Closed Bug 926163 Opened 11 years ago Closed 8 years ago
Categories: NSS :: CA Certificates Code, task
Product: NSS
Component: CA Certificates Code
Type: task
Priority: Not set
Severity: normal
Tracking: (Not tracked)
Status: RESOLVED WORKSFORME
People: Reporter: aros, Unassigned

Attachments (2 files):
GoDaddy G2 Cross Certificate, 11 years ago, Wayne Thayer (old account), 1.58 KB, application/x-x509-ca-cert
Old GoDaddy G2 Cross Certificate - Fails in NSS, 11 years ago, Wayne Thayer (old account), 1.17 KB, application/x-x509-ca-cert
Artem S. Tashkinov
Description • 11 years ago

User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130910160258

Steps to reproduce:
Open https://devtalk.nvidia.com/

Actual results:
This Connection is Untrusted
You have asked Firefox to connect securely to devtalk.nvidia.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
(Error code: sec_error_unknown_issuer)

Expected results:
It should work.
(It works in Google Chrome 30, Opera 12.16, Internet Explorer 10/11).
Bill Gianopoulos [:WG9s]
Updated • 11 years ago
Assignee: nobody → nobody
Component: Untriaged → CA Certificates
Product: Firefox → NSS
Version: 24 Branch → trunk
Artem S. Tashkinov
Comment 1 • 11 years ago

What's worse, I cannot even replace a built-in Go-Daddy certificate.

I delete it from Certificate Manager -> Authorities, close this window, open it again, and the certificate is back there again as if I hadn't just deleted it.

It seems like Authorities are set read-only in Firefox ...
Component: CA Certificates → Untriaged
Product: NSS → Firefox
Version: trunk → 24 Branch
Artem S. Tashkinov
Updated • 11 years ago
Component: Untriaged → CA Certificates
Product: Firefox → NSS
Version: 24 Branch → trunk
totalinz
Comment 2 • 11 years ago

Can confirm that "Go Daddy Secure Certificate Authority - G2" also is causing issues with other domains. https://www.dreamcatcher.school.nz/

Looking in the list: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/ shows "Go Daddy Root Certificate Authority - G2" which I suspect is similar, but of course slightly older (hence included).

The new CA needs to be included.
totalinz
Comment 3 • 11 years ago

(In reply to totalinz from comment #2)
> Can confirm that "Go Daddy Secure Certificate Authority - G2" also is
> causing issues with other domains. https://www.dreamcatcher.school.nz/
>
> Looking in the list:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
> shows "Go Daddy Root Certificate Authority - G2" which I suspect
> is similar, but of course slightly older (hence included).
>
> The new CA needs to be included.

Same bugs here:
https://bugzilla.mozilla.org/show_bug.cgi?id=632475
https://bugzilla.mozilla.org/show_bug.cgi?id=632461
Kathleen Wilson
Comment 4 • 11 years ago

(In reply to Artem S. Tashkinov from comment #1)
> What's worse I cannot even replace a built-in Go-Daddy certificate.
>
> I delete it from Certificate Manager -> Authorities, close this window, open
> it again, and the certificate is back there again as if I haven't just
> deleted it.
>
> It seems like Authorities are set read only in Firefox ...

That sounds like bug #950268 which is targeted to be fixed in FF29.
Kathleen Wilson
Comment 5 • 11 years ago

Artem, are you still seeing problems with SSL certs chaining up to "Go Daddy Secure Certificate Authority - G2"?

I'm trying (unsuccessfully) to reproduce the problem. I'm on FF27, but that shouldn't matter since the "Go Daddy Secure Certificate Authority - G2" root cert was included in FF6.
Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Comment 6 • 11 years ago

(In reply to totalinz from comment #2)
> Can confirm that "Go Daddy Secure Certificate Authority - G2" also is
> causing issues with other domains. https://www.dreamcatcher.school.nz/

"Go Daddy Secure Certificate Authority - G2" is an intermediate certificate that chains to "Go Daddy Root Certificate Authority - G2". So, the problem is likely caused by the sites not sending the intermediate certificate.

https://devtalk.nvidia.com/ is now using a GeoTrust/RapidSSL certificate, so it is no longer relevant.

totalinz:

Is the site working for you now in Firefox? If it is now working for you, my guess is that when you wrote your comment (comment 2), https://dreamcatcher.school.nz was mis-configured and was failing to send its intermediate certificate. Now, it seems like the site has over-corrected and is sending too many certificates. It doesn't need to send the "Root" one. If you can contact the administrator of dreamcatcher.school.nz, please send her/him this link: https://www.ssllabs.com/ssltest/analyze.html?d=dreamcatcher.school.nz.

If you are still having trouble accessing dreamcatcher.school.nz in Firefox, please let me know. I have a pretty good idea of what the cause of the trouble is, if it still isn't working for you. (It works for me.)

Thanks!

Wayne, are there multiple intermediate certificates with the subject name "Go Daddy Secure Certificate Authority - G2"? If so, could you please attach those intermediates to this bug, so that we can diagnose the chain building problem.
Wayne Thayer (old account)
Comment 7 • 11 years ago

This site is sending an outdated cross certificate that includes an extra piece of subject information that causes NSS to fail to build the chain to the older GoDaddy SHA-1 root when the newer SHA-2 "G2" root is disabled. The serial and issue date of the broken certificate are 20 03 and 5/3/2011. The certificate that should be used is serial 1b e7 15 with issue date of 1/1/2014. I'm attaching both.
Flags: needinfo?(waynezilla)
Wayne Thayer (old account)
Comment 8 • 11 years ago

Attached file: GoDaddy G2 Cross Certificate

This is the certificate that should be used.
Wayne Thayer (old account)
Comment 9 • 11 years ago

Attached file: Old GoDaddy G2 Cross Certificate - Fails in NSS

This certificate contains an extra piece of subject information which causes NSS to fail to build a chain.
totalinz
Comment 10 • 11 years ago

Yes, this appears to be resolved. The issue was an old GoDaddy bundle on the server from what we found. It wasn't until we started striking a few issues on other browsers a few days later that we managed to isolate the issue.

(In reply to Brian Smith (:briansmith, :bsmith; NEEDINFO? for response) from comment #6)
> (In reply to totalinz from comment #2)
> > Can confirm that "Go Daddy Secure Certificate Authority - G2" also is
> > causing issues with other domains. https://www.dreamcatcher.school.nz/
>
> "Go Daddy Secure Certificate Authority - G2" is an intermediate certificate
> that chains to "Go Daddy Root Certificate Authority - G2". So, the problem
> is likely caused by the sites not sending the intermediate certificate.
>
> https://devtalk.nvidia.com/ is now using a GeoTrust/RapidSSL certificate, so
> it is no longer relevant.
>
> totalinz:
>
> Is the site working for you now in Firefox? If it is now working for you, my
> guess is that when you wrote your comment (comment 2),
> https://dreamcatcher.school.nz was mis-configured and was failing to send
> its intermediate certificate. Now, it seems like the site has over-corrected
> and is sending too many certificates. It doesn't need to send the "Root"
> one. If you can contact the administrator of dreamcatcher.school.nz, please
> send her/him this link:
> https://www.ssllabs.com/ssltest/analyze.html?d=dreamcatcher.school.nz.
>
> If you are still having trouble accessing dreamcatcher.school.nz in Firefox,
> please let me know. I have a pretty good idea of what the cause of the
> trouble is, if it still isn't working for you. (It works for me.)
>
> Thanks!
>
> Wayne, are there multiple intermediate certificates with the subject name
> "Go Daddy Secure Certificate Authority - G2"? If so, could you please attach
> those intermediates to this bug, so that we can diagnose the chain building
> problem.
Flags: needinfo?(arron)
Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Comment 11 • 11 years ago

(In reply to Wayne Thayer from comment #7)
> This site is sending an outdated cross certificate that includes an extra
> piece of subject information that causes NSS to fail to build the chain to
> the older GoDaddy SHA-1 root when the newer SHA-2 "G2" root is disabled. The
> serial and issue date of the broken certificate is 20 03 and 5/3/2011. The
> certificate that should be used is serial 1b e7 15 with issue date of
> 1/1/2014. I'm attaching both.

1. Is it the OU=https://certs.godaddy.com/ that is the problem, or is it something else?

2. Other implementations are able to build the path successfully. Do you know why? Are they using AIA caIssuers to fetch some other intermediate that helps them resolve the problem?

3. Is this simply a bug in NSS, in your opinion?
Wayne Thayer (old account)
Comment 12 • 11 years ago

1. Yes, it's the OU field causing the issue.

2. I don't think caIssuers is the reason other implementations work. I suspect they are using the AKI which properly identified the parent certificate.

3. As I understand it, this is not a bug in NSS - a strict interpretation of the RFC requires the subject to match even if an AKI is included.
Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Comment 13 • 11 years ago

(In reply to Wayne Thayer from comment #12)
> 1. Yes, it's the OU field causing the issue.
> 2. I don't think caIssuers is the reason other implementations work. I
> suspect they are using the AKI which properly identified the parent
> certificate.
> 3. As I understand it, this is not a bug in NSS - a strict interpretation of
> the RFC requires the subject to match even if an AKI is included.

Thanks Wayne.

I want to make sure I understand the issue completely:

1. Previously, GoDaddy was giving its customers the "Old GoDaddy G2 Cross Certificate - Fails in NSS" certificate, which chained to an older GoDaddy root.

2. That certificate is actually invalid because it contains an OU in its subject field that is not in the issuer field of the end-entity certificates GoDaddy distributed.

3. There is a working certificate "GoDaddy G2 Cross Certificate" that Wayne attached to this bug, which chains to an older GoDaddy root.

4. There is another working certificate, not attached to this bug, which chains to the newer GoDaddy root.

5. There are probably a large number of websites that send the broken chain.

Is this all correct? If so, I recommend we do the following:

1. Wayne should attach the working intermediate certificate that chains to the newer GoDaddy root to this bug.

2. NSS team should add that intermediate certificate to NSS without any trust bits set (trust inherited from the root).

This will work around the problem for sites that are sending the older, wrong, intermediate.
Flags: needinfo?(waynezilla)
OS: Windows 7 → All
Hardware: x86_64 → All
Wayne Thayer (old account)
Comment 14 • 11 years ago

Brian - your statements 1-3 are correct.

4 - sort of. To maximize the browser recognition of GoDaddy SHA-2 certificates, we have cross-signed the new root with the old one. This results in two possible certificate chains:

(1) end-entity --> Go Daddy Secure Certificate Authority - G2 --> Go Daddy Root Certificate Authority - G2 (self-signed root already shipped with Firefox)

(2) end-entity --> Go Daddy Secure Certificate Authority - G2 --> Go Daddy Root Certificate Authority - G2 ("cross certificate" signed by SHA-1 root) --> Go Daddy Class 2 Certification Authority (SHA-1 root shipped with Firefox)

5 - no, not many. This just started when we switched over to issuing SHA-2 certificates by default and was corrected quickly.

I think that adding the cross certificate to NSS could cause more issues than it fixes as we are trying to retire the SHA-1 root that it chains to in the next 5 years.
Flags: needinfo?(waynezilla)
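The chain-building behaviour discussed in comments 7 through 14 is easy to misread without a concrete model, so here is an added example (not NSS code, and not anything GoDaddy shipped) that builds a path from a leaf to a trust anchor under the two issuer-selection rules the thread contrasts: strict issuer/subject name matching as Wayne describes for NSS, and Authority Key Identifier lookup as he guesses other implementations use. Certificates are plain records; "signature verification" is simulated by comparing the child's AKI to the candidate's SKI. The hostname, key identifiers and all names other than the CN strings and the extra OU quoted in comment 11 are constructed for illustration, and the real cross certificates carry more fields than this model.

```python
"""Toy X.509 path builder: strict issuer/subject name matching versus
Authority Key Identifier (AKI) lookup.

Added example, not NSS code.  Certificates are plain records; a child is
treated as "signed by" a candidate when the child's AKI equals the
candidate's SKI, which stands in for checking the signature against the
candidate's public key.  All names, key identifiers and the hostname are
constructed; only the CN strings and the extra OU come from the bug report.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Name = Tuple[str, ...]  # ordered RDNs, e.g. ("C=US", "O=...", "CN=...")


@dataclass(frozen=True)
class Cert:
    subject: Name
    issuer: Name
    ski: str   # subjectKeyIdentifier
    aki: str   # authorityKeyIdentifier (keyIdentifier form)


# Constructed sample hierarchy (the real GoDaddy names have more RDNs).
SHA1_ROOT_NAME: Name = ("C=US", "O=The Go Daddy Group, Inc.",
                        "OU=Go Daddy Class 2 Certification Authority")
G2_ROOT_NAME: Name = ("C=US", "ST=Arizona", "L=Scottsdale", "O=GoDaddy.com, Inc.",
                      "CN=Go Daddy Root Certificate Authority - G2")
INT_NAME: Name = ("C=US", "ST=Arizona", "L=Scottsdale", "O=GoDaddy.com, Inc.",
                  "CN=Go Daddy Secure Certificate Authority - G2")

SHA1_ROOT = Cert(SHA1_ROOT_NAME, SHA1_ROOT_NAME, "root-key", "root-key")
G2_ROOT = Cert(G2_ROOT_NAME, G2_ROOT_NAME, "g2-key", "g2-key")

# Cross certificate: the G2 root's subject and key, signed by the SHA-1 root.
GOOD_CROSS = Cert(G2_ROOT_NAME, SHA1_ROOT_NAME, "g2-key", "root-key")

# Outdated cross certificate: same key, but an extra OU in the subject, so
# its subject no longer equals the issuer name carried by the intermediate.
BAD_CROSS_NAME: Name = G2_ROOT_NAME[:4] + ("OU=https://certs.godaddy.com/",) + G2_ROOT_NAME[4:]
BAD_CROSS = Cert(BAD_CROSS_NAME, SHA1_ROOT_NAME, "g2-key", "root-key")

INTERMEDIATE = Cert(INT_NAME, G2_ROOT_NAME, "int-key", "g2-key")
LEAF = Cert(("CN=www.example.test",), INT_NAME, "leaf-key", "int-key")  # constructed host

Matcher = Callable[[Cert, Cert], bool]


def name_match(child: Cert, cand: Cert) -> bool:
    """RFC 5280 section 6.1.3 (a)(4): the child's issuer name must equal the
    candidate's subject name.  This models the rule NSS applies."""
    return child.issuer == cand.subject


def aki_match(child: Cert, cand: Cert) -> bool:
    """Lenient alternative: pick the issuer by key identifier alone."""
    return child.aki == cand.ski


def signed_by(child: Cert, cand: Cert) -> bool:
    """Stand-in for signature verification (see module docstring)."""
    return child.aki == cand.ski


def build_path(leaf: Cert, sent: List[Cert], trusted: List[Cert],
               match: Matcher, max_len: int = 8) -> Optional[List[Cert]]:
    """Depth-first path construction from leaf to a trust anchor.

    `sent` models the certificates the server delivered (plus anything the
    client has cached or preloaded); `trusted` models the enabled roots.
    Returns the path leaf..anchor, or None when no anchor is reachable."""
    def extend(path: List[Cert]) -> Optional[List[Cert]]:
        if len(path) >= max_len:
            return None
        head = path[-1]
        for cand in sent + trusted:
            if cand in path or not (match(head, cand) and signed_by(head, cand)):
                continue
            if cand in trusted:
                return path + [cand]
            found = extend(path + [cand])
            if found is not None:
                return found
        return None
    return extend([leaf])


def common_names(path: Optional[List[Cert]]) -> List[str]:
    """Last RDN of each subject in the path, for readable output."""
    return [] if path is None else [c.subject[-1] for c in path]


if __name__ == "__main__":
    # The bug: G2 root disabled, server sends the outdated cross certificate.
    sent = [INTERMEDIATE, BAD_CROSS]
    print("strict names :", common_names(build_path(LEAF, sent, [SHA1_ROOT], name_match)))
    print("AKI lookup   :", common_names(build_path(LEAF, sent, [SHA1_ROOT], aki_match)))
    # The fix: the server sends the corrected cross certificate instead.
    print("fixed bundle :", common_names(build_path(LEAF, [INTERMEDIATE, GOOD_CROSS], [SHA1_ROOT], name_match)))
    # Comment 13's workaround: the client has the good cross certificate preloaded.
    print("preloaded    :", common_names(build_path(LEAF, sent + [GOOD_CROSS], [SHA1_ROOT], name_match)))
    # With the G2 root enabled, the intermediate chains to it directly (chain (1) in comment 14).
    print("G2 enabled   :", common_names(build_path(LEAF, sent, [SHA1_ROOT, G2_ROOT], name_match)))
```

Under strict name matching the outdated cross certificate is never a candidate issuer for the intermediate, so with only the SHA-1 root enabled no path exists, which is the sec_error_unknown_issuer the reporter saw; the AKI rule happily uses it because the key is the same. The model also shows why Brian's proposed workaround (preloading the correct cross certificate) and GoDaddy's actual fix (shipping the corrected bundle) both restore the path without relaxing the name rule. A real validator additionally checks signatures, validity periods, basicConstraints, key usage and name constraints, none of which this toy models.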
Dana Keeler (she/her) (use needinfo) [:keeler]
Comment 15 • 10 years ago

https://www.careerjunction.co.za/ has a similar issue where it appears to not send an intermediate necessary for certificate verification to find a trusted path.
Artem S. Tashkinov
Comment 16 • 8 years ago

Haven't seen any errors for a long while. Closing.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME