Failing SSL connection on MAC - macos

I have run into a very peculiar problem on my Mac recently.
All SSL connections fail. Well, browsers work fine, but for instance curl and wget (and a bunch of other apps) fail.
curl -vk https://s3.osl1.safedc.net
* Trying 193.156.25.230...
* TCP_NODELAY set
* Connected to s3.osl1.safedc.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
I have even installed OpenSSL, but it fails the same way:
curl -vk https://s3.osl1.safedc.net
* Trying 193.156.25.230:443...
* Connected to s3.osl1.safedc.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl@1.1/cert.pem
CApath: /usr/local/etc/openssl@1.1/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
The strangest thing is that when I reinstall macOS, it is fixed, until the next day?!
Can anybody think of what can be the problem here? I am out of options and pretty desperate.
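A detail worth reading off the transcripts above: the failure is `SSL_ERROR_SYSCALL` right after the Client Hello, which means the socket was closed or reset before any TLS record came back, so `-k` (which only relaxes certificate verification) cannot change the outcome; and curl reports trying one address (193.156.25.230) but being connected to another (127.0.0.1). The helper below is an added triage aid, not code from the post: it reduces a `curl -v` transcript to those facts (addresses, last handshake step reached, curl exit code) so the failing layer is clear before chasing trust stores. The embedded sample is the first transcript from the question.

```shell
#!/usr/bin/env bash
# Added triage helper, not part of the original post. Reads a `curl -v`
# transcript and reports the address curl tried, the address it says it
# connected to, the last TLS step it reached and the curl exit code.

# Summarise a curl -v transcript read from stdin as three key=value lines.
summarize_curl_transcript() {
  awk '
    # "*   Trying 1.2.3.4..." (old curl) or "*   Trying 1.2.3.4:443..." (new curl)
    $1 == "*" && $2 == "Trying" && tried == "" {
      tried = $3; sub(/\.\.\.$/, "", tried); sub(/:[0-9]+$/, "", tried)
    }
    # "* Connected to host (1.2.3.4) port 443 (#0)"
    $1 == "*" && $2 == "Connected" { connected = $5; gsub(/[()]/, "", connected) }
    # handshake trace: "* TLSv1.2 (OUT), TLS handshake, ..." or "* SSLv3, TLS handshake, ..."
    /^\* (TLSv[0-9.]+ \((IN|OUT)\)|SSLv3), TLS / { step = substr($0, 3) }
    # the final "curl: (35) ..." line carries the exit code
    /^curl: \([0-9]+\)/ { code = $2; gsub(/[()]/, "", code) }
    END {
      mismatch = (tried != "" && connected != "" && tried != connected) ? "yes" : "no"
      printf "tried=%s connected=%s address_mismatch=%s\n", tried, connected, mismatch
      printf "last_step=%s\n", (step == "" ? "none" : step)
      printf "curl_exit=%s\n", (code == "" ? "0" : code)
    }'
}

# Which layer a curl exit code points at. -k/--insecure relaxes only
# certificate verification (codes 51 and 60) and cannot help with code 35.
curl_exit_meaning() {
  case "$1" in
    0)  echo "transfer completed" ;;
    35) echo "TLS handshake failed for a reason other than certificate verification (no TLS reply, alert, or socket closed); -k does not apply" ;;
    51) echo "peer certificate does not match the requested host name" ;;
    60) echo "peer certificate chain did not verify against the local CA bundle" ;;
    *)  echo "curl exit code $1 (see the EXIT CODES section of the curl manual)" ;;
  esac
}

# The first transcript from the question above, embedded so this runs offline.
sample_transcript() {
  cat <<'EOF'
*   Trying 193.156.25.230...
* TCP_NODELAY set
* Connected to s3.osl1.safedc.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
EOF
}

# Live use: summarize_url https://example.org (curl -v writes to stderr, so merge it)
summarize_url() {
  curl -sS -v -o /dev/null "$1" 2>&1 | summarize_curl_transcript
}

if [ "$#" -gt 0 ]; then
  summarize_url "$1"
fi
```

An `address_mismatch=yes` line is the cue to check what the name resolves to on this machine (`dscacheutil -q host -a name ...` on macOS, plus `/etc/hosts` and any proxy environment variables) before touching CA bundles; a `curl_exit=35` with the last step at the Client Hello says no TLS server answered at all.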

Related

What is the default TLS version in Spring Boot?

In the documentation the default value for server.ssl.protocol is TLS, but it does not specify which version will be used.
I read that TLS 1.3 is available since Java 11, but is it used by default in Spring Boot when available?
Is there any configuration that can tell me which version is used in my project?
Or any documentation depending on the Spring boot version that could tell the TLS version used by the framework?
I am using Spring Boot 2.7.3 and JDK 17, and by default it supports TLSv1.3.
You can check that by running the command below. My application is running locally on port 8080, so I passed 127.0.0.1:8080 after -connect.
openssl s_client -connect 127.0.0.1:8080
Output
CONNECTED(00000003)
140704377439424:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1668006818
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
You can change the TLS version with this property:
server.ssl.enabled-protocols=TLSv1.2
Want to read more about this? Refer to the links below:
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.configure-ssl
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#application-properties.server.server.ssl.enabled-protocols
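When s_client is run without forcing a version it simply offers its own maximum, and if the handshake fails the session summary still prints a Protocol line but shows `Cipher is (NONE)` and no peer certificate, as in the output above. The unambiguous check is to force one version per run and see which ones complete. The script below is an added example, not part of the answer; it assumes an openssl binary that knows `-tls1_3` (OpenSSL 1.1.1 or newer, LibreSSL 3.2 or newer) and reports a flag the binary does not understand rather than miscounting it as refused.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above: probe which TLS versions a server
# accepts by forcing one version per `openssl s_client` run.

# Classify s_client output on stdin: "accepted" when a cipher was negotiated,
# "refused" when the summary says "Cipher is (NONE)" or there is no summary,
# and a separate verdict when the openssl binary rejected the version flag.
s_client_result() {
  awk '
    /^New, /            { if ($0 ~ /Cipher is \(NONE\)/) refused = 1; else accepted = 1 }
    /[Uu]nknown option/ { unsupported = 1 }
    END {
      if (unsupported) r = "flag-not-supported-by-this-openssl"
      else r = (accepted && !refused) ? "accepted" : "refused"
      print r
    }'
}

# Force one protocol version (-tls1, -tls1_1, -tls1_2 or -tls1_3) against host:port.
# -servername sends SNI so a name-based virtual host presents the right certificate.
probe_tls_version() {
  local host=$1 port=$2 flag=$3 result
  result=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1 | s_client_result)
  printf '%-8s %s\n' "$flag" "$result"
}

# One line per version; with server.ssl.enabled-protocols=TLSv1.2 only the
# -tls1_2 line should read "accepted".
probe_all_versions() {
  local flag
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    probe_tls_version "$1" "$2" "$flag"
  done
}

if [ "$#" -ge 2 ]; then
  probe_all_versions "$1" "$2"
fi
```

Run it as `./probe.sh 127.0.0.1 8080` against the local Spring Boot instance; a line reading `accepted` for -tls1 or -tls1_1 is the finding to act on, since those versions are deprecated by RFC 8996.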

How to fix unable to check revocation for the certificate when downloading a remote file in Vagrant

As part of my Vagrantfile I have
config.vm.box = "hashicorp/bionic64"
config.vm.provision "shell", path: "https://get.docker.com", name: "dockers"
I'm behind a corporate proxy. I appended my corporate certificate to
C:\HashiCorp\Vagrant\embedded\cacert.pem. I also set the environment variables CURL_CA_BUNDLE and SSL_CERT_FILE, both to C:\HashiCorp\Vagrant\embedded\cacert.pem, which has the certificate.
But still vagrant up fails with the following message:
schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
INFO interface: Machine: error-exit ["Vagrant::Errors::DownloaderError", "An error occurred while downloading the remote file. The error\nmessage, if any, is reproduced below. Please fix this error and try\nagain.\n\nschannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.\r"]
My guess is that Ruby (being used by Vagrant) cannot find the cert or the call to get the revocation list is blocked. Any ideas what is the exact issue here and how to fix it?
Update
In debug mode it appears that curl (possibly called from Ruby?) is trying to download the file:
INFO downloader: Downloader starting download:
INFO downloader: -- Source: https://get.docker.com
INFO downloader: -- Destination: C:/Users/John/.vagrant.d/tmp/12288a08-a7ba-3d92-96ff-8bf28e739099-remote-script
INFO subprocess: Starting process: ["C:\\HashiCorp\\Vagrant\\embedded\\bin/curl.EXE", "-q", "--fail", "--location", "--max-redirs", "10", "--verbose", "--user-agent",
"Vagrant/2.2.16 (+https://www.vagrantup.com; ruby2.6.7) ", "--output", "C:/Users/John/.vagrant.d/tmp/12288a08-a7ba-3d92-96ff-8bf28e739099-remote-script", "https://get.docker.com"]
DEBUG subprocess: Selecting on IO
DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 99.84.174.91:443...
* Connected to get.docker.com (99.84.174.91) port 443 (#0)
* schannel: ALPN, offering http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with get.docker.com port 443
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Have a look at this SO answer.
As mentioned there, disabling the antivirus software until vagrant init had finished solved the problem.

Mac OSX Catalina + tunnelblick SSL/TLS handshake failed

I have installed a brand-new desktop iMac running Catalina version 10.15.4.
Since yesterday I have had problems authenticating to OpenVPN using Tunnelblick. I am currently using Tunnelblick 3.8.2 (build 5480).
Below you can see the error logs from it.
*Tunnelblick: macOS 10.15.4 (19E266); Tunnelblick 3.8.2 (build 5480); Admin user
git commit 6155bb774cf9652ef0231b712d7784ee03d3c85e
Configuration vpngate_vpn244287220.opengw.net_udp_1673
"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk:
dev tun
proto udp
remote vpn244287220.opengw.net 1673
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
================================================================================
Files in vpngate_vpn244287220.opengw.net_udp_1673.tblk:
Contents/Resources/config.ovpn
================================================================================
Configuration preferences:
-routeAllTrafficThroughVpn = 1
-openvpnVersion = -
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-loggingLevel = 3
-lastConnectionSucceeded = 0
================================================================================
Wildcard preferences:
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
================================================================================
Program preferences:
buildExpirationTimestamp = 1587379876
launchAtNextLogin = 1
tunnelblickVersionHistory = (
"3.8.2 (build 5480)",
"3.8.1 (build 5400)"
)
lastLaunchTime = 606821074.439207
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = vpngate_118.241.144.186_udp_1195
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
NSWindow Frame ConnectingWindow = 1085 937 389 187 0 0 2560 1417
NSWindow Frame SUUpdateAlert = 970 783 620 392 0 0 2560 1417
detailsWindowFrameVersion = 5400
detailsWindowFrame = {{1267, 756}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {167, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = vpngate_vpn244287220.opengw.net_udp_1673
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2020-03-25 09:24:34 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times
buildExpirationTimestamp = 1587379876
================================================================================
Tunnelblick Log:
2020-03-25 09:26:50.201403 *Tunnelblick: macOS 10.15.4 (19E266); Tunnelblick 3.8.2 (build 5480)
2020-03-25 09:26:50.512597 *Tunnelblick: Attempting connection with vpngate_vpn244287220.opengw.net_udp_1673; Set nameserver = 769; monitoring connection
2020-03-25 09:26:50.513215 *Tunnelblick: openvpnstart start vpngate_vpn244287220.opengw.net_udp_1673.tblk 58118 769 0 3 0 1098544 -ptADGNWradsgnw 2.5_git_32723d2-openssl-1.1.1e
2020-03-25 09:26:50.531516 *Tunnelblick: openvpnstart starting OpenVPN
2020-03-25 09:26:50.794089 OpenVPN 2.5_git_32723d2 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 22 2020
2020-03-25 09:26:50.794152 library versions: OpenSSL 1.1.1e 17 Mar 2020, LZO 2.10
2020-03-25 09:26:50.795069 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:58118
2020-03-25 09:26:50.795116 Need hold release from management interface, waiting...
2020-03-25 09:26:51.136934 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_32723d2-openssl-1.1.1e/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Svpngate_vpn244287220.opengw.net_udp_1673.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1098544.58118.openvpn.log
--cd /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5480 3.8.2 (build 5480)"
--verb 3
--config /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--management 127.0.0.1 58118 /Library/Application Support/Tunnelblick/lnkadcnbabkakmcajkcbbhagnilekdiadephbbio.mip
--management-query-passwords
--management-hold
--redirect-gateway def1
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-03-25 09:26:51.145350 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58118
2020-03-25 09:26:51.214147 MANAGEMENT: CMD 'pid'
2020-03-25 09:26:51.214221 MANAGEMENT: CMD 'auth-retry interact'
2020-03-25 09:26:51.214269 MANAGEMENT: CMD 'state on'
2020-03-25 09:26:51.214311 MANAGEMENT: CMD 'state'
2020-03-25 09:26:51.214356 MANAGEMENT: CMD 'bytecount 1'
2020-03-25 09:26:51.215097 *Tunnelblick: Established communication with OpenVPN
2020-03-25 09:26:51.231465 *Tunnelblick: >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
2020-03-25 09:26:51.234302 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:51.234590 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:51.234626 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:51.239204 MANAGEMENT: >STATE:1585128411,RESOLVE,,,,,,
2020-03-25 09:26:51.528796 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:51.528866 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:51.528884 UDP link local: (not bound)
2020-03-25 09:26:51.528899 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:51.528956 MANAGEMENT: >STATE:1585128411,WAIT,,,,,,
2020-03-25 09:26:51.834207 MANAGEMENT: >STATE:1585128411,AUTH,,,,,,
2020-03-25 09:26:51.834286 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=5882099d 9d031a26
2020-03-25 09:26:52.177465 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:52.177567 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:52.177582 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:52.177593 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:52.177603 TLS Error: TLS handshake failed
2020-03-25 09:26:52.178015 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:52.218256 MANAGEMENT: >STATE:1585128412,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:52.225982 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:52.226119 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:52.226143 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:52.226301 MANAGEMENT: >STATE:1585128412,RESOLVE,,,,,,
2020-03-25 09:26:52.227535 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:52.227590 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:52.227607 UDP link local: (not bound)
2020-03-25 09:26:52.227622 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:52.227643 MANAGEMENT: >STATE:1585128412,WAIT,,,,,,
2020-03-25 09:26:52.227956 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:52.608861 MANAGEMENT: >STATE:1585128412,AUTH,,,,,,
2020-03-25 09:26:52.608945 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=24e59327 4db6ce3c
2020-03-25 09:26:53.017553 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:53.017616 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:53.017631 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:53.017642 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:53.017652 TLS Error: TLS handshake failed
2020-03-25 09:26:53.017813 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:53.017836 MANAGEMENT: >STATE:1585128413,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:53.026246 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.058693 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:53.058774 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:53.058959 MANAGEMENT: >STATE:1585128413,RESOLVE,,,,,,
2020-03-25 09:26:53.059957 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.060007 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:53.060023 UDP link local: (not bound)
2020-03-25 09:26:53.060037 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.060058 MANAGEMENT: >STATE:1585128413,WAIT,,,,,,
2020-03-25 09:26:53.060373 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.512826 MANAGEMENT: >STATE:1585128413,AUTH,,,,,,
2020-03-25 09:26:53.512940 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=e66bd815 2a66696d
2020-03-25 09:26:53.836081 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:53.836141 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:53.836154 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:53.836165 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:53.836174 TLS Error: TLS handshake failed
2020-03-25 09:26:53.836333 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:53.836363 MANAGEMENT: >STATE:1585128413,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:53.838259 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.838325 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:53.838340 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:53.838419 MANAGEMENT: >STATE:1585128413,RESOLVE,,,,,,
2020-03-25 09:26:53.839406 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.839450 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:53.839465 UDP link local: (not bound)
2020-03-25 09:26:53.839480 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.839499 MANAGEMENT: >STATE:1585128413,WAIT,,,,,,
2020-03-25 09:26:53.839702 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:54.140756 MANAGEMENT: >STATE:1585128414,AUTH,,,,,,
2020-03-25 09:26:54.140859 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=ce43006a 5a2277a1
2020-03-25 09:26:54.446583 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:54.446650 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:54.446674 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:54.446685 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:54.446695 TLS Error: TLS handshake failed
2020-03-25 09:26:54.446864 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:54.446905 MANAGEMENT: >STATE:1585128414,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:54.457512 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:54.487380 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
The app seems to go into some sort of loop, never authenticating.

Success & Error: curl: (60) unable to get local issuer certificate

I'm doing some curl requests from my web application (also from bash) and noticed the following behaviour:
Sometimes when I do a
curl --header "ApiKey: an1ceke3y" https://test.host.com/api/endpoint
I get the following:
curl: (60) SSL certificate problem: unable to get local issuer certificate
But sometimes, even a second after the failed request, I make a successful request.
I made a little test with 6 requests:
1) Success
2) Error
3) Success
4) Success
5) Success
6) Error
Shouldn't the
unable to get local issuer certificate
happen all the time?
Is there a way I could better debug the issue?
Additional information:
API Endpoint is behind a microsoft azure load balancer
Success request (with -v)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
Error request (with -v)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
Thanks!
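"unable to get local issuer certificate" means curl could not link the chain the server sent to a root in `/etc/ssl/certs`; in the failing transcript the client sends its alert immediately after the CERT message, so it is the content of that message that differs between attempts. When the endpoint sits behind a load balancer, the first thing to rule out is that the backends do not all send the same intermediates. The script below is an added diagnostic, not from the post: it reduces each `openssl s_client -showcerts` response to a signature (certificate count plus subjects) and tallies the distinct signatures seen over repeated connections. The sample output is constructed, with `test.host.com` taken from the question and made-up Example CA subjects.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the original post: record the certificate chain
# served on repeated connections so that differing backends show up.

# Reduce `openssl s_client -showcerts` output on stdin to one line: how many
# certificates were sent and their subjects, in order. s_client prints each
# chain element as " N s:<subject>" followed by " i:<issuer>" and the PEM.
chain_signature() {
  awk '
    /^ *[0-9]+ s:/ { n++; s = $0; sub(/^ *[0-9]+ s:/, "", s); sig = sig (n > 1 ? " | " : "") s }
    END { printf "%d cert(s): %s\n", n, sig }'
}

# Connect `count` times with SNI and tally the distinct signatures seen.
# Two different lines in the output means not every response carried the same chain.
probe_chains() {
  local host=$1 port=${2:-443} count=${3:-10} i=0
  while [ "$i" -lt "$count" ]; do
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null | chain_signature
    i=$((i + 1))
  done | sort | uniq -c
}

# Constructed sample of s_client -showcerts output (placeholder PEM, not real).
sample_showcerts() {
  cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = test.host.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Live use: ./probe-chains.sh test.host.com 443 20
if [ "$#" -ge 1 ]; then
  probe_chains "$@"
fi
```

A tally such as `14  2 cert(s): ...` beside `6  1 cert(s): ...` points at a backend that omits the intermediate, which is exactly the response a client with only roots in `/etc/ssl/certs` cannot verify; if every response carries the same chain, the intermittency is on the client side instead and the next check is whether all instances of the client share the same CApath.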

Heroku: SSL Endpoint - subjectAltName does not match www.mydomain.com

I have just been setting up my first app that requires SSL.
It's a RoR app hosted on Heroku.
I have added the SSL Endpoint add-on to my app.
I purchased a SSL certificate from DNSimple.
Then followed these instructions - https://devcenter.heroku.com/articles/ssl-certificate
to concatenate the necessary files. Then uploaded them to my server.
So far so good.
Following these instructions - https://devcenter.heroku.com/articles/ssl-endpoint#testing-your-certificate
for testing my certificate, it seems fine.
I have updated my DNS records with a CNAME that points to my Heroku generated Endpoint.
heroku certs
gives:
Endpoint Common Name(s) Expires Trusted
---------------------------- -------------------------------------- -------------------- -------
<generated_id>.herokussl.com www.mydomain.com, mydomain.com 2014-04-29 23:25 UTC True
But when I try:
curl -v https://www.mydomain.com
I get:
* About to connect() to www.mydomain.com port 443 (#0)
* Trying 107.20.162.205... connected
* Connected to www.mydomain.com (107.20.162.205) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Heroku, Inc.; CN=*.herokuapp.com
* start date: 2011-04-11 00:00:00 GMT
* expire date: 2014-04-15 12:00:00 GMT
* subjectAltName does not match www.mydomain.com
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
Any help appreciated.
There was nothing wrong with the setup/config; there was a delay of about 24 hours, then everything worked as expected.
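The certificate curl received above is `CN=*.herokuapp.com`, the one presented by the shared herokuapp.com endpoint rather than by the SSL endpoint the CNAME was meant to point at, and a wildcard covers exactly one label of its own domain, so it can never satisfy www.mydomain.com. The script below is an added example, not from the post: it implements the host-name matching rule behind "subjectAltName does not match" and wraps a live check of what a name currently resolves to and which SANs it is served when asked for by SNI. It assumes `dig` and `openssl` are installed; no real host is contacted by the tests.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the SAN/host-name matching rule
# and a live check of CNAME target plus served SANs for a name.

# Lower-case a string portably (no bash-4 ${var,,}).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Does one SAN dNSName entry cover the host? A wildcard is honoured only as the
# whole leftmost label and matches exactly one label (RFC 6125 section 6.4.3):
# "*.herokuapp.com" covers "foo.herokuapp.com" but not "www.mydomain.com",
# "a.b.herokuapp.com" or the bare "herokuapp.com".
san_matches_host() {
  local san host suffix first
  san=$(lc "$1"); host=$(lc "$2")
  case "$san" in
    '*.'*)
      suffix=${san#"*."}
      first=${host%%.*}
      [ "$first" != "$host" ] && [ -n "$first" ] && [ "$host" = "$first.$suffix" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# Succeed if any of the given SAN entries covers the host.
cert_covers_host() {
  local host=$1 name
  shift
  for name in "$@"; do
    if san_matches_host "$name" "$host"; then return 0; fi
  done
  return 1
}

# Live check: where the name points (CNAME chain) and which dNSName SANs the
# endpoint presents when that name is sent as SNI.
check_served_cert() {
  local host=$1 port=${2:-443} names
  printf 'CNAME: %s\n' "$(dig +short CNAME "$host" | tr '\n' ' ')"
  names=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
  printf 'SANs:  %s\n' "$(printf '%s' "$names" | tr '\n' ' ')"
  # $names is deliberately unquoted so each SAN becomes one argument
  if cert_covers_host "$host" $names; then echo "match: yes"; else echo "match: no"; fi
}

if [ "$#" -ge 1 ]; then
  check_served_cert "$@"
fi
```

Running `./check.sh www.mydomain.com` during the propagation window described above would have shown either no CNAME yet or the old target, with SANs that do not include www.mydomain.com; once the CNAME points at the `herokussl.com` endpoint the served SANs are the ones `heroku certs` lists.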
