Twitter Lead Gen Cards × Marketo: get that SSL cert right

Marketo users GÓM and CZ were sure they'd followed the old Marketo-Twitter integration guide correctly, but were still seeing somewhat opaque validation errors from Twitter. ​​​​​​

For those who don't know, Lead Generation Cards are essentially short forms that live within an expanded Tweet. They're pre-filled with the lead's full name, email address, and @username — all great info to have in Marketo, needless to say — and the lead only needs to click a CTA button to automatically have that info posted to Marketo (note the form post goes from Twitter's servers to your Marketo instance, not from the app/browser to your instance).

I worked with CZ offline and set her card's post URL to my debug server instead of to Marketo, and it worked fine. I then set up my server to proxy all requests directly to Marketo (not making any changes to the request) and that worked fine, too. Hmm.

So I looked a a little deeper. We know Twitter requires an HTTPS URL (though they didn't at the time the guide was written) and we're giving them the Marketo HTTPS endpoint. But what if we're not giving them the right kind of HTTPS setup? What if their SSL stack requires something... more?

Here's a peek inside my debug server's SSL cert:

And a peek inside Marketo's:

Yeah, that's different! Marketo's cert doesn't include the cert chain. But mine does. When you access *.marketo.com from a full-fledged browser, the missing certs aren't going to make a difference, since they'll be merged in from the browser's (or OS's) certificate database:

But in a server-side SSL client that may not have a preloaded cert bundle, it's broken:

While Twitter's technology remains a black box so I can't be completely sure, my takeaway is that Twitter's back end (which does the POST to Marketo) requires the entire cert chain.

So what's the solution? For CZ, it was to run her requests through a little proxy server I put up in the cloud (on AWS CloudFront) for her use. If you're interested, I could set that up for you as well. In order to post directly to Marketo, until they adjust their own setup, you'd have to enable SSL on your Marketo Landing Page domain (which I strongly recommended anyway) and then make sure to provide Marketo with a cert that includes the whole chain.