Page MenuHomePhabricator

DigiCert High Assurance EV Root CA is not trusted by IE8
Closed, InvalidPublic

Description

This is the root cert used by *.wikipedia.org and when I'm browsing Wikipedia on a public computer (or say, just a terminal) it complains about this.

Internet Explorer 8, version 8.0.6001.18702
Windows Server 2003, version 5.2 (3790.srv03_sp2_gdr.101019-0340)


Version: unspecified
Severity: normal

Details

Reference
bz33657

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 12:07 AM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz33657.
bzimport added a subscriber: Unknown Object (MLST).

Created attachment 9840
cert

Attached:

The attached cert is the one in question (the one IE8 complains about).

Flagging this for Ops

Which URL are you hitting where it complains?

works for me on en.wikipedia.org ... so, yes, a URL would help

works for me on en.wikipedia.org with IE8 v 8.0.6001.19170 ... so, yes, a URL would help

(In reply to comment #5)

works for me on en.wikipedia.org ... so, yes, a URL would help

I simply typed https://zh.wikipedia.org and triggered this error.

Windows Server 2003...

Since this root is pretty 'new' (November 2006), it might be that it is not in the set of default rootcertificates recognized by the Operating System.... To confirm, you could try with Firefox 8 or 9. It maintains it's own collection of trusted rootcertificates, so it will probably work because it's not dependent on the collection shipped in Windows Server.

If confirmed, there are the following possible solutions that I can think of.

  • i think it is possible to cross sign the *.wikipedia.org certificate to make it work with older collections of root certificates (not sure though if digicert still offers this feature....)
  • manually update your windows server 2003 with newer root certificates....

I'm pretty sure MS pushed the new root certs out to the 03 boxes, But I can't remote in to confirm it on mone.

Oh. There's about a billion reasons this could fail on Windows Server. You *really* aren't supposed to web browse on Windows Server systems, and Microsoft tries their hardest to make it impossible.

If it's working with IE 8 in other versions of Windows, I'm happy.