3

I have implemented a servlet to receive sms messages from Twilio; when someone replies to my twilio number. I have configured the server in twilio but I am getting ERROR 11220.

The servelet is in a AWS ec2 instance and is accessible via browser, JMeter. SSL Labs gave the servelet URL A+ rating. Not sure how come twilio can't reach it. I'm at a loss. Any tips on anything I can try would be greatly appreciated. Thanks.

Monir
  • 840
  • 1
  • 10
  • 27
  • Hi, I'm sorry for the slow reply on this. Are you still having issues? Did you contact [Twilio support](https://www.twilio.com/help/contact) at all? – philnash Jun 05 '17 at 08:13
  • Contacted Twilio support but they pointed to SSL Labs failing TLS 1.0 and 1.1 failure. We force TLS 1.2 and they support it but we had bigger fish to fry at the moment so this is on hold. – Monir Jun 05 '17 at 13:36
  • Thanks for the response. I found your ticket in the Twilio support system too. Just one thing, I notice your URL that you use isn't always open to the public. Was it available to Twilio to send webhooks to when you were doing these tests? – philnash Jun 05 '17 at 16:57
  • Yes it was. We have reached out to our vendor who manages the servers for us. They are checking firewall settings but haven been told all looks well. – Monir Jun 05 '17 at 21:26
  • When you come around to working on this feature again, drop me an email at philnash@twilio.com and we'll see if we can get it sorted together. – philnash Jun 05 '17 at 21:59
  • Will do, thank you very much Phil – Monir Jun 06 '17 at 15:09

1 Answers1

1

TL/DR: Install (or have your server management company install) the full certificate chain that you got when you purchased the cert for your domain.

We ran into a similar issue with Twilio while using their faxing service; it gave the same error on callbacks.

More specifically, their event console (https://www.twilio.com/console/debugger) shows: 11200 - HTTP retrieval failure. In the details section it shows:

ErrorMessage: "Failed to fetch fax media from URL ... (Got status 502 trying to download media)"
Twilio_was_unable_to_fetch_content_from: ...
Error: _Connection_reset_by_peer_over_TLS, _assuming_that_this_is_a_handshake_failure
... SSL_Version:_TLSv1_2 URL_Fragment:_true

Twilio likely uses a Java library which, by default, has a set of certificates independent from the operating system's set of certificates.

All major browsers use their operating system's certificates, which is why you can see that the cert is valid in your browser. Services like SSL Labs that properly handle certs can also validate it.

Twilio could fix this by using their operating system's certificates or by keeping their certs up-to-date. Until such a time...

You have to work around the issue by installing the full certificate chain so that they can validate it. When you purchase a cert for your domain, they generally send the plain cert, as well as a full certificate chain bundle with all of the intermediate certificates. Installing the full chain should fix the issue.

James
  • 1,305
  • 11
  • 20