Host: api.particle.io
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Date: Tue, 14 Mar 2017 10:46:40 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 117
< Connection: keep-alive
* Server nginx is not blacklisted
< Server: nginx
< Access-Control-Allow-Origin: *
< Cache-Control: no-store
< Pragma: no-cache
< ETag: W/"75-PJoF3voMEmjrMl1G5YzwaA"
<
{"error":"invalid_request","error_description":"Method must be POST with application/x-www-form-urlencoded encoding"}* Connection #0 to host api.particle.io left intact

It’s the spark.io SSL certificate that expired. So if you’re using api.spark.io, for example, you’ll run into trouble as of March 13, 2017, but api.particle.io is fine.

3 Likes
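Added example (not part of the original thread, and not Particle's code): a Python check that separates the two failures seen above, an expired server certificate versus a chain the local CA bundle cannot verify (curl's "unable to get local issuer certificate"), and reports days until expiry for endpoints that still verify. The function names and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509 verify codes for the failures discussed in this thread.
EXPIRED = 10                    # "certificate has expired"
UNTRUSTED = {18, 19, 20, 21}    # 20 = "unable to get local issuer certificate"
HOSTNAME_MISMATCH = 62

def classify(verify_code):
    """Turn an OpenSSL verify code into the cause an operator acts on."""
    if verify_code == EXPIRED:
        return "expired"            # server side: certificate must be renewed
    if verify_code in UNTRUSTED:
        return "untrusted-issuer"   # client side: CA bundle lacks the issuer
    if verify_code == HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    return "other"

def days_left(not_after, now=None):
    """Days until notAfter, given in ssl.getpeercert() format."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def check(host, port=443, cafile=None, warn_days=30, timeout=10):
    """Handshake with full verification and report status for one endpoint."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                remaining = days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": classify(exc.verify_code),
                "detail": exc.verify_message}
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    status = "expiring-soon" if remaining < warn_days else "ok"
    return {"host": host, "status": status, "days_left": round(remaining, 1)}

if __name__ == "__main__":
    # Hostnames taken from the thread; requires network access.
    for name in ("api.particle.io", "api.spark.io"):
        print(check(name))
```

An "untrusted-issuer" result that disappears when `cafile` points at a current CA bundle indicates a stale client trust store rather than a server-side problem.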

Thanks a lot for your suggestion. This morning I had the same problem. Now it is working fine.
Best regards
Valentino

1 Like

My real problem is with this line of code that I have in a VB.Net application that uses the SparkIO.WebServices library:

MyCore = New CoreAPI("my_username", "my_password", , , "https://api.particle.io")

This was working fine up until yesterday but then I started getting this error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

I haven’t used curl for a long while, but when I saw that I could not get the curl command to work, I figured that if that could be solved, it would also solve my other problem. The curl problem was easier to explain. I still cannot connect through curl or through the vb.net application. When I saw @Ric’s problem and that its start coincided with mine, I figured the problem was related.

Hi @jvanier,
This is what I get when I run the curl command on my windows machine:

C:>curl https://api.particle.io/oauth/token -u particle:particle -d grant_type=password -d username=xxxxxx -d password=xxxxxx

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Thanks @rickkas7 for pointing me in the right direction. I was using this library that is quite old and it was still using the api.spark.io address.

For the benefit of anyone who might encounter the same problem, here is how I solved it. I downloaded the source code and changed the line reading:

protected const string sparkAddress = "https://api.spark.io";

to

protected const string sparkAddress = "https://api.particle.io";

in the BaseAPI module. Then I recompiled the DLL and replaced the one in my application and the error stopped appearing.

I believe the CURL problem is just a coincidence but it is no big deal for me since I don’t really use it.

Thanks, that was it. I’m using my own SDK that I wrote quite a while ago, so it still had some use of spark.