
Wikibooks SSL certificate fails to validate (due to "Certificate Subject Alt Name"s?)
Closed, Resolved · Public

Description

URL: https://zh.wikibooks.org/w/index.php?title=Special:用户登录&returnto=Wikibooks%3A首页&returntoquery=&fromhttp=1
Browser: Google Chrome 29.0.1547.66
OS: Microsoft Windows XP [5.1.2600]


Version: wmf-deployment
Severity: normal

Details

Reference
bz54457

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 2:10 AM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz54457.
bzimport added a subscriber: Unknown Object (MLST).

Created attachment 13350
Received SSL cert


How would I realize if it does not validate? Google Chrome says "Identity verified" when clicking on the locker icon in the URL bar.

(In reply to comment #2)

How would I realize if it does not validate? Google Chrome says "Identity verified" when clicking on the locker icon in the URL bar.

It doesn't say so for me on that computer. You may need to use the same OS to reproduce it.

This is a certificate that has common name *.wikipedia.org, but it has a lot of "Certificate Subject Alt Name"s. So in a browser, in certificate details, you need to go to that section and you'll see all these. I'm just pasting the beginning to show wikibooks.org is in it.

DNS Name: *.wikipedia.org
DNS Name: wikipedia.org
DNS Name: m.wikipedia.org
DNS Name: *.m.wikipedia.org
DNS Name: wikibooks.org
DNS Name: m.wikibooks.org
DNS Name: *.wikibooks.org
DNS Name: *.m.wikibooks.org
...

and more ..

So I guess there must be some old browsers which don't look at the alt names but just the main CN and then throw warnings, while it isn't a problem for most users.

Do you actually get a browser warning? What does that look like? The cert file you uploaded also includes wikibooks.
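To make the CN-versus-SAN point above concrete, here is an added example (not code from the thread or from Wikimedia) that matches a hostname against the names quoted in the comment, both the way a SAN-aware client does it and the way a legacy client that only reads the Common Name would. The SAN list is constructed from the entries pasted above; the matching rules follow RFC 6125 (wildcard only as the whole leftmost label, matching exactly one label).

```python
# Added example: hostname matching against a certificate's CN and SAN list.
# CN and SAN_DNS are constructed from the names quoted in the bug thread.

CN = "*.wikipedia.org"
SAN_DNS = [
    "*.wikipedia.org", "wikipedia.org", "m.wikipedia.org", "*.m.wikipedia.org",
    "wikibooks.org", "m.wikibooks.org", "*.wikibooks.org", "*.m.wikibooks.org",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match.

    A '*' is only honoured as the entire leftmost label and matches exactly
    one label, so '*.wikibooks.org' covers 'zh.wikibooks.org' but not
    'zh.m.wikibooks.org'. Matching is case-insensitive; a trailing dot is ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False  # wildcard must be the whole leftmost label and nowhere else
    if len(plabels) < 3:
        return False  # refuse overly broad wildcards such as '*.org'
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def validate_hostname(hostname: str, cn: str, san_dns: list, san_aware: bool = True):
    """Return the certificate name that matched the hostname, or None.

    A SAN-aware client consults only the dNSName entries when the extension is
    present; a legacy client (san_aware=False) looks at the CN alone, which is
    why such a client rejects zh.wikibooks.org on a cert whose CN is *.wikipedia.org.
    """
    candidates = san_dns if (san_aware and san_dns) else [cn]
    for name in candidates:
        if dns_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ("zh.wikibooks.org", "zh.m.wikibooks.org", "zh.wikipedia.org"):
        print(host, "SAN-aware:", validate_hostname(host, CN, SAN_DNS),
              "CN-only:", validate_hostname(host, CN, SAN_DNS, san_aware=False))
```

On a live connection the same dNSName list is what `ssl.SSLSocket.getpeercert()` returns under `subjectAltName`, so a modern client never needs the CN to accept zh.wikibooks.org.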

(In reply to comment #4)

So I guess there must be some old browsers which don't look at the alt names but just the main CN and then throw warnings, while it isn't a problem for most users.

On that computer, the reported error was "issuer not trusted".

(In reply to comment #6)

On that computer, the reported error was "issuer not trusted".

In that case it sounds like it is missing the root and/or intermediate cert of the CA, which in this case is DigiCert.

You could go to:

https://www.digicert.com/digicert-root-certificates.htm

and download them and install in your browser.

It should be 2 of them, "DigiCert High Assurance CA-3" (in the "intermediate cert" section), plus the "DigiCert High Assurance EV Root CA". Your browser should offer some install dialog when you hit download.

That should make it trust the issuer.

(In reply to comment #7)

(In reply to comment #6)

On that computer, the reported error was "issuer not trusted".

In that case it sounds like it is missing the root and/or intermediate cert of the CA, which in this case is DigiCert.

You could go to:

https://www.digicert.com/digicert-root-certificates.htm

and download them and install in your browser.

It should be 2 of them, "DigiCert High Assurance CA-3" (in the "intermediate cert" section), plus the "DigiCert High Assurance EV Root CA". Your browser should offer some install dialog when you hit download.

That should make it trust the issuer.

Well that's not "my browser" or "my computer". I saw this on some public computer, and wondered whether this also happens on other OS / browsers in their default states.

As far as I know all the popular OS / browser combinations ship with the necessary root certificate. So it should not happen in the default state. It is expected that when the root we use is disabled or deleted then one gets a warning or error.

I suspect that happened on that computer. You could check if the root is there under (from Chromium on Linux, hope this is similar for Chrome on Windows) Settings -> HTTPS/SSL: Manage certificates -> Authorities: Digicert Inc: DigiCert High Assurance EV Root CA. It should not say untrusted next to it and when you click the edit button "Trust this certificate for identifying websites." should be checked. (Most likely that was unchecked by another user.)

Do you want to follow up on this on that public computer or one that has the same problem?

If you find a configuration where that root is enabled and it doesn't work, please open a new ticket. If you find an OS / browser combination that doesn't ship with this root or has it disabled by default, please also report it.

fgiunchedi claimed this task.

Resolving this for now as there's no activity and no clear action; feel free to reopen, of course.