Answered

Push Subscription Bad Request 400 error

  • August 14, 2024
  • 8 replies
  • 378 views

ahaeger

Hi,

I'm working on registering my app for push subscription and when I run the post request outlined here I receive 400 status and this:

{"message": "Bad Request","errors": [{"resource": "PushSubscription","field": "callback url","code": "not verifiable"}]}

I'm able to get 200 status and the required hub.challenge to return if I hit the callback_url from 1) python requests & 2) curl. Then when I run the post (push subscriptions request) either with Python requests or curl, I receive the above error. Checking my server, I do not receive anything from Strava in this. It's like the callback url is blocked before Strava sends anything to it and I get the above error within 1 second, when it should be waiting 2 seconds for a response.

My server is running a flask api with nginx proxying api calls to the flask server. Could this be causing issues?

Does anyone else have any ideas for what I can check out? I'm operating at a .ai domain. Anything I should be aware of there?

Python:

response = requests.post(url, verify=True)

Curl (same string)


8 replies

ahaeger
  • Author
  • Hub Rookie
  • August 15, 2024

Do any of @Admin13 @Kask_admin @tshirtadmin @Elijahadmin have any suggestions?


ahaeger
  • Author
  • Hub Rookie
  • August 16, 2024

@Elliott11 can you by chance offer any suggestions to my problem?


  • Hub Rookie
  • August 16, 2024

Looks like you're missing the verify_token? Would match up to the error you're getting back. 

 

verify_token
required string
String chosen by the application owner for client security. An identical string will be included in the validation request made by Strava's subscription service.

ahaeger
  • Author
  • Hub Rookie
  • August 16, 2024

Thanks for the note. The verify_token is at the end of the string


  • Hub Rookie
  • August 16, 2024

I'd try something other than STRAVA. I feel like they block that one since it is just the default example. Could be wrong though.  


ahaeger
  • Author
  • Hub Rookie
  • August 17, 2024

Tried something else just now... Still getting the same thing. I fear this has something to do with SSL and my nginx reverse proxy


ahaeger
  • Author
  • Hub Rookie
  • August 18, 2024

For anyone that comes across this in the future... the issue had to do with SSL. I've made a workaround for now and the push_subscription is working (for dev at least). 


ep90
  • Hub Starter
  • Answer
  • April 14, 2026

If your webhook is returning the "not verifiable" error, but your callback URL is reachable in a browser and your code is correct, your server's SSL Root Certificate is likely too new for Strava's bot.

Strava's webhook bot doesn't run in a modern web browser like Chrome or Safari. It runs in backend Linux containers (likely on AWS) that rely on an internal, hardcoded "Trust Store" to know which Certificate Authorities (CAs) are safe.

If you recently installed a certificate from a newer Root CA (like Sectigo Root R46), modern browsers will trust it perfectly and give you an A-grade on SSL Labs. However, Strava's outdated backend containers don't have that newer Root CA in their trust file. When the Strava bot tries to connect to your webhook URL, it says "I don't recognize this issuer," drops the SSL handshake immediately, and throws the generic "not verifiable" error.

The Fixes

You have to give Strava a certificate that its outdated bots actually trust. Here are the three ways to fix it:

Option 1: The Cloudflare Bypass (Fastest & Easiest)

Route your domain through Cloudflare's free tier (DNS & SSL Reverse Proxy). Cloudflare will sit in front of your server and present a universally trusted Edge Certificate to Strava. Strava accepts it, and Cloudflare passes the JSON payload securely to your origin server.

Option 2: Switch to Let's Encrypt

Strava's bot explicitly trusts the Let's Encrypt root authority (ISRG Root X1). If you swap your current SSL certificate for a free Let's Encrypt certificate, the webhook will connect and verify instantly.

Option 3: Cross-Sign Your Current Certificate

If you have to keep your current SSL certificate, you need to install a legacy cross-signed intermediate certificate on your web server (e.g., USERTrust RSA Certification Authority). This acts as a bridge, allowing dumb bots to verify your modern certificate using an older, legacy root that they already trust.
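
The trust-store mismatch this answer describes, and the effect of serving a cross-signed intermediate, can be reproduced offline with OpenSSL. This is an added example, not part of the original post and not Strava's code; the CA names, the host name and both helper functions are constructed for the demo, and the "client" is simply `openssl verify` with the older root as its trust anchor.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: "Demo old root", "Demo new root" and hook.example.test
# are made-up names, not Strava's or any real CA's.
set -eu

make_demo_pki() {   # $1 = empty working directory
  ( cd "$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
      'prompt=no' '[dn]' 'CN=unused' '[v3_ca]' \
      'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' > ca.cnf
    # Two self-signed roots; the client below trusts old.pem but not new.pem.
    for r in old new; do
      openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 \
        -subj "/CN=Demo $r root" -keyout "$r.key" -out "$r.pem"
    done
    # Cross-certificate: the new root's subject and key, issued by the old root.
    openssl req -new -config ca.cnf -key new.key -subj "/CN=Demo new root" \
      -out new.csr
    openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 30 -out cross.pem
    # Leaf for the callback host, issued by the new root.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=hook.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial \
      -days 30 -out leaf.pem
    # Leaf first, then intermediates: the order nginx's ssl_certificate expects.
    cat leaf.pem cross.pem > fullchain.pem
  ) >/dev/null 2>&1
}

# Succeeds if a client that trusts old.pem (and not new.pem) accepts leaf.pem,
# given the extra certificates the server sends ($2; empty means leaf only).
client_accepts() {   # $1 = PKI directory, $2 = file name inside it, or ""
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/old.pem" -untrusted "$1/$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/old.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for sent in "" new.pem cross.pem; do
  if client_accepts "$demo" "$sent"; then verdict=accepted; else verdict=rejected; fi
  echo "server sends leaf + ${sent:-nothing}: $verdict"
done
rm -rf "$demo"
```

To see which certificates a live server actually sends, `openssl s_client -connect <host>:443 -showcerts` prints the served chain in order.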