We were trying to secure an important customer. They wanted an API to access our data.
My team scrambled to assemble an endpoint. One of my engineers was very gung-ho about stress testing the API. He would throw everything he knew about breaking a system at it.
And then we added SSL.
We immediately saw certificate errors with curl. The API seemed to not work over SSL on our virtual machines and laptops. Chrome on a Mac did work and we were able to access the API through the browser.
We were feeling desperate – we weren’t sure why we couldn’t get our API working. We thought our certificate was to blame. We had a cheap one from GoDaddy so we looked at spending over $2000 for a Verisign certificate. Securing the certificate would’ve taken 10 days to complete. That was not okay because the customer wanted API access within a day or two.
Due to the heavy restrictions from Verisign, we decided to try another certificate. We spent $40 on a cheaper SSL certificate from Namecheap.
That still didn’t work.
I found out I needed to bundle the certificates together while reading a blurb on configuring Nginx for SSL. I’m glad we tried a cheaper solution first. And I’m not familiar with the complete workings of SSL. I thought GoDaddy’s cert was omitted from default installations of OpenSSL, which proved to be an incorrect assumption. I finally made the connection that I had to provide the entire certificate chain.
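The failure mode described above, as an added example that is not from the original post: it builds a throwaway root -> intermediate -> leaf chain locally with openssl (every name, such as "Example Root CA" and api.example.test, is made up for the example) and then runs two verifications that model a client which trusts only the root. An OpenSSL-based client like curl never goes and fetches a missing intermediate, so it can only build a path if the server sends that intermediate along with the leaf; a browser that uses the operating system's verifier, as Chrome on a Mac did, will often fetch the missing intermediate from the AIA URL in the leaf or already have it cached, which is why only the browser worked. The function names (make_chain, client_verifies) are mine, not Nginx's or OpenSSL's.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the "missing
# intermediate" failure with a locally generated chain, then show that serving
# leaf + intermediate as one bundle fixes it. All names and paths are made up.
set -eu

# Minimal openssl config, constructed for this example: a CA extension set for
# the root and intermediate, and an end-entity set for the server (leaf) cert.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.example.test
EOF
}

# Create root.crt, int.crt, leaf.crt (with keys) and fullchain.pem in directory $1.
make_chain() {
    dir=$1
    cnf=$dir/openssl.cnf
    write_openssl_cnf "$cnf"
    # Self-signed root: plays the part of the CA preinstalled in the client's trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cnf" -extensions ca_ext \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA signed by the root: the cert clients lack when only the leaf is served.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$cnf" -extensions ca_ext -out "$dir/int.crt" 2>/dev/null
    # Server (leaf) cert signed by the intermediate, as a public CA would issue it.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -subj "/CN=api.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$cnf" -extensions leaf_ext -out "$dir/leaf.crt" 2>/dev/null
    # The bundle the server should present: leaf first, then each intermediate, never the root.
    cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/fullchain.pem"
}

# Model a client that trusts only the roots in $2 and received the certs in $3
# from the server. Returns 0 if the leaf $1 verifies, non-zero otherwise.
client_verifies() {
    leaf=$1; roots=$2; presented=$3
    openssl verify -CAfile "$roots" -untrusted "$presented" "$leaf" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_chain "$dir"
    # Server sends only the leaf: no path to the root, the error curl reports
    # as "unable to get local issuer certificate".
    if client_verifies "$dir/leaf.crt" "$dir/root.crt" "$dir/leaf.crt"; then
        echo "unexpected: leaf alone verified"
    else
        echo "leaf alone: unable to get local issuer certificate"
    fi
    # Server sends the bundle: the intermediate closes the gap to the trusted root.
    if client_verifies "$dir/leaf.crt" "$dir/root.crt" "$dir/fullchain.pem"; then
        echo "leaf + intermediate bundle: OK"
    fi
    rm -rf "$dir"
}

demo
```

On the Nginx side the fix is to point ssl_certificate at the bundle (leaf first, then the intermediates, not the root) and ssl_certificate_key at the leaf's private key. To check a live endpoint rather than a local chain, openssl s_client -connect host:443 -servername host -showcerts prints every certificate the server actually sent, and curl -v against the URL fails with "unable to get local issuer certificate" whenever an intermediate is missing from that list.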
We saved over $1000 with a $40 experiment. I wouldn’t have known to bundle the certificates together in the first place. I had to stumble around in order to find the solution.
Add one anecdote to the collection of “try a cheaper test first.”
This was a great technical exercise. I learned something new I could share with the engineers. Unfortunately we did not land this customer in time. In retrospect, I don’t think SSL was important enough to worry about if we could communicate to the potential customer the API was up and they could access a limited set of data.