wiki.squid-cache.org has invalid SSL certificate

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

wiki.squid-cache.org has invalid SSL certificate

Walter H.
Hello,

look here

https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org

there is an invalid certificate as the intermediate

Walter



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: wiki.squid-cache.org has invalid SSL certificate

Alex Rousskov
On 1/22/21 3:10 PM, Walter H. wrote:

> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org
> there is an invalid certificate as the intermediate

FWIW, I see nothing marked as "invalid" on that page, even after
clicking on one of the two servers and expanding the "Certification
Paths" group. The "certificate" score is 100%/Green.

The service does show one missing intermediate certificate ("certificate
chain is incomplete" and "extra download" annotations), which the
service was able to successfully download and validated. This extra work
reduced our overall score from A to B AFAICT. This is expected per Squid
Project NOC AFAICT.

It may help if you provide more details about the "invalid" annotations
that _you_ see on that report.

Alex.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: wiki.squid-cache.org has invalid SSL certificate

Matus UHLAR - fantomas
On 22.01.21 15:32, Alex Rousskov wrote:

>On 1/22/21 3:10 PM, Walter H. wrote:
>
>> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org
>> there is an invalid certificate as the intermediate
>
>FWIW, I see nothing marked as "invalid" on that page, even after
>clicking on one of the two servers and expanding the "Certification
>Paths" group. The "certificate" score is 100%/Green.
>
>The service does show one missing intermediate certificate ("certificate
>chain is incomplete" and "extra download" annotations), which the
>service was able to successfully download and validated. This extra work
>reduced our overall score from A to B AFAICT. This is expected per Squid
>Project NOC AFAICT.
>
>It may help if you provide more details about the "invalid" annotations
>that _you_ see on that report.

this may be obsolete info, both server certificate and intermediate were
signes last synday (Jan 17).

I have noticed similar problems for some letsencrypt certificates last
month.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: wiki.squid-cache.org has invalid SSL certificate

Walter H.
On 23.01.2021 13:07, Matus UHLAR - fantomas wrote:

> On 22.01.21 15:32, Alex Rousskov wrote:
>> On 1/22/21 3:10 PM, Walter H. wrote:
>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org
>>> there is an invalid certificate as the intermediate
>>
>> FWIW, I see nothing marked as "invalid" on that page, even after
>> clicking on one of the two servers and expanding the "Certification
>> Paths" group. The "certificate" score is 100%/Green.
>>
>> The service does show one missing intermediate certificate ("certificate
>> chain is incomplete" and "extra download" annotations), which the
>> service was able to successfully download and validated. This extra work
>> reduced our overall score from A to B AFAICT. This is expected per Squid
>> Project NOC AFAICT.
>>
>> It may help if you provide more details about the "invalid" annotations
>> that _you_ see on that report.
>
> this may be obsolete info, both server certificate and intermediate were
> signes last synday (Jan 17).
>
> I have noticed similar problems for some letsencrypt certificates last
> month.
the reason:  Let's encrypt changed the interediate, see here:
https://letsencrypt.org/certificates/

https://wiki.squid-cache.org/

got a new SSL certificate but the chain still has the old X3 instead of
R3 ...

Thanks

Walter




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: wiki.squid-cache.org has invalid SSL certificate

Francesco Chemolli
Thanks for letting me know.
We use letsencrypt and there's an automated renewal mechanism at play, but apparently it doesn't keep up with changing intermediates.


On Sat, Jan 23, 2021 at 1:15 PM Walter H. <[hidden email]> wrote:
On 23.01.2021 13:07, Matus UHLAR - fantomas wrote:
> On 22.01.21 15:32, Alex Rousskov wrote:
>> On 1/22/21 3:10 PM, Walter H. wrote:
>>
>>> https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid-cache.org
>>> there is an invalid certificate as the intermediate
>>
>> FWIW, I see nothing marked as "invalid" on that page, even after
>> clicking on one of the two servers and expanding the "Certification
>> Paths" group. The "certificate" score is 100%/Green.
>>
>> The service does show one missing intermediate certificate ("certificate
>> chain is incomplete" and "extra download" annotations), which the
>> service was able to successfully download and validated. This extra work
>> reduced our overall score from A to B AFAICT. This is expected per Squid
>> Project NOC AFAICT.
>>
>> It may help if you provide more details about the "invalid" annotations
>> that _you_ see on that report.
>
> this may be obsolete info, both server certificate and intermediate were
> signes last synday (Jan 17).
>
> I have noticed similar problems for some letsencrypt certificates last
> month.

the reason:  Let's encrypt changed the interediate, see here:
https://letsencrypt.org/certificates/

https://wiki.squid-cache.org/

got a new SSL certificate but the chain still has the old X3 instead of
R3 ...

Thanks

Walter



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


--
    Francesco

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users