Tip: StartSSL certificates are not supported by Amazon SNS

edited March 2013 in Using Sendy

I just spent a week working with Amazon AWS support on a problem where my SNS endpoints were stuck in "PendingConfirmation" state. After a handful of days and a fair bit of back-and-forth email, we discovered that the problem had to do with the SSL certificate I'm using for my Sendy installation.

I'm using a wildcard certificate from StartSSL which works great in every browser I've tested, back to IE6, but is apparently not trusted by the Java SSL library that Amazon is using for their SNS service. The result of this is that SNS will not be able to talk to your endpoints if you're using one of these certificates.

Options at this point are a) get a different certificate, or b) not require SSL for your bounces/complaints endpoints. Either of these will fix the problem easily, but it was a real headache figuring this out.

Amazon has a list of supported certificate authorities here:
http://docs.aws.amazon.com/sns/latest/gsg/SendMessageToHttp.https.ca.html

This is not a Sendy problem, but I figure there's a non-zero overlap between people using Sendy (and therefore SNS) and people using StartSSL certificates, so hopefully this post will help anyone else who runs into this.

Comments

  • Thanks @kwilson, I really appreciate you taking the time to help future users who may need this valuable information.

This discussion has been closed.