Dear jerks, Thank you for breaking HTTPS on the mobile site

Status
Not open for further replies.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
My mobile browser kept throwing certificate errors when viewing the mobile site. As a result, I finally broke down and decided to try out Tapatalk. It's so much better than the janky mobile site. Thanks all. :D

Edit: I'm still not proficient enough to edit my post title, which came off a bit snarkier than intended. Yeah, total noob-sauce here. I won't be offended if a mod decides to change the title to something mocking my noobishness.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Edit: I'm still not proficient enough to edit my post title, which came off a bit snarkier than intended. Yeah, total noob-sauce here. I won't be offended if a mod decides to change the title to something mocking my noobishness.

ftfy
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think we all pitch in and get this site a real certificate... :P
You realize that, since there is basically no real money invested in maintaining this site, you're basically advocating an infinite increase in the overhead.

Cynical minds might think that this is a passive-aggressive way to get some improvements to the site. :D

Of course, that's probably not the case since the preferred way of conducting business in the forums is aggressive-aggressive.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
LetsEncrypt is basically free and works with most browsers. It's just an engineering time thing to make it actually work.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Mobile site? You mean XenForo formatted for small screens? That's the same website, I can even turn my phone into landscape orientation and the layout immediately switches to the full desktop view (sure, it barely fits in my pocket, but the point stands). And I didn't get any certificate warnings, though I do occasionally get a really irritating "Use tapatalk!" message.

Neither Firefox nor Edge are complaining about the certificate here.

Sounds like you might have had a Man-in-the-Middle experience. :D
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I just had Windows validate the certificate and everything seems to check out. No funny business, as far as I can tell:

Code:
C:\Users\Eric\Desktop>certutil -f -urlfetch -verify freenas.org.crt
Issuer:
    CN=Go Daddy Secure Certificate Authority - G2
    OU=http://certs.godaddy.com/repository/
    O=GoDaddy.com, Inc.
    L=Scottsdale
    S=Arizona
    C=US
  Name Hash(sha1): b6080d5f6c6b76eb13e438a5f8660ba85233344e
  Name Hash(md5): fbbe8c9c941c0ec5baba52c7c5198e31
Subject:
    CN=*.freenas.org
    OU=Domain Control Validated
  Name Hash(sha1): 48542463445e3242f2b48b2a9e0ea96866e8c086
  Name Hash(md5): 448791c3cf4289063cc79e464f3ef760
Cert Serial Number: 1672f510697e80fe

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 2015-08-14 18:16
  NotAfter: 2016-08-22 03:34
  Subject: CN=*.freenas.org, OU=Domain Control Validated
  Serial: 1672f510697e80fe
  SubjectAltName: DNS Name=*.freenas.org, DNS Name=freenas.org
  Cert: b87c381fda9c48dd7542c242ce05ad2584a71fde
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.godaddy.com/repository/gdig2.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (d0)" Time: 0
    [0.0] http://crl.godaddy.com/gdig2s1-108.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/

  --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Validation Authority - G2, O=GoDaddy Inc., L=Scottsdale, S=Arizona, C=US
    ThisUpdate: 2016-03-08 13:04
    NextUpdate: 2016-03-10 01:04
    CRL: d9bfb99ba4737d9bc804eecd829263bb05530d28
  Issuance[0] = 2.16.840.1.114413.1.7.23.1
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 2011-05-03 07:00
  NotAfter: 2031-05-03 07:00
  Subject: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 07
  Cert: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL" Time: 0
    [0.0] http://crl.godaddy.com/gdroot-g2.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://ocsp.godaddy.com/

  --------------------------------
    CRL (null):
    Issuer: CN=Go Daddy Root Validation Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
    ThisUpdate: 2016-03-07 19:08
    NextUpdate: 2016-03-09 07:08
    CRL: 5d63acf33f46d94cda947685f13cd3508911e6dd
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
  Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
  Application[7] = 1.3.6.1.5.5.7.3.7 IP security user

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  NotBefore: 2009-09-01 00:00
  NotAfter: 2037-12-31 23:59
  Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
  Serial: 00
  Cert: 47beabc922eae80e78783462a79f45c254fde68b
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[3] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
  Application[5] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
  Application[6] = 1.3.6.1.5.5.7.3.6 IP security tunnel termination
  Application[7] = 1.3.6.1.5.5.7.3.7 IP security user

Exclude leaf cert:
  Chain: 5342ddf58207d0c89b39be1ef303a45cab3b7ba0
Full chain:
  Chain: 99762356d551e2fd572a0dbc1e3e91ae0d1bac04
------------------------------------
Verified Issuance Policies:
    2.16.840.1.114413.1.7.23.1
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Mobile site? You mean XenForo formatted for small screens? That's the same website, I can even turn my phone into landscape orientation and the layout immediately switches to the full desktop view (sure, it barely fits in my pocket, but the point stands). And I didn't get any certificate warnings, though I do occasionally get a really irritating "Use tapatalk!" message.

Neither Firefox nor Edge are complaining about the certificate here.

Sounds like you might have had a Man-in-the-Middle experience. :D
Most likely not a mitm attack. I reset my phone to factory defaults and used multiple networks to verify... I haven't even visited a jihadist website for a while.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
A lot of the time it is happening to me, too.
And it is getting annoying since Ajax is not functioning when trying to view alerts or quick posting.
But as I said, it isn't happening all the time. ATM it is working fine - two hours ago not... In a few hours it may start throwing warnings again. This has been happening for the past week or so.
 

DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630
since there is basically no real money invested in maintaining this site
Um, sir, I don't know if you're aware, but XenForo and the plugins that are necessary to administer a site like this are a very non-trivial and ongoing expense.
 

solarisguy

Guru
Joined
Apr 4, 2014
Messages
1,125
Brand new Firefox 38.7.0 ESR, Windows, attempting https://forums.freenas.org/ immediately gets me (as usual...)

This Connection is Untrusted
You have asked Firefox to connect securely to forums.freenas.org, but we can't confirm that your connection is secure.

Technical Details
forums.freenas.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)

And so starts my daily routine, clicking through that I agree to everything...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
That's a bit old. Maybe the root certificates are out of date.

I'm happy to see that SSL is inflicting misery on other people too.

Brand new Firefox 38.7.0 ESR, Windows, attempting https://forums.freenas.org/ immediately gets me (as usual...)

This Connection is Untrusted
You have asked Firefox to connect securely to forums.freenas.org, but we can't confirm that your connection is secure.

Technical Details
forums.freenas.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)

And so starts my daily routine, clicking through that I agree to everything...

Confirmed, I just downloaded the PortableApps version of ESR 38.6.1 and ... bam.

Okay. More info. This uses an intermediate cert from GoDaddy "Go Daddy Secure Certificate Authority - G2", and the cert loaded into ESR 38 seems to be serial 07 from 5/3/2011-2031, SHA-256 starting with 97:3a, SHA1 starting with 27:AC, with the root as serial 0, 8/31/2009-2037, SHA-256 45:14 SHA1 47:BE.

Oops. I'm also getting this on Firefox 44.0.2. There it's saying "This site attempts to identify itself with invalid information" and then "This certificate is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature."
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Someone forgot to configure the certificate chain in the webserver. Sorry, staring at too many things here.

@dlavigne can you please post a sysadmin request to review the webserver config and make sure that the certificate chain configuration is valid? In particular, one should be able to test this with

# openssl s_client -connect forums.freenas.org:443

and not get the "unable to verify the first certificate" error.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
It's not. You need to include both GoDaddies in the chain.

Go Daddy Secure Certificate Authority - G2

*AND*

Go Daddy Root Certificate Authority - G2

What you have right now is

Code:
>openssl s_client -connect forums.freenas.org:443
[......]
    Start Time: 1457537709
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


When you get it right, the last line will show verified, like this

Code:
  Verify return code: 0 (ok)
 