Untrusted certificate?

25 views
Skip to first unread message

Jason Olshefsky

unread,
Oct 15, 2012, 11:29:15 AM10/15/12
to roches...@googlegroups.com
I'm using Camino 2.1.2 (Mozilla-based) on Mac OSX and get a stern warning that the SSL certificate for rocwiki.org is not trusted. It's issued by "PositiveSSL CA 2" and expires "October 14, 2014 19:59:59  EDT". Adding an exception apparently takes me to the site. I'm assuming the certificate is actually correct, but I'll refrain from logging in again (thanks(?) cookies).

It would be nice if the plain http://rocwiki.org were still permitted for those squeamish about adding an exception.

---Jason Olshefsky

Chris Olin

unread,
Oct 15, 2012, 11:37:43 AM10/15/12
to Jason Olshefsky, roches...@googlegroups.com, Ryan Tucker
I just visited it using Firefox 15 on Windows XP and didn't receive an exception. I was on it yesterday from home also using Firefox 15 on Arch Linux and didn't receive an exception.

I just eyed the certificate and didn't notice anything wrong with it or the intermediate. Ryan, do you have any input?



---Jason Olshefsky

--
For options, view full headers. See also http://groups.google.com/group/rochesterwiki

Damian Kumor

unread,
Oct 15, 2012, 11:43:33 AM10/15/12
to Chris Olin, Jason Olshefsky, roches...@googlegroups.com, Ryan Tucker
Do you have our issuer in your trusted CA store?

Sent from my iPhone, typos are numerous and hilarious

Chris Olin

unread,
Oct 15, 2012, 11:52:22 AM10/15/12
to Damian Kumor, Jason Olshefsky, roches...@googlegroups.com, Ryan Tucker
I don't have access to a Mac right now, nor can I find a list of trusted CA's that come with Camino. Damian is likely on to something.

Jason Olshefsky

unread,
Oct 15, 2012, 12:11:23 PM10/15/12
to roches...@googlegroups.com, Damian Kumor, Jason Olshefsky, Ryan Tucker
On Monday, October 15, 2012 11:52:47 AM UTC-4, Chris Olin wrote:
I don't have access to a Mac right now, nor can I find a list of trusted CA's that come with Camino. Damian is likely on to something.

I couldn't find anything concrete, but there is an old thread where Mozilla trusted far fewer CA's than other browsers. It's a frustrating experience sometimes to use Camino, but I guess I'd rather be reminded occasionally how stupidly fragile ssl really is ...

As long as the certificate is correct, carry on. Nothing to see here. (I may add a reminder in my calendar that this is going to happen again in 2 years! :-) )

---Jason

Ryan Tucker

unread,
Oct 15, 2012, 1:59:49 PM10/15/12
to Jason Olshefsky, roches...@googlegroups.com
Yup, the certificate was rolled this weekend, with a new issuer.  Alas, it is a chained certificate and I did not provide the certificate chain to the web server(*).  It tested fine with Chrome on Linux, but it does also trip out Firefox on WinXP.  Rats.

The certificate is otherwise legit.  This will be fixed as soon as I get home tonight.  Thanks for the heads up!  -rt

(*) nginx will freak all the way out when I forget to do this, but lighttpd apparently doesn't

On Mon, Oct 15, 2012 at 11:29 AM, Jason Olshefsky <goog...@jayceland.com> wrote:


---Jason Olshefsky

--
For options, view full headers. See also http://groups.google.com/group/rochesterwiki



--
Ryan Tucker <rtu...@gmail.com>

Ryan Tucker

unread,
Oct 15, 2012, 6:17:19 PM10/15/12
to Jason Olshefsky, roches...@googlegroups.com
All should be well now -- the web server is offering the intermediate certificate as it should, and (my) Firefox is no longer shooting sparks.  -rt
--
Ryan Tucker <rtu...@gmail.com>
Reply all
Reply to author
Forward
0 new messages