intermittent bad cert in the chain #3278
Comments
Where are you seeing this, @clone1018? In Chrome I have the "does not have public audit records" message if I drill down, but the address bar is still locked green. Opera is green. Firefox is locked gray.
Version 42.0.2311.39 beta (64-bit), which should be the next stable.
@clone1018 Are you sure the warning you're seeing is due to the audit records issue? That was also present on #3160 but wasn't why we were getting a broken lock.
What else do you want me to look for, @whit537?
@clone1018 When you click "Certificate information" what do you see? Below is what I see. The problem on #3160 was that the signature algorithm was SHA-1 instead of SHA-256.
I'm on
Closing because not reproducible with a stable version of Chrome. Reopen if it happens once 42 is stable.
I'm still on a dev build (45), but I tracked down the issue to a SHA-1 StartCom SSL certificate somewhere in the chain. Here is a screenshot of the StartCom SSL certificate in the chain with SHA-1 as the signature algorithm: This cert (StartCom) is valid till
I am guessing that this is a configuration issue on Heroku's side?
@captn3m0 Why do you think it's Heroku? Sounds like a StartCom/Chrome interaction to me.
I was guessing it must be a misconfiguration issue on Heroku's side because that intermediary cert is clearly wrong. I was thinking it might be using an old cert config, but that seems unlikely as well.
I haven't ever used Heroku custom SSL, so I don't really know much here.
I believe we are responsible for uploading the intermediate certificate bundle to Heroku. I guess we're using an out-of-date chain?
It looks like the expiration timestamps differ as well.
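The two things the thread is checking by hand in the browser's certificate viewer, the signature algorithm of each certificate in the chain and whether the validity windows line up, can be checked on the intermediate bundle itself before it is uploaded. The script below is an added example, not code from this issue or from the Gratipay project. It uses only the Python standard library: a small DER walker pulls the signatureAlgorithm OID and the validity dates out of each certificate in a PEM bundle and flags SHA-1/MD5 signatures and expiry. The bundle it runs on is constructed test data (structurally valid but unsigned certificate skeletons with made-up dates), so it runs offline; point `audit_bundle` at a real bundle file to use it on your own chain.

```python
"""Flag SHA-1/MD5 signatures and expiry problems in a PEM certificate bundle.

Added example (not from the issue thread). Standard library only; the sample
bundle at the bottom is constructed, unsigned test data.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 with continuation bit
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _decode_time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), both 'Z'."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 is 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_cert(der):
    """Return the outer signature OID and validity window of one DER certificate."""
    _, cert_start, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)     # tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)              # signatureAlgorithm
    _, oid_start, oid_end = _tlv(der, alg_start)      # its OID
    sig_oid = _decode_oid(der[oid_start:oid_end])
    pos = tbs_start
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                   # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                                # serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, val_start, _ = _tlv(der, pos)                  # validity SEQUENCE
    tag_nb, nb_s, nb_e = _tlv(der, val_start)
    tag_na, na_s, na_e = _tlv(der, nb_e)
    return {"sig_oid": sig_oid, "sig_name": SIG_ALG_NAMES.get(sig_oid, sig_oid),
            "not_before": _decode_time(tag_nb, der[nb_s:nb_e]),
            "not_after": _decode_time(tag_na, der[na_s:na_e])}


def audit_bundle(pem_text, now):
    """Return [(index, sig_name, [problems])] for every certificate in the bundle."""
    findings = []
    for i, block in enumerate(PEM_RE.findall(pem_text)):
        info = parse_cert(base64.b64decode(re.sub(r"\s+", "", block)))
        problems = []
        if info["sig_oid"] in WEAK_SIG_OIDS:
            problems.append("weak signature algorithm: " + info["sig_name"])
        if now > info["not_after"]:
            problems.append("expired " + info["not_after"].date().isoformat())
        if now < info["not_before"]:
            problems.append("not yet valid")
        findings.append((i, info["sig_name"], problems))
    return findings


# --- constructed sample bundle: hypothetical, unsigned certificate skeletons ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_cert_pem(sig_oid, not_before, not_after):
    """Minimal Certificate structure with empty names and a dummy signature."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    _fake_cert_pem("1.2.840.113549.1.1.11", "150601000000Z", "160601000000Z")  # leaf
    + _fake_cert_pem("1.2.840.113549.1.1.5", "071024000000Z", "171024000000Z")  # SHA-1 intermediate
    + _fake_cert_pem("1.2.840.113549.1.1.11", "060917000000Z", "360917000000Z")  # root
)


def demo(year=2015, month=7, day=10):
    """Audit the constructed bundle as of a given date (default: this thread's date)."""
    return audit_bundle(SAMPLE_BUNDLE, datetime(year, month, day, tzinfo=timezone.utc))


if __name__ == "__main__":
    for idx, name, problems in demo():
        print(f"cert[{idx}] {name}: {', '.join(problems) or 'ok'}")
```

Only the outer `signatureAlgorithm` is reported, which is the field a browser's certificate viewer labels "Signature algorithm" and the one that matters for the SHA-1 deprecation; a SHA-1 signed intermediate is flagged even while its dates are still valid, which is exactly the case the thread hit.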
Yes, I'm seeing green here as well for now. But once every few weeks this On Fri 10 Jul, 2015 06:03 Chad Whitacre [email protected] wrote:
If this is indeed parallel to #1512 and #2586, then I interpret this bug as a result of leaky abstraction. We have so very little hope of getting to the bottom of this, because it seems to be a bug somewhere in AWS, and we're insulated even from that by Heroku. To my way of thinking, the way to resolve this class of bugs is to port to an architecture that we control more directly.
Yeah. Maybe file a support ticket with Heroku?
@captn3m0 One thing to check: do you have any StartCom root certificates in your system certificate chain? You might see two with the common name "StartCom Certification Authority", one as SHA-1 and the other as SHA-256. I'm not sure which OS you are on, but I'm trying to find out if this post from the Chrome team is related. This certificate is issued under the SHA-1 root, so maybe it takes that to mean insecure. On Chrome 45/OSX I can't reproduce, so I wonder if it might be related to your OS certs from this clause:
I do have 3 StartCom certs in my system certificate chain. I'm on Arch Linux. Only one of the 3 certs is a SHA-1 cert, but it's not the one being referenced above. (All 3 have CA=true.) The one breaking the SSL is a SHA-1 intermediate cert.
Ok, after much digging around (using the cert's name) I think I have understood the issue.
It makes perfect sense in my case because I'm very reluctant to clear my browser cache. I copy my Chrome profile over OS re-installs. This thread on the StartCom forums also has others facing the same issue. Closing this issue as we can't really do anything about it for now.
Good debugging, @stevo550 @captn3m0, thanks.