SSL certificate chain borked

RealLarry · Post by **RealLarry** » Wed Jun 17, 2020 6:00 am

I'm getting SSL warnings everytime I access the RSS feeds, which is saying that it (the RSS reader, KDE's akgregator) won't trust the certificate of atari-forum.com
When checking the complete SSL settings, chains etc, SSL Labs confirms that something is borked. See https://www.ssllabs.com/ssltest/analyze ... Results=on

LynXX · Post by **LynXX** » Wed Jul 29, 2020 5:29 pm

Same for me, although worse because Feedly completely refuses to load the feeds because of this. I did not realize until a few days I was surprised to not have seen anything from the forum feeds since a while...

The certificate was renewed in May, something presumably changed in the configuration. Can it be fixed? I can assist if needed I'm familiar with the topic.

Thanks,

Nico

Zippy · Post by **Zippy** » Wed Jul 29, 2020 5:36 pm

I use ighome (replacement for the old Igoogle if anyone remembers that?) for various RSS feeds and recently every one stopped worked via https from Chrome , I switched to just accessing ighome with http and they all worked again.

The https connection still works to ighome via Opera browser , so appears there is some recent, general problem with https RSS feeds via Chrome.

Logistics · Post by **Logistics** » Tue Nov 17, 2020 2:20 pm

Could it be that this website does not adopt the https security protocol? If it is the http protocol, there will be a security risk prompt when you visit.

Post by **simonsunnyboy** » Tue Nov 17, 2020 4:13 pm

The protocol is working correctly as seen in my Chrome. You have to accept the certificate or leave if you think that is a problem. The protocol itself is established and running.

Bildschirmfoto_2020-11-17_17-13-19.png

arf · Post by **arf** » Thu Nov 19, 2020 11:03 pm

Several test suites say that the cert chain of atari-forum is incomplete. E.g.: https://www.ssllabs.com/ssltest/analyze ... -forum.com
“This server's certificate chain is incomplete. Grade capped to B.”
`sslyze` says: “Certificate is NOT Trusted: unable to get local issuer certificate”

AnthonyJ · Post by **AnthonyJ** » Fri Nov 20, 2020 9:17 am

It would seem that the issue probably relates to the certificate "GeoTrust RSA CA 2018", which is used to sign the atari-forum.com certificate. I don't believe the webserver is providing this certificate, although it does provide a reference to where it can be obtained.

SSLLabs.com seem to prefer that to be provided by the server along with the certificate, even though the certificate has a working URL to download the certificate. They do however even confirm the validity of it back to a trusted root certificate via the external download (click the "click here to expand" button underneath certificate paths and you'll see it marking in orange "external download"), so it seems a bit harsh to be complaining about this as they do successfully validate the whole chain.

Firefox seems quite happy to follow the external URL reference to verify the certificate chain for me, but perhaps not all SSL implementations can follow the "Authority Info" location to locate the rest of the certificate chain?

Atari-Forum

SSL certificate chain borked

SSL certificate chain borked

Re: SSL certificate chain borked

Re: SSL certificate chain borked

Re: SSL certificate chain borked

Re: SSL certificate chain borked

Re: SSL certificate chain borked

Re: SSL certificate chain borked