Certum Trusted Network CA 2 missing for a reason?


basi...@gmail.com

Jan 28, 2019, 12:38:42 PM
to mozilla-de...@lists.mozilla.org
Hi.
On various Linux distros I'm unable to access a certain site secured with "Certum Domain Validation CA SHA2". In particular, on Arch Linux the trusted bundle comes from:

https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_41_1_RTM/src/nss-3.41.1.tar.gz

and it does not contain this. Chrome on Ubuntu works, but Firefox and command line tools fail.

Is it missing by mistake or for a reason?

wget https://lk.peterburgregiongaz.ru
--2019-01-28 12:00:44-- https://lk.peterburgregiongaz.ru/
Resolving lk.peterburgregiongaz.ru (lk.peterburgregiongaz.ru)... 109.120.162.59
Connecting to lk.peterburgregiongaz.ru (lk.peterburgregiongaz.ru)|109.120.162.59|:443... connected.
ERROR: cannot verify lk.peterburgregiongaz.ru's certificate, issued by ‘CN=Certum Domain Validation CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL’:
Unable to locally verify the issuer's authority.

Kathleen Wilson

Jan 28, 2019, 12:50:17 PM
to basi...@gmail.com
"Certum Domain Validation CA SHA2" is an intermediate cert, that chains
up to the "Certum Trusted Network CA" root cert that is included in NSS.
NSS includes root certs / trust anchors (so not usually intermediate
certs).

Websites are expected to serve up the intermediate cert(s) along with
their TLS cert. The site https://lk.peterburgregiongaz.ru/ is only
serving up the TLS cert.

Other than that, I do not see any problem with the TLS cert:
https://crt.sh/?id=655675810

And the intermediate cert looks fine too -- just needs to be served up
by the webserver.
https://crt.sh/?id=5623969

Hope that helps.

Kathleen
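
The situation discussed in this thread, reproduced offline as an added example that is not part of the original posts: a trust store holding only the root, a server that sends only its leaf certificate, and the same server after it also sends the intermediate. The CA and host names are made up, and `issue` and `served_chain_verifies` are hypothetical helpers built on the `openssl` command line.

```shell
#!/bin/sh
# Added example. Constructed three-tier test PKI; all names are made up.
set -e

# issue DIR NAME CN EXT [ISSUER]: make a key and CSR for CN, then self-sign
# (no ISSUER) or sign with ISSUER's key. EXT is the basicConstraints value.
issue() {
  ( cd "$1"
    printf 'basicConstraints=critical,%s\n' "$4" > "$2.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
      -keyout "$2.key" -out "$2.csr" 2>/dev/null
    if [ -z "${5:-}" ]; then
      openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 2 \
        -extfile "$2.ext" -out "$2.pem" 2>/dev/null
    else
      openssl x509 -req -in "$2.csr" -CA "$5.pem" -CAkey "$5.key" \
        -CAcreateserial -days 2 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
    fi )
}

# served_chain_verifies DIR FILE...: FILEs are the certificates the server
# sends, leaf first. They are untrusted helpers for path building; only
# root.pem is trusted, mirroring a roots-only store such as NSS.
served_chain_verifies() {
  dir=$1; shift
  : > "$dir/served.pem"
  for c in "$@"; do cat "$dir/$c" >> "$dir/served.pem"; done
  openssl verify -no-CApath -CAfile "$dir/root.pem" \
    -untrusted "$dir/served.pem" "$dir/$1" >/dev/null 2>&1
}

PKI=$(mktemp -d)
issue "$PKI" root "Example Root CA" CA:TRUE
issue "$PKI" int "Example Intermediate CA" CA:TRUE root
issue "$PKI" leaf "www.example.test" CA:FALSE int

# Misconfigured server, as in this thread: leaf only.
if served_chain_verifies "$PKI" leaf.pem; then echo "leaf only: OK"
else echo "leaf only: FAIL (issuer not found locally)"; fi
# Corrected server: leaf plus intermediate.
if served_chain_verifies "$PKI" leaf.pem int.pem; then echo "leaf+intermediate: OK"
else echo "leaf+intermediate: FAIL"; fi
```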