Facebook Deauthorize Callback over HTTPS

醉梦人生 2020-12-21 05:13

I've implemented a Deauthorize Callback for my canvas app. It would appear that Facebook is unable to ping the Deauthorize Callback over https, but it has no problem with h

1 answer
  • 2020-12-21 05:44

    I finally figured out what the problem was with this, and wanted to document it so that other people can benefit from my stupidity.

    My abilities are in software development. I'm not a skilled website administrator. I know just enough to get by. The problem was due to the SSL configuration of my web server.

    When I bought my certificate two years ago, I installed it incompletely. I created and installed a PEM file for my domain, but never configured the web server to know about the certificate authority bundle (sf_bundle.crt in my case).

    The direct consequence of this is, if you access the secure deauth callback from your web browser, and your web browser is configured with all the needed root and intermediate certificates, you will successfully "deauth" the application.

    However, if a web client (such as the Facebook backend computers that ping your deauth callback) tries to access the web server in question and it does not already have all the intermediate certificates available, the SSL handshaking will fail because the client can't authenticate the certificate all the way back to a root CA certificate.

    I hope this makes sense. As I said, web administration is not my strong suit, and I missed a step. If you install the CA bundle in your web server configuration properly, the Facebook backend computer will be able to authenticate your site and successfully ping your deauth callback.

    If anything here is unclear, please don't hesitate to ask. I'll help if I can.

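The failure described in the answer can be reproduced offline with the `openssl` command line. This is an added example, not part of the original answer: it builds a constructed root, intermediate and leaf certificate (all names, including `app.example.test`, are made up) and shows that a client trusting only the root rejects the leaf unless the intermediate is supplied with it.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, key and certificate here is made up.

# new_csr DIR NAME CN: fresh RSA key plus a signing request for subject CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: root CA -> intermediate CA -> server (leaf) certificate.
build_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$d/leaf.ext"
  new_csr "$d" root  "Constructed Root CA"
  new_csr "$d" inter "Constructed Intermediate CA"
  new_csr "$d" leaf  "app.example.test"
  # Root is self-signed; it is the only certificate the client trusts up front.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null
  # Intermediate is signed by the root; its PEM is what a CA bundle file carries.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/ca.ext" -days 1 -out "$d/inter.pem" 2>/dev/null
  # Leaf is signed by the intermediate, never by the root directly.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -extfile "$d/leaf.ext" -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Server sends only its own certificate; the client holds just the root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server also sends the intermediate (untrusted input, as in a TLS handshake).
verify_with_bundle() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work"
if verify_leaf_only "$work"; then echo "leaf only: accepted"; else echo "leaf only: rejected"; fi
if verify_with_bundle "$work"; then echo "leaf + bundle: accepted"; else echo "leaf + bundle: rejected"; fi
rm -rf "$work"
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` prints the certificates the server actually sends, so a missing intermediate shows up as a chain containing only the server certificate.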