[Operators] IM Observatory: Not recognising DigiCert root certificate
thijs at xnyhps.nl
Thu Oct 31 09:37:05 UTC 2013
On 31 Oct. 2013, at 02:44, Robert Norris <robn at fastmail.fm> wrote:
> Just learned about the IM Observatory, cute idea. Of course I ran our
> server through it:
> It has some good advice, which I'm now working through.
> I think the "Intermediate certificate was not included in the chain"
> error might be bogus though. It's choking on the apparent lack of the
> "DigiCert High Assurance EV Root CA" cert, however this is a cert
> normally included and trusted by browsers and clients alike.
> No errors, which I'd expect, considering the same keychain is used on
> all of our services.
> So is the tester subtly broken, or am I subtly misconfigured?
> Rob N
Hm, I see what’s going wrong.
DigiCert has two different certificates:
Both have the same public key and CA constraint set to TRUE. The only (major)
difference is that the first one is signed by "Entrust.net Secure Server
Certification Authority" and the second one is self-signed. The second one is
part of the root certificates of Debian.
xmppoke tries to manually reconstruct the trust chain, because there are
things you cannot get OpenSSL to do easily (such as warning for missing
intermediate certs, or showing the root that was used). This checking didn't
work perfectly; for example, it assumed every certificate is signed by exactly
one other certificate, which is clearly false in this case. I've updated the
code to look for a trusted root with the same public key as the issuer first,
so the error is now gone.
The error didn't influence the trust, by the way. You still get an F because
your certificate is not valid for fastmail.fm.
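The following is an added example, not xmppoke's own code and not from either poster. It rebuilds the situation from the thread with synthetic keys: one DigiCert key that exists both as a self-signed root (in the local store) and as an Entrust-signed cross-certificate (sent by the server). The intermediate CA name and the leaf hostname are made up for the example. `buildChain` with `rootFirst=false` reproduces the old walk that takes whichever presented certificate signed the current one and then goes looking for Entrust, reporting a missing intermediate; with `rootFirst=true` it checks the trust store for a root whose name and key match the issuer before touching the presented pool, which is the fix described above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// mkCert issues a certificate for pub with the given CN, signed by parentKey. A nil
// parent self-signs. Keys and names are synthetic; only the chain shape matters here.
func mkCert(cn string, pub *ecdsa.PublicKey, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signerOf returns the first certificate in pool whose subject equals c's issuer and
// whose public key verifies c's signature. Matching on name plus key, not on the
// certificate bytes, is what lets a self-signed root stand in for its cross-signed twin.
func signerOf(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if bytes.Equal(p.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// buildChain walks from leaf towards a trusted root. presented is what the server
// sent, trusted is the local root store. rootFirst=false mimics the old walk: the
// presented certificate that signed the current one is taken as its only issuer, so
// a cross-signed root pulls the walk towards an issuer the store does not have.
// rootFirst=true consults the trust store before the presented pool at every step.
func buildChain(leaf *x509.Certificate, presented, trusted []*x509.Certificate, rootFirst bool) (chain []*x509.Certificate, root *x509.Certificate, missing bool) {
	chain = []*x509.Certificate{leaf}
	cur := leaf
	for depth := 0; depth < 8; depth++ {
		if rootFirst {
			if r := signerOf(cur, trusted); r != nil {
				return chain, r, false
			}
		}
		next := signerOf(cur, presented)
		if next == nil {
			if r := signerOf(cur, trusted); r != nil {
				return chain, r, false
			}
			return chain, nil, true // nothing presented or trusted signed cur
		}
		if bytes.Equal(next.RawSubject, next.RawIssuer) {
			// A presented self-signed cert only counts if that exact cert is in the store.
			for _, r := range trusted {
				if r.Equal(next) {
					return chain, r, false
				}
			}
			return chain, nil, false
		}
		chain = append(chain, next)
		cur = next
	}
	return chain, nil, true
}

// digicertScenario builds the thread's situation: one DigiCert key with a self-signed
// root (in the store) and an Entrust-signed twin (sent by the server). The
// intermediate and leaf names are invented for this example.
func digicertScenario() (leaf *x509.Certificate, presented, trusted []*x509.Certificate) {
	entrustKey, dcKey, caKey, leafKey := newKey(), newKey(), newKey(), newKey()
	entrust := mkCert("Entrust.net Secure Server Certification Authority", &entrustKey.PublicKey, true, nil, entrustKey)
	dcSelf := mkCert("DigiCert High Assurance EV Root CA", &dcKey.PublicKey, true, nil, dcKey)
	dcCross := mkCert("DigiCert High Assurance EV Root CA", &dcKey.PublicKey, true, entrust, entrustKey)
	inter := mkCert("Example Intermediate CA", &caKey.PublicKey, true, dcSelf, dcKey)
	leaf = mkCert("xmpp.example.net", &leafKey.PublicKey, false, inter, caKey)
	return leaf, []*x509.Certificate{inter, dcCross}, []*x509.Certificate{dcSelf}
}

func main() {
	leaf, presented, trusted := digicertScenario()
	for _, rootFirst := range []bool{false, true} {
		chain, root, missing := buildChain(leaf, presented, trusted, rootFirst)
		fmt.Printf("rootFirst=%v: chain length %d, root found %v, missing intermediate %v\n", rootFirst, len(chain), root != nil, missing)
	}
}
```

Note that the fix only changes how the chain is reported: the leaf is verified against the same DigiCert key either way, which is why the spurious "missing intermediate" never affected the trust decision itself.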