2014-04-23

Exploring StartSSL - Automated Registration Email

Reading about the decision to no longer include CACert.org in the Debian ca-certificates package (Debian bug 718434, LWN: Debian and CAcert) I was introduced to StartCom's free certificate offering. As I investigated their site I was both intrigued by the free offering and the Web-of-Trust program idea, and put off by the lack of clear or sometimes conflicting information.

For the impatient, the TL;DR version is this:

  1. Sign up first for a free (class 1) certificate by clicking Sign-up For Free in the top left of the site. Everything else is confusing.
  2. Use an email address that doesn't do grey listing, spam filtering, or anything, and that you have access to the logs on (is this service only for "techies"?)
    1. If you do have grey listing or spam filtering that blocks the web page test so they give you big red text telling you you're all wrong, disable it or at least allow from the names and IP addresses in their SPF record. (yes, I guess this service is only for "techies.")
  3. If the form submits without telling you your mail server is wrong but you don't get an email pretty quick, log out (top right corner icon) and try registering again.

If you'd like to learn more of the details or share my pain, read on:

All paths seemed to lead to getting a certificate so I settled on starting with the StartSSL Free (Class 1) certificate since I wasn't sure exactly what the requirements were to get the StartSSL Verified (Class 2) one. After deciding that "Sign Up" and "Express Lane" are the same thing, and seeing that I must fill out the form as an individual, I entered my personal (gmail) address.

This took me to a page asking for me to check my email right away and copy/paste in the code they sent me. Now Gmail is usually very fast about showing new emails, but nothing was there. Not in Important and unread. Not in Everything else, and not even in the Spam folder. Not several minutes later. The page was very insistent that I do not leave or reload it so in a new tab I started searching for answers.

The first answer I came across can be summarized thus "it must be your problem" with no additional suggestions. I have come to identify this as a common communication style from StartCom:
Important! Experience has shown that the failure of email messages not arriving are always the fault of the receiving end. If the wizard confirms to having sent the message, i.e. no error occurred, than the message has been delivered and accepted by your mail server!
 Surely they've had Gmail users do this process before. So strange that it wouldn't work. After all, I wasn't using one of their blacklisted email providers listed on their enrollment page. I decided to try again from a different browser using my work email address, the one that I manage and have access to the server logs on. This is what I learned.

When you click Continue on the enrollment page your server will get hit from one site. In my case it was [212.117.158.94]. If you have gray listing in place (the work server does) and it sends back an error like 450, the web page immediately tells you it couldn't deliver the email. It does mention that the problem could be grey listing among other things, and basically says it's your fault. So you try to open up your grey listing to allow startcom.org through, but that doesn't seem to be enough because for some reason the client name comes through as unknown. (Edit: I had recently upgraded our mail server and I believe the "unknown" issue was a local configuration issue.)

So you add their IP address and then the web page thinks that all is well and sends you to the "wait for it" code confirmation page, but still no email. Why? Probably because the web page just does a test connection. Right after it sends you to the next page another server, [192.116.242.7] in my case, connects (also with client_name=unknown) and gets Greylisted. So I sit here waiting, hoping for a retry, feeling stuck with no help. Back to searching in a new tab.

The second answer I came across also says "it must be your problem" :(
The program always sends the verification code! Do not blame us, if it does not arrive....we do not have control over your mail server and mail account!
 Third time's the charm? Good thing I have three browsers installed. So I checked the SPF (TXT) record for startcom.org and added all of the names and IP addresses listed into my server's client whitelist for greylisting and tried again from the third browser using the work email address. Success! The email made it to my inbox.

I didn't really want to do the certificate in the third-choice browser, so I went to the second browser and pasted the code there. It failed to verify but the failure message told me something I would have loved to have known long before. I didn't copy the exact message, sorry, but basically it said "if it fails, log out and try to sign in again". A "resend this request" button would have been better, but at least now I know that I don't have to stand like a deer in the headlights on the "wait for it" page when things fail.

Now I just have to wait 6 hours for the account to be reviewed, probably because I tried so many times.

Good luck. I may end up dabbling with CACert, Comodo, or retreating to my own self-signed certificates again.

2 comments:

Jacob Anawalt said...

Once I had the initial registration complete, the email validation for my gmail account worked instantly. Too bad that wasn't the case for the initial registration.

Jacob Anawalt said...

The initial registration was very fast, not hours, and a question I asked about documentation requirements for the Web of Trust was responded to quickly by Eddy Nigg. He does a better job running it than I would.