[BUG-228848] Legitimate SSL certificates being rejected #6834
Comments
Ghost Menjou commented at 2020-05-31T16:58:04Z
Sectigo root CA has expired, maybe LL still uses it?
That cert is deffo signed by Sectigo, so it has to be related

Casper Warden commented at 2020-05-31T17:01:26Z
Yeah, I think you're right Ghost - it seems LL's CA certificate store hasn't been updated in many years :/

Amalia Illios commented at 2020-05-31T17:55:31Z
Yes, I had the same issue for my logging and other scripts since 10:38 or so UTC May 30th. Seems the CA Certificates on the LL servers haven't been updated in a very long time. I worked around using the cross-signed cert they offer for legacy systems for now, but this really needs to be fixed.

Grumpity Linden commented at 2020-06-01T03:37:36Z
Thank you for the report, Casper et al. We're investigating.

Oz Linden commented at 2020-06-01T23:53:16Z, updated at 2020-06-02T13:56:37Z
We have prepared a simulator build with an updated certificate authority store (we use the certificate authority list published by Mozilla); it appears to solve some of the other problems that have been reported, but not the specific one for update.casperdns.com.
The new build can be tested now on aditi in the region Mino Vulcan.
I believe that the problem with update.casperdns.com is that the server is returning a cert signed by
That certificate is in turn signed by
Our updated build has the USERTRUST CA, but does not have the intermediate root for Sectigo. If you configure update.casperdns.com to return the Sectigo CA in the chain, I believe it will work with our new build.
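
Added example, not part of the original thread and not Linden Lab's code: the chain problem described in the comment above, reproduced offline with `openssl verify` against a constructed three-tier PKI. The CA names, file names and helper functions are assumptions made for the demonstration; the third case goes one step further and shows a client store that carries the intermediate itself.

```sh
#!/bin/sh
# Added example: constructed three-tier PKI. CA names are placeholders, not the
# real USERTrust/Sectigo certificates discussed in the thread.

new_key_csr() {   # $1 = path prefix, $2 = subject CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_pki() {     # $1 = working directory
    w=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
    # Root CA: self-signed trust anchor.
    new_key_csr "$w/root" "Constructed Root CA"
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -days 30 \
        -extfile "$w/ca.ext" -out "$w/root.pem" 2>/dev/null
    # Intermediate CA: signed by the root.
    new_key_csr "$w/int" "Constructed Intermediate CA"
    openssl x509 -req -in "$w/int.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -CAcreateserial -days 30 -extfile "$w/ca.ext" -out "$w/int.pem" 2>/dev/null
    # Server (leaf) certificate: signed by the intermediate.
    new_key_csr "$w/leaf" "server.example"
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.pem" -CAkey "$w/int.key" \
        -CAcreateserial -days 30 -out "$w/leaf.pem" 2>/dev/null
    # Client store variant that also carries the intermediate.
    cat "$w/root.pem" "$w/int.pem" > "$w/root_and_int.pem"
}

# Validate the leaf as a TLS client would.
# $1 = client trust store, $2 = leaf, $3 = optional intermediates sent by the server
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() { if verify_chain "$@"; then echo accepted; else echo rejected; fi; }

d=$(mktemp -d)
build_pki "$d"
echo "root-only store, server sends leaf only:     $(report "$d/root.pem" "$d/leaf.pem")"
echo "root-only store, server adds intermediate:   $(report "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
echo "store holds intermediate, server sends leaf: $(report "$d/root_and_int.pem" "$d/leaf.pem")"
rm -rf "$d"
```

Against a live server, `openssl s_client -connect host:port -showcerts` lists the certificates the server actually sends, which is what the third argument of `verify_chain` stands in for here.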

Whirly Fizzle commented at 2020-06-02T10:35:46Z, updated at 2020-06-02T10:37:46Z
Looks likely a fix is coming on main grid on Tuesday - see this post: https://community.secondlife.com/forums/topic/455707-deploy-plan-for-the-week-of-2020-06-01/
Edit to add: After reading Oz's post above again, this main grid fix possibly won't fix Casper's server.

Oz Linden commented at 2020-06-02T13:55:17Z
added a link to the Debian bug log for this issue

Casper Warden commented at 2020-06-02T17:49:27Z
Oz, you're right that my cert chain doesn't include that intermediate root - but that's because it's been part of the standard CA bundle since 2010 :) But, I will update my chain to include it. Thanks for your prompt attention to this issue!

Casper Warden commented at 2020-06-02T18:05:38Z
I've updated my application to use a temporary intermediate certificate provided by Sectigo which has a few more years on it, so I'm back online throughout the grid. Do you guys have a plan of attack for keeping the CA Certs up to date? Of course these will all eventually expire.

Oz Linden commented at 2020-06-02T19:36:17Z
Yes

What just happened?
As of the 30th of May, HTTP requests to the CasperUpdate endpoint fail due to SSL validation
The endpoint is https://update.casperdns.com:8443
The certificate is valid, non-revoked, and has been installed since July 2019
What were you doing when it happened?
    default
    {
        state_entry()
        {
            // Send a GET to the CasperUpdate endpoint when the script starts.
            llHTTPRequest("https://update.casperdns.com:8443/?", [HTTP_METHOD, "GET"], "");
        }
    }
What were you expecting to happen instead?
The valid SSL certificate should be accepted
Other information
The last request I had from inworld was at 2020-05-30 3:48:38 AM