Question

We have a PHP platform as client for the AWS SNS service. We use NGINX as a proxy to Apache 2 in the back-end.

This works fine when notifications are sent over port 80 (HTTP). We recently implemented SSL certificates to simulate our production environment better. We made a new subscription with the HTTPS protocol in the AWS SNS console, but the subscription message never hits the PHP back-end. It gets blocked somewhere along the way.

From the NGINX access logs we cannot retrieve any answers. We see the following lines that we suspect are coming from SNS (the IPs resolve to a location inside Amazon's network).

54.240.197.67 - - [10/Feb/2014:10:49:42 +0000] "-" 400 0 "-" "-"
54.240.197.2 - - [10/Feb/2014:10:50:03 +0000] "-" 400 0 "-" "-"
62.75.187.88 - - [10/Feb/2014:10:50:07 +0000] "-" 400 0 "-" "-"
54.240.197.65 - - [10/Feb/2014:10:50:23 +0000] "-" 400 0 "-" "-"
54.240.197.35 - - [10/Feb/2014:10:51:48 +0000] "-" 400 0 "-" "-"
54.240.197.66 - - [10/Feb/2014:10:52:09 +0000] "-" 400 0 "-" "-"
54.240.197.35 - - [10/Feb/2014:10:52:30 +0000] "-" 400 0 "-" "-"
54.240.197.33 - - [10/Feb/2014:10:52:51 +0000] "-" 400 0 "-" "-"

Our NGINX config looks like this:

server {
    listen 443;

    root /var/www/example_dev/public/;
    index index.php index.html index.htm;
    server_name dev.example.com;

    client_max_body_size 20M;

    ssl on;
    ssl_certificate /etc/nginx/ssl/dev.example.com/dev.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/dev.example.com/dev.example.com.key;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/nginx.dev_example_com.access.log;
    error_log /var/log/nginx/nginx.dev_example_com.error.log;

    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    location ~ /\.ht {
        deny all;
    }
}

We have a hunch that the CA of the certificate we use might not be trusted by AWS, but how can you confirm this? (CA: PositiveSSL CA 2; Root CA: AddTrust External CA Root)

Perhaps the problem is in the NGINX config instead?

Thanks in advance!

UPDATE

It seems it is an SSL certificate problem. After adding (concatenating) the CA Root certificate to the domain certificate, SNS notifications could hit the server. However, it hit only the subdomain first listed in the NGINX config. After juggling with the order of domains, I found an error in one of the subdomains lower in the config file. Everything works now. I suspect AWS SNS doesn't look up CA Root certificates if they are not provided.
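The failure described in the update can be reproduced and checked offline. A TLS client such as the SNS delivery service holds only root certificates; if the server sends just its own (leaf) certificate, the client has no way to reach the root through the intermediate CA that actually signed the leaf, aborts the handshake, and nginx logs nothing more than a `400 0 "-"` entry with no request line, which matches the access-log lines shown above. The script below is an added example, not code from the original post or from AWS: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names and the temporary directory are constructed for the demo), shows that a verifier trusting only the root rejects the leaf on its own, shows that it accepts the leaf once the intermediate is supplied alongside it, and writes the concatenated file that `ssl_certificate` should point at. The `served_chain_length` function is a live check against a running server and needs network access.

```shell
#!/bin/sh
# Added example (not from the original post or from AWS): reproduces the
# "missing intermediate" failure offline with a throwaway root -> intermediate
# -> leaf chain, then shows verification passing once the intermediate is
# supplied together with the leaf, which is what the concatenated certificate
# file does for nginx. All names and the temp directory are constructed here.
set -e

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"

# Build root, intermediate and leaf certificates with openssl.
make_chain() {
  # Self-signed root: the trust anchor a client like SNS would already hold.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  # Intermediate CA, signed by the root and explicitly marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" >/dev/null 2>&1
  # Leaf (server) certificate, signed by the intermediate only.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=dev.example.com" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# A client that trusts only the root and receives only the leaf: the situation
# the original ssl_certificate file created. Non-zero exit means rejection.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same trust store, but the intermediate travels with the leaf (-untrusted is
# how openssl models certificates the server sends during the handshake).
verify_leaf_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Produce the file nginx should point ssl_certificate at: leaf first, then the
# intermediate(s). The root itself is not needed; the client already has it.
build_fullchain() {
  cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/fullchain.crt"
  printf '%s\n' "$WORK/fullchain.crt"
}

# Number of PEM certificates in a file; 1 means no chain was concatenated.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Live check against a running server (needs network; not exercised offline):
# prints how many certificates the server actually sends in its handshake.
served_chain_length() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_chain
if verify_leaf_alone; then
  echo "leaf alone: verified (unexpected for a leaf signed by an intermediate)"
else
  echo "leaf alone: rejected, the verifier cannot find the issuer"
fi
if verify_leaf_with_intermediate; then
  echo "leaf + intermediate: verified"
fi
echo "fullchain written to $(build_fullchain), $(count_certs "$WORK/fullchain.crt") certificates"
```

To apply this to the config above, concatenate the domain certificate and the CA bundle supplied with it (leaf first) into one file and point `ssl_certificate` at that file; `ssl_certificate_key` stays unchanged. `served_chain_length dev.example.com` should then report more than one certificate. The `ssl_protocols SSLv3 TLSv1;` line and the `+LOW:+EXP` cipher suites in the posted config are separate from the chain problem, but a client that refuses SSLv3 or export ciphers will also abort the handshake and produce the same empty `400` log lines, so they are worth tightening at the same time.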


Licensed under: CC-BY-SA with attribution