SOLVED ixsystems certificate error

[elvisimprsntr]

Trying to download the nightly SCALE update file and receive the following error. I have cleared my browser cache and cookies.

https://update.freenas.org/scale/TrueNAS-SCALE-Angelfish-Nightlies/TrueNAS-SCALE.update

Not sure if it's related, but my SCALE testing platform stopped picking up new nightly updates since updating to nightly TrueNAS-SCALE-22.02-MASTER-20211124-112925

 

[Inexcusable]

Go Daddy certificate, has this been revoked in response to the Go Daddy hacks?

 

[elvisimprsntr]

Go Daddy certificate, has this been revoked in response to the Go Daddy hacks?

Seems plausible

GoDaddy data breach hits 1.2 million Managed WordPress customers

GoDaddy said in a data breach notification published today that the data of up to 1.2 million of its customers was exposed after hackers gained access to the company's Managed WordPress hosting environment.

www.bleepingcomputer.com

GoDaddy hack exposes accounts of 1.2 million customers

Web-hosting firm and domain registrar GoDaddy has revealed that it has suffered cyber attack which saw a hacker gain access to details of over one million customers.

www.bitdefender.com

Now how do we get ixsystems to acknowledge and fix it?

 

[danb35]

@morganL, any input on this? @Kris Moore? @JoshDW19?

 

[morganL]

Can we confirm if anyone else is seeing the same issue?

 

[danb35]

Can we confirm if anyone else is seeing the same issue?

Well, I am:

 

[danb35]

ssllabs.com is giving an F for update.freenas.org as well:

SSL Server Test: update.freenas.org (Powered by Qualys SSL Labs)

The issue is, again, that the cert is revoked:

SSLLabs shows the same F grade for each of eight IP addresses (four each IPv4 and IPv6 addresses), but I haven't looked at each report to confirm that each is for the same reason (though that seems likely).

 

[elvisimprsntr]

With all that evidence, seems like an open and shut case. No plea bargin.

@morganL

 

[danb35]

I'd file a bug on it, but I don't see a category in Jira for the iX web services.

 

[danb35]

And, of course, if they used Let's Encrypt, this would be a non-issue.

 

[elvisimprsntr]

Hopefully this lands in someone's inbox who can do something about it

 

[jgreco]

And, of course, if they used Let's Encrypt, this would be a non-issue.

Well, not really. LetsEncrypt is its own ball of sh!+, with a need to run certbot or acme.sh or whatever, to maintain the certificates, and this isn't universally compatible with what could be a CDN or other traditional high volume distribution system. LetsEncrypt hasn't even managed to provide stability to the point where the stuff they originally released will still work today, and those of us who are actually responsible for maintaining at-scale infrastructure find it to be rather frustrating to design and redesign things as time passes. This compares poorly to the relatively simple act of simply renewing, downloading, and installing a new 2 year certificate. I certainly would have spent much less time doing three such renewals than I've spent fighting insipid, idiotic, and/or arbitrary changes in LetsEncrypt-based systems, some of which have broken with zero warning or notice.

 

[morganL]

It has an internal ticket to resolve.... I don't know what the cause was.

 

[Jaron]

This has been resolved. There was a certificate change which wasnt updated at the CDN. All should be working now.

 

[elvisimprsntr]

Confirmed