
Attempting to receive SMS from Twilio, Twilio is getting SSL/TLS handshake error

I have implemented a servlet to receive SMS messages from Twilio when someone replies to my Twilio number. I have configured the server in Twilio but I am getting ERROR 11220.

The servlet is on an AWS EC2 instance and is accessible via browser and JMeter. SSL Labs gave the servlet URL an A+ rating. Not sure how come Twilio can't reach it. I'm at a loss. Any tips on anything I can try would be greatly appreciated. Thanks.

Monir asked Dec 05 '25 10:12


1 Answer

TL;DR: Install (or have your server management company install) the full certificate chain that you got when you purchased the cert for your domain.


We ran into a similar issue with Twilio while using their faxing service; it gave the same error on callbacks.

More specifically, their event console (https://www.twilio.com/console/debugger) shows: 11200 - HTTP retrieval failure. In the details section it shows:

ErrorMessage: "Failed to fetch fax media from URL ... (Got status 502 trying to download media)"
Twilio_was_unable_to_fetch_content_from: ...
Error: _Connection_reset_by_peer_over_TLS, _assuming_that_this_is_a_handshake_failure
... SSL_Version:_TLSv1_2 URL_Fragment:_true

Twilio likely uses a Java library which, by default, has a set of certificates independent from the operating system's set of certificates.

All major browsers use their operating system's certificates, which is why you can see that the cert is valid in your browser. Services like SSL Labs that properly handle certs can also validate it.

Twilio could fix this by using their operating system's certificates or by keeping their certs up-to-date. Until such a time...

You have to work around the issue by installing the full certificate chain so that they can validate it. When you purchase a cert for your domain, they generally send the plain cert, as well as a full certificate chain bundle with all of the intermediate certificates. Installing the full chain should fix the issue.

James answered Dec 08 '25 04:12
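
The difference between serving the plain cert and serving the full chain can be reproduced offline. This is an added example, not part of the original answer: it builds a throwaway root, intermediate and leaf with `openssl` (all names, such as `sms.example.test`, are constructed) and verifies each served file the way a client would if it trusts only the root and uses only the certificates the server sends.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); all names are made up.
set -eu
D=$(mktemp -d)
cat > "$D/o.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:sms.example.test
EOF

newkey() {  # newkey <name> <CN>: private key + CSR
  openssl req -new -newkey rsa:2048 -nodes -config "$D/o.cnf" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
sign() {    # sign <name> <extension section> <issuer name>
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$3.pem" -CAkey "$D/$3.key" \
    -CAcreateserial -days 2 -extfile "$D/o.cnf" -extensions "$2" \
    -out "$D/$1.pem" 2>/dev/null
}
build_demo_pki() {
  newkey root "Demo Root CA"
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
    -extfile "$D/o.cnf" -extensions ca_ext -out "$D/root.pem" 2>/dev/null
  newkey int "Demo Intermediate CA"; sign int ca_ext root
  newkey leaf "sms.example.test";    sign leaf leaf_ext int
  cp "$D/leaf.pem" "$D/served_plain.pem"                       # plain cert only
  cat "$D/leaf.pem" "$D/int.pem" > "$D/served_fullchain.pem"   # leaf + intermediate
}
# Model a client whose trust store holds only the root and which does not
# look up missing intermediates: it can use only what the server sent.
client_accepts() {  # client_accepts <PEM file the server sends>
  openssl verify -CAfile "$D/root.pem" -untrusted "$1" "$1" 2>&1 | grep -q ': OK'
}

build_demo_pki
for f in served_plain served_fullchain; do
  if client_accepts "$D/$f.pem"; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the server actually sends, so a response containing only the leaf points to the missing-chain case.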