SSL issues with First Tech Federal Credit Union

daikerjohn

20 Nov, 2018 10:11 PM

Just recently started receiving the dreaded 'No trusted certificate found' from First Tech Federal Credit Union:

A communication or parsing error occurred. This could be the result of a network problem, a proxy error, or misconfigured server.
Error Description: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

I also recently updated from 2017.9 to 2017.10, but I couldn't tell you with 100% certainty if the two are related.

I suspected that FTCU just rolled out new certificates, but the most recent cert for https://ofx.firsttechfed.com/ was issued on June 9th of this year.

Thanks,
John

  1. 1 Posted by Alex Man on 21 Nov, 2018 07:25 AM

    I'm experiencing the same problem. Is there anything we can do to help fix the issue?

  2. Support Staff 2 Posted by Jenny on 21 Nov, 2018 11:35 AM

    Hi John and Alex,

    Sorry to hear about the problems you've encountered.

    I've tested the First Tech FCU connection and can confirm there is a problem. I am investigating the connection problems now. I'll let you know as soon as I have an update, or if there's any useful information you can provide.

    Jenny
    Infinite Kind Support

  3. 3 Posted by Lynn Moyers on 24 Nov, 2018 12:10 AM

    Please add me to the problem group. I've been corresponding with a customer service person at FTCU that has access to the IT department. I sent her a copy of the certificate error message I got while testing.

    Jenny, if you do find a solution please let me know along with Alex and John.

    Thanks.

    Lynn

  4. Support Staff 4 Posted by Jenny on 24 Nov, 2018 09:14 AM

    Hi Lynn, John and Alex,

    I wanted to confirm we're still working to fix this connection problem. We need to load a new certificate into Moneydance to resolve the issues, and this is proving a little trickier than we expected. Sorry for the inconvenience. I will let you know as soon as the connection is functional again.

    Jenny
    Infinite Kind Support

  5. 5 Posted by hillhaus on 24 Nov, 2018 07:28 PM

    Me too

  6. 6 Posted by ormike on 24 Nov, 2018 07:58 PM

    Hi Infinite Kind Support,

    Thank you for working on this problem. It is affecting me as well. You're great!

    -Mike

  7. 7 Posted by salinasv on 24 Nov, 2018 08:18 PM

    Hi all, I didn't find this thread, so I started a new one. I added a few details there, so I'll link to it as reference.
    http://help.infinitekind.com/discussions/online-banking/11445-first...

  8. 8 Posted by Zhuoqing on 25 Nov, 2018 08:05 AM

    Seems as of now we cannot even set up an online account with FirstTech. The wizard finishes without even asking for a password.

  9. 9 Posted by infinitekind on 27 Nov, 2018 03:23 AM

    Adding myself to the thread in the hopes that when Jenny tells us the issue is fixed I will get notified and go download a new version of Moneydance. (And yes, I just realized I didn't need to do this and could have just hit the subscribe button, sigh... next time)

  10. 10 Posted by mattp on 27 Nov, 2018 04:25 PM

    I'm having this problem as well. Is there any update on the resolution of this? Are other finance programs affected by the bad certificate? Or, just Moneydance?

  11. 11 Posted by alan_auerbach on 27 Nov, 2018 06:13 PM

    As far as I can tell, Moneydance is uniquely affected because it does SSL cert validation differently. On Windows, the root cert exists in the Trusted Root Certification Authorities store, so SSL cert validation succeeds -- for finance programs running on Windows that use Windows APIs to perform their HTTP/SSL operations. Moneydance performs its own validation against its own list of certificates. Moneydance's list does not include First Tech's current root cert.
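
Added example, not part of the comment above and not Moneydance's code: the failure mode described in comment 11 (an application validating against its own certificate list while the OS store already has the new root), reproduced with throwaway certificates. The host name `ofx.example.test`, the CN values and all file names are constructed; it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: every key and certificate is generated locally and is throwaway.
set -eu

# Build a tiny PKI in $1: an "old" root, a "new" root, and a server leaf
# signed by the new root (the situation after a server changes root CAs).
make_pki() {
  d=$1
  for name in old new; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=Constructed ${name} root" \
      -keyout "$d/${name}_root.key" -out "$d/${name}_root.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ofx.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 -CAcreateserial \
    -CA "$d/new_root.pem" -CAkey "$d/new_root.key" -out "$d/leaf.pem" 2>/dev/null
}

# Validate leaf $2 against the trust bundle $1; echoes "trusted" or "untrusted".
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"

cp "$work/old_root.pem" "$work/app_bundle.pem"   # application's private list: old root only
cp "$work/new_root.pem" "$work/os_store.pem"     # stand-in for an OS store that has the new root

echo "OS store:            $(check_trust "$work/os_store.pem" "$work/leaf.pem")"
echo "app bundle (before): $(check_trust "$work/app_bundle.pem" "$work/leaf.pem")"

# Application-side fix: ship the new root in the private bundle.
cat "$work/new_root.pem" >> "$work/app_bundle.pem"
echo "app bundle (after):  $(check_trust "$work/app_bundle.pem" "$work/leaf.pem")"
```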

  12. 12 Posted by alan_auerbach on 27 Nov, 2018 06:46 PM

    Also, while adding a cert is trivial, one thing that may be causing complications for the Moneydance engineers (at least it's causing complications for me) is that First Tech seems to have implemented Incapsula as a WAF (Web Application Firewall) at or around the same time as they changed root certs (on or around November 19). Incapsula seems to kick in its DDoS protection pretty easily, leading to HTTP 302 or HTTP 403 responses even after getting through the SSL handshake.

  13. Support Staff 13 Posted by Jenny on 29 Nov, 2018 04:15 PM

    Hi all,

    Unfortunately we still haven't been able to fix this issue, but I can confirm we're working on it and hope to have the connection functional again soon.
    Unfortunately the change required within Moneydance is not a standard certificate update, which we could implement fairly quickly. The change we need to make is more involved and unfortunately it's proving to be a trickier fix than we first thought.

    Our lead developer is aware of the problems, and is aiming to create a temporary patch that will allow the connection within a new preview build of Moneydance - but unfortunately this could take a couple of days. Please accept my sincere apologies for the inconvenience this has caused. I will update you as soon as the connection is functional again.

    If you need to download transactions in the meantime, you can use a web browser to download files from your bank's web site. If your bank offers OFX or QFX files, you should use either of these formats. If not, use the QIF file format. These files can be imported to Moneydance via File --> Import. The steps are outlined in this article.

    Jenny
    Infinite Kind Support

  14. 14 Posted by Bonnie on 29 Nov, 2018 11:20 PM

    Add me to the list. (I couldn't find an option to subscribe to this thread.)

    I was able to export transactions through the FirstTech website as OFX directly into Moneydance, but it didn't appear to have an option for specifying a date range so I got 1000 transactions--ugh. Wasn't too hard to clean that up but I look forward to a real solution soon!

    Thanks!

  15. 15 Posted by hillhaus on 29 Nov, 2018 11:27 PM

    Chris of First Tech support team has asked that Moneydance support contact him. He is at 855-855-8805, option 5, Ext 2440.

  16. 16 Posted by Jim on 01 Dec, 2018 04:34 AM

    Need to be added as well.

  17. 17 Posted by jon.d.slater on 03 Dec, 2018 10:34 PM

    This comment was split into a new private discussion: SSL issues with First Tech Federal Credit Union

    I have been using MoneyDance from its earliest days in Linux. But I can't use it the way it is now.

    I have purchased Quicken because I desperately need to get back on-line with something that works.

    What is the process for returning MoneyDance and requesting a refund?

    Thanks!
    Jon

  18. 18 Posted by daikerjohn on 04 Dec, 2018 10:34 PM

    Can we all get an update on this, Jenny? I know folks will be anxious to have this fixed, and having a periodic update would be helpful to those of us that are less patient than others. :)

  19. 19 Posted by alan_auerbach on 04 Dec, 2018 11:01 PM

    I ended up writing a custom downloader. It's not hard when you have Quicken for a reference implementation, Fiddler (or similar) for HTTP logging, and years of experience writing web client code. :)

    I'm still guessing that Moneydance developers are wrestling with Incapsula's bot classifier (https://www.incapsula.com/blog/how-incapsula-client-classification-challenges-bots.html). Hopefully they're in touch with not only First Tech support, but Incapsula support as well.

  20. 20 Posted by Zhuoqing on 05 Dec, 2018 02:56 AM

    alan_auerbach will you be able to kindly share your custom downloader (with your personal info removed of course)?
    I don't have Quicken for reference so I don't know what HTTP headers Quicken will send and in what order, also not sure what. I wrote a custom Python script which worked a couple of times, but was later believed to be blocked by Incapsula as a bot.

  21. 21 Posted by alan_auerbach on 05 Dec, 2018 03:19 AM

    Well, because it's custom, it's not useful to others. ;)

    Try these headers in this order.

    Accept: */*
    User-Agent: InetClntApp/3.0
    Date: Wed, 05 Dec 2018 03:05:57 GMT
    Content-Type: application/x-ofx
    Host: ofx.firsttechfed.com
    Content-Length: 1572
    Connection: Keep-Alive

  22. 22 Posted by jon.d.slater on 06 Dec, 2018 02:27 AM

    I wonder if this FirstTech message means they're doing something on
    their end:

    Online and Mobile Banking will be unavailable from 10:00pm PT Wednesday,
    12.5.18 until 2:00am PT Thursday, 12.6.18 for scheduled maintenance.
    Thank you for your patience.

  23. 23 Posted by daikerjohn on 06 Dec, 2018 04:49 PM

    Just attempted to sync again this morning without success. It appears whatever their maintenance was last night either A) didn't occur, or B) didn't fix our issue.
    Any update Jenny?

  24. 24 Posted by Zhuoqing on 07 Dec, 2018 06:33 AM

    Thanks a lot alan_auerbach. Now my python script works. https://github.com/Zhuoqing/kmymoney_discover_workaround/commit/161...

    Moneydance may also need to send the same user agent "InetClntApp/3.0" to pass First Tech's Incapsula.

  25. 25 Posted by alan_auerbach on 07 Dec, 2018 08:20 AM

    Yay! I'm glad I was able to help someone! :)

  26. 26 Posted by dwg on 08 Dec, 2018 01:39 AM

  27. 27 Posted by jon.d.slater on 08 Dec, 2018 06:00 PM

    But... Is there a solution you can share with us mere mortals ;-)

  28. 28 Posted by dwg on 08 Dec, 2018 07:46 PM

    Alas, that discussion was public when I copied the link; it has now been made private by someone.

    It basically said that a change had been made to the connection information and to delete and set up a new connection, but someone later reported that it was still reporting a certificate error.

  29. 29 Posted by alan_auerbach on 08 Dec, 2018 10:19 PM

    Yeah, I tried it with a fresh install in a fresh VM (double fresh) and no difference.

  30. 30 Posted by dwg on 09 Dec, 2018 04:56 AM

    Based on what I have seen in the forums I suspect they need both the connection change that has been made and a new certificate.
