SSL certificate chain borked

RealLarry
Captain Atari
Posts: 154
Joined: Sat Jan 31, 2015 12:05 pm
Location: San Junipero

SSL certificate chain borked

Post by RealLarry »

I'm getting SSL warnings every time I access the RSS feeds, which say that it (the RSS reader, KDE's Akregator) won't trust the certificate of atari-forum.com.
When checking the complete SSL settings, chains etc, SSL Labs confirms that something is borked. See https://www.ssllabs.com/ssltest/analyze ... Results=on
On the other side of the screen, it all looks so easy.
LynXX
Atari freak
Posts: 58
Joined: Wed Jul 19, 2017 3:15 am
Location: Bern, Switzerland

Re: SSL certificate chain borked

Post by LynXX »

Same for me, although worse because Feedly completely refuses to load the feeds because of this. I did not realize until a few days ago, when I was surprised not to have seen anything from the forum feeds for a while...

The certificate was renewed in May; something presumably changed in the configuration. Can it be fixed? I can assist if needed, I'm familiar with the topic.

Thanks,

Nico
Zippy
Captain Atari
Posts: 225
Joined: Sun Feb 01, 2004 1:58 am

Re: SSL certificate chain borked

Post by Zippy »

I use ighome (a replacement for the old iGoogle, if anyone remembers that?) for various RSS feeds, and recently every one stopped working via https from Chrome. I switched to just accessing ighome with http and they all worked again.

The https connection to ighome still works via the Opera browser, so it appears there is some recent, general problem with https RSS feeds via Chrome.
Logistics
Atarian
Posts: 1
Joined: Sat Nov 14, 2020 4:00 am

Re: SSL certificate chain borked

Post by Logistics »

Could it be that this website does not adopt the https security protocol? If it is the http protocol, there will be a security risk prompt when you visit.
simonsunnyboy
Moderator
Posts: 5253
Joined: Wed Oct 23, 2002 4:36 pm
Location: Friedrichshafen, Germany

Re: SSL certificate chain borked

Post by simonsunnyboy »

The protocol is working correctly as seen in my Chrome. You have to accept the certificate or leave if you think that is a problem. The protocol itself is established and running.
Simon Sunnyboy/Paradize - http://paradize.atari.org/

Stay cool, stay Atari!

1x2600jr, 1x1040STFm, 1x1040STE 4MB+TOS2.06+SatanDisk, 1xF030 14MB+FPU+NetUS-Bee
arf
Captain Atari
Posts: 219
Joined: Thu May 17, 2012 9:56 pm
Location: Germany

Re: SSL certificate chain borked

Post by arf »

Several test suites say that the cert chain of atari-forum is incomplete. E.g.: https://www.ssllabs.com/ssltest/analyze ... -forum.com
“This server's certificate chain is incomplete. Grade capped to B.”
`sslyze` says: “Certificate is NOT Trusted: unable to get local issuer certificate”
AnthonyJ
Atari freak
Posts: 73
Joined: Sat Jan 26, 2013 8:16 am

Re: SSL certificate chain borked

Post by AnthonyJ »

It would seem that the issue probably relates to the certificate "GeoTrust RSA CA 2018", which is used to sign the atari-forum.com certificate. I don't believe the webserver is providing this certificate, although it does provide a reference to where it can be obtained.

SSLLabs.com seem to prefer that to be provided by the server along with the certificate, even though the certificate has a working URL to download the certificate. They do however even confirm the validity of it back to a trusted root certificate via the external download (click the "click here to expand" button underneath certificate paths and you'll see it marking in orange "external download"), so it seems a bit harsh to be complaining about this as they do successfully validate the whole chain.

Firefox seems quite happy to follow the external URL reference to verify the certificate chain for me, but perhaps not all SSL implementations can follow the "Authority Info" location to locate the rest of the certificate chain?
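
The incomplete-chain failure reported in the last two posts can be reproduced offline. The script below is an added example, not part of any post in this thread: it builds a constructed root, intermediate and leaf (all names and the AIA URL are made up, and the `openssl` command-line tool is assumed to be installed), then validates the leaf the way a client that does not download the issuer from the "Authority Info" URL would, first without and then with the intermediate.

```bash
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. All names and the AIA URL are made up.
set -eu
AIA=http://ca.example.invalid/intermediate.crt

mkcert() {  # mkcert DIR NAME CN EXTENSIONS [ISSUER]; self-signed if ISSUER is omitted
  local d="$1" n="$2" cn="$3" ext="$4" issuer="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$d/$n.ext"
  if [ -n "$issuer" ]; then
    openssl x509 -req -in "$d/$n.csr" -days 2 -extfile "$d/$n.ext" \
      -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial \
      -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -days 2 -extfile "$d/$n.ext" \
      -signkey "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_pki() {  # build_pki DIR
  mkcert "$1" root "Example Root CA" 'basicConstraints=critical,CA:TRUE'
  mkcert "$1" int "Example Intermediate CA" 'basicConstraints=critical,CA:TRUE' root
  mkcert "$1" leaf "forum.example" "basicConstraints=critical,CA:FALSE
authorityInfoAccess=caIssuers;URI:$AIA" int
}

# The URL a client would have to fetch the missing intermediate from.
aia_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI:\([^ ]*\).*/\1/p'
}

# verify_chain DIR [FILE]: validate the leaf against a trust store that holds only
# the root. FILE stands for the extra certificates the server sent with the leaf.
# openssl verify never downloads from the AIA URL, so a missing FILE is fatal.
verify_chain() {
  local d="$1" sent="${2:-}"
  openssl verify -CAfile "$d/root.pem" ${sent:+-untrusted "$sent"} "$d/leaf.pem" 2>&1 || true
}

work=$(mktemp -d)
build_pki "$work"
echo "AIA caIssuers in leaf: $(aia_url "$work/leaf.pem")"
echo "--- server sends leaf only:";           verify_chain "$work"
echo "--- server sends leaf + intermediate:"; verify_chain "$work" "$work/int.pem"
```

The first check fails with the same "unable to get local issuer certificate" message quoted from `sslyze` above, and the second passes. On a real server the equivalent of the second case is configuring it to send the intermediate certificate together with the leaf.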