This repository has been archived by the owner on Feb 28, 2024. It is now read-only.

[BUG-228848] Legitimate SSL certificates being rejected #6834

Closed
sl-service-account opened this issue May 31, 2020 · 10 comments


sl-service-account commented May 31, 2020

What just happened?

As of the 30th of May, HTTP requests to the CasperUpdate endpoint fail due to SSL validation

The endpoint is https://update.casperdns.com:8443

The certificate is valid, non-revoked, and has been installed since July 2019

What were you doing when it happened?

default
{
    state_entry()
    {
        // Issue an HTTPS GET to the CasperUpdate endpoint; the reply arrives in http_response.
        // The parameter list is an LSL list literal, [HTTP_METHOD, "GET"].
        llHTTPRequest("https://update.casperdns.com:8443/?", [HTTP_METHOD, "GET"], "");
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        // The server answers a bare request with "FAIL|Missing header 1",
        // so receiving that body proves the TLS handshake and request succeeded.
        if (body == "FAIL|Missing header 1")
        {
            llOwnerSay("It worked");
        }
        else
        {
            llOwnerSay("It didn't work");
        }
    }
}

What were you expecting to happen instead?

The valid SSL certificate should be accepted

Other information

The last request I had from inworld was at 2020-05-30 3:48:38 AM

Original Jira Fields

Issue: BUG-228848
Summary: Legitimate SSL certificates being rejected
Type: Bug
Priority: Unset
Status: Closed
Resolution: Accepted
Reporter: Casper Warden (casper.warden)
Created at: 2020-05-31T16:33:27Z
Updated at: 2022-10-28T23:05:56Z
Date of First Response: 2020-05-31T11:58:04.411-0500
Build Id: unset
Business Unit: Platform
ReOpened Count: 0.0
Severity: Unset
System: SL Simulator
Target Viewer Version: viewer-development

Ghost Menjou commented at 2020-05-31T16:58:04Z

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

Sectigo root CA has expired, maybe LL still uses it?

That cert is deffo signed by Sectigo, so it has to be related


Casper Warden commented at 2020-05-31T17:01:26Z

Yeah, I think you're right Ghost - it seems LL's CA certificate store hasn't been updated in many years :/


Amalia Illios commented at 2020-05-31T17:55:31Z

Yes, I had the same issue for my logging and other scripts since 10:38 or so UTC May 30th. Seems the CA Certificates on the LL servers haven't been updated in a very long time. I worked around using the cross-signed cert they offer for legacy systems for now, but this really needs to be fixed.


Grumpity Linden commented at 2020-06-01T03:37:36Z

Thank you for the report, Casper et al. We're investigating. 


Oz Linden commented at 2020-06-01T23:53:16Z, updated at 2020-06-02T13:56:37Z

We have prepared a simulator build with an updated certificate authority store (we use the certificate authority list published by Mozilla); it appears to solve some of the other problems that have been reported, but not the specific one for update.casperdns.com 

The new build can be tested now on aditi in the region Mino Vulcan

I believe that the problem with update.casperdns.com is that the server is returning a cert signed by 

Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

X509v3 Authority Key Identifier: keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1

That certificate is in turn signed by 

Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

X509v3 Authority Key Identifier: keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB

Our updated build has the USERTRUST CA, but does not have the intermediate root for Sectigo.

If you configure update.casperdns.com to return the Sectigo CA in the chain, I believe it will work with our new build.
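The path-building failure Oz describes, as an added example that is not from this issue or from Linden Lab's simulator: a Python model of a TLS client walking Authority Key Identifier links from the leaf, first through the certificates the server sent and then through its own trust store. The two keyids are the ones quoted above; the leaf's SKI and the subject names are stand-ins, and no signatures or validity dates are checked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Only the fields path building needs (constructed model, not real X.509)."""
    subject: str
    ski: str  # Subject Key Identifier
    aki: str  # Authority Key Identifier; equals ski for a self-signed root

# The two keyids quoted in the issue; the leaf's SKI is a placeholder.
SECTIGO_DV_KEYID = "8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1"
USERTRUST_KEYID = "53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB"
LEAF = Cert("update.casperdns.com", "LEAF-SKI-PLACEHOLDER", SECTIGO_DV_KEYID)
SECTIGO_DV = Cert("Sectigo RSA Domain Validation Secure Server CA", SECTIGO_DV_KEYID, USERTRUST_KEYID)
USERTRUST = Cert("USERTrust RSA Certification Authority", USERTRUST_KEYID, USERTRUST_KEYID)

def build_path(presented, trust_store):
    """Walk AKI -> SKI links from presented[0] until a trust anchor is reached.

    Issuers are looked up first among the certificates the server sent, then in
    the client's trust store. Returns (True, [subjects]) or (False, keyid of the
    issuer that could not be found). Signatures, validity periods and name
    constraints are deliberately not modelled.
    """
    by_ski = {c.ski: c for c in presented}
    anchors = {c.ski: c for c in trust_store}
    current = presented[0]
    path = [current]
    while current.ski not in anchors:
        issuer = by_ski.get(current.aki) or anchors.get(current.aki)
        if issuer is None or issuer in path:  # missing issuer, or a loop
            return False, current.aki
        path.append(issuer)
        current = issuer
    return True, [c.subject for c in path]

def demo():
    """The three configurations discussed in the thread."""
    root_only = [USERTRUST]  # the updated simulator store as Oz describes it
    return {
        "leaf_only": build_path([LEAF], root_only),                       # fails
        "leaf_plus_intermediate": build_path([LEAF, SECTIGO_DV], root_only),  # ok
        "store_carries_intermediate": build_path([LEAF], [USERTRUST, SECTIGO_DV]),  # ok
    }

if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(name, "OK: " + " -> ".join(detail) if ok else "FAIL, no issuer with keyid " + detail)
```

The third case is Casper's point further down the thread: a store that already carries the intermediate validates a bare leaf, which is why the missing certificate in the served chain went unnoticed until the store changed.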


Whirly Fizzle commented at 2020-06-02T10:35:46Z, updated at 2020-06-02T10:37:46Z

Looks likely a fix is coming on main grid on Tuesday - see this post: https://community.secondlife.com/forums/topic/455707-deploy-plan-for-the-week-of-2020-06-01/

Edit to add: After reading Oz's post above again, this main grid fix possibly won't fix Casper's server.


Oz Linden commented at 2020-06-02T13:55:17Z

added a link to the Debian bug log for this issue


Casper Warden commented at 2020-06-02T17:49:27Z

Oz, you're right that my cert chain doesn't include that intermediate root - but that's because it's been part of the standard CA bundle since 2010 :)

But, I will update my chain to include it. Thanks for your prompt attention to this issue!


Casper Warden commented at 2020-06-02T18:05:38Z

I've updated my application to use a temporary intermediate certificate provided by Sectigo which has a few more years on it, so I'm back online throughout the grid.

Do you guys have a plan of attack for keeping the CA Certs up to date? Of course these will all eventually expire.


Oz Linden commented at 2020-06-02T19:36:17Z

Yes 
