Can’t get your DPS app to talk to your Entitlement Server? Check your SSL Config

When verifying your Entitlement setup during the whitelist process, Adobe does NOT verify that your SSL configuration is functioning properly. If SSL is misconfigured, authorization requests from within the app will fail, saying that the connection could not be established.

If you’ve gotten through the whole Entitlement setup process, yet your app is displaying an error like ‘problem establishing connection to host,’ your SSL configuration should be the first place you look. Most web browsers are a lot more forgiving of ‘partially configured’ SSL setups than DPS is, so it’s likely that your config has been wrong for a while without you ever knowing it.

To troubleshoot any SSL issues, you’ll want to use one of the online SSL config checkers. I recommend the excellent SSL tester that SSL Labs hosts. Just paste in the URL of your Entitlement server and SSL Labs will provide you with a list of any problems you may have.

The most commonly misconfigured aspect of SSL communications revolves around certificate authenticity chains. The basic gist of this is that the vendor you purchased your SSL cert from tells the world that you’re trusted. But how does the world know that your vendor is trusted? There’s another cert that says your vendor is who they say they are, and the browser needs to know where it can find that. How does the world know to trust that cert? There’s another cert, of course. It’s SSL certs all the way down.

In any case, if you’re seeing connection problems between your DPS app and your Entitlement server, it’s likely that the certificate file you’re serving doesn’t include the intermediate certificates needed to build a chain of trust. How do we fix that? Well, we just need to include each step of the chain in our SSL config.

If SSL Labs says one or more certs are missing, make note of the ‘key fingerprint.’ It looks like this:

COMODO RSA Domain Validation Secure Server CA
Fingerprint: 339cdd57cfd5b141169b615ff31428782d1da639

Googling for that CA name and fingerprint will return a page like this one that provides a number of different ways to acquire the missing certificate. You’ll want to download the .pem version. Repeat this for any other missing certificates.

A .pem certificate is really just a base64-encoded block of text between BEGIN CERTIFICATE and END CERTIFICATE markers, and it’s possible to put an entire chain into a single file. So if you open the certificate from your vendor in a text editor and copy its contents, you can paste it into a new file. At the end of this new file, paste the contents of each of the .pem files you downloaded earlier, in the order that SSL Labs complained about them (your private key stays in its own separate file). We now have a single certificate file containing several steps of the trust chain, enough to allow even the strictest checkers to approve.

The last thing to do is configure your webserver to use the newly created “chained” certificate file instead of the one that contains only the certificate your vendor provided. Restart your webserver, re-run the SSL Labs check to confirm the chain is now complete, and your DPS app should happily connect.
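If you want to reproduce what SSL Labs (and the DPS app) is checking without waiting on an online scan, the following added example, which is not part of the original post, builds a throwaway root / intermediate / leaf chain with openssl and shows that verification fails when only the server certificate is presented and succeeds once the intermediate is concatenated into a chained .pem. All names (Demo Root CA, entitlement.example.test, the file names) are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the post): throwaway root -> intermediate -> leaf chain,
# then verify the leaf the way a strict client does (trusting only the root).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway self-signed root CA, constructed for this demo only.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem -days 2 >/dev/null 2>&1

# Intermediate CA signed by the root. It must carry CA:TRUE or openssl
# refuses to accept it as an issuer when building the chain.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.pem -days 2 >/dev/null 2>&1

# Leaf certificate for the (hypothetical) entitlement server, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=entitlement.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 2 >/dev/null 2>&1

# verify_with FILE: trust only the root, and take intermediates solely from FILE,
# which stands in for whatever certificate file the web server is configured to send.
# Prints "ok" when a complete chain to the root can be built, "fail" otherwise.
verify_with() {
  if openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Server cert alone: the issuer cannot be found, so the chain is incomplete.
verify_with leaf.pem        # prints "fail"

# The fix from the post: server cert first, then the intermediate(s), in one file.
cat leaf.pem int.pem > chained.pem
verify_with chained.pem     # prints "ok"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` prints every certificate the server actually sends, so you can see whether the intermediate made it into the deployed chain.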