Page MenuHomePhabricator

The certificate chains of newly installed SHA256 certificates are incomplete.
Closed, ResolvedPublic

Description

The following servers don't send the intermediate certificate: RapidSSL SHA256 CA - G3. It can be downloaded from http://gv.symcb.com/gv.crt.

  • rt.wikimedia.org
  • wikitech-static.wikimedia.org
  • etherpad.wikimedia.org

[1] https://www.ssllabs.com/ssltest/analyze.html?d=rt.wikimedia.org
[2] https://www.ssllabs.com/ssltest/analyze.html?d=wikitech-static.wikimedia.org
[3] https://www.ssllabs.com/ssltest/analyze.html?d=etherpad.wikimedia.org

Event Timeline

Chmarkine raised the priority of this task from to Needs Triage.
Chmarkine updated the task description. (Show Details)
Chmarkine added projects: acl*sre-team, HTTPS.
Chmarkine added subscribers: Chmarkine, Dzahn, RobH and 8 others.
akosiaris triaged this task as Unbreak Now! priority.Feb 4 2015, 2:46 PM
akosiaris set Security to None.
akosiaris renamed this task from The certificate chains of newly installed SHA2 certificates are incomplete. to The certificate chains of newly installed SHA256 certificates are incomplete..Feb 4 2015, 3:22 PM
gerritbot added a subscriber: gerritbot.

Change 188562 had a related patch set uploaded (by Alexandros Kosiaris):
Provision the RapidSSL_SHA256_CA_-_G3 CA

https://gerrit.wikimedia.org/r/188562

Patch-For-Review

Change 188562 merged by Alexandros Kosiaris:
Provision the RapidSSL_SHA256_CA_-_G3 CA

https://gerrit.wikimedia.org/r/188562

akosiaris claimed this task.

I managed to fix wikitech-static as well (albeit manually). Why does it even have HTTPS support btw ? Resolving

URGH, so even the replacement intermediary isnt really SHA256. I apologize, I should have caught this issue at the time of replacement!

I'll go through and point the right intermediary cert at the systems I've upgraded the rapidssl certs on, however the end result now is since the intermediary is still sha1 (for sha256 certs, nice rapidssl), we'll need to replace the certs outright in the long run.

it seems etherpad was fixed when rt was fixed (same system, and now pulling the cert with openssl shows proper intermediary.)

This is a myth. "RapidSSL SHA256 CA - G3" is definitely SHA256. The other intermediate is for compatibility with older clients such as XP/Server 2003 (but note that XP has root certificate update enabled by default).