Certificate error

Discussion in 'STH Suggestions and Updates' started by lmk, Nov 10, 2014.

  1. lmk

    lmk Member

    Joined:
    Dec 11, 2013
    Messages:
    128
    Likes Received:
    20
    Hi @Patrick

    There is an error with Google Canary and the length of validity on the forums.servethehome.com certificate.

    It blocks access and does not seem to allow an exception to continue to the site.

    The problem started this morning and it appears it is as a result of a recent update to Google Canary and the 4-5 year expiration of the certificate.

    The error is below:

    -----
    Your connection is not private

    Attackers might be trying to steal your information from forums.servethehome.com (for example, passwords, messages, or credit cards).

    Advanced

    NET::ERR_CERT_VALIDITY_TOO_LONG
    ----
     
    #1
  2. Patrick

    Patrick Administrator
    Staff Member

    Joined:
    Dec 21, 2010
    Messages:
    11,624
    Likes Received:
    4,580
    Hmmm.... interesting. I wonder if anyone else is getting this error.
     
    #2
  3. Alfa147x

    Alfa147x Member

    Joined:
    Feb 7, 2014
    Messages:
    103
    Likes Received:
    10
    I'm on Chromium Version 38.0.2125.111 (290379)

    I'm not experiencing anything funky

    Edit: I'm on OS X
     
    #3
    Last edited: Nov 10, 2014
  4. lmk

    lmk Member

    Google Canary Version 41.0.2215.0 canary (64-bit) and Version 41.0.2216.0 canary (64-bit) showing same behaviour.
     
    #4
  5. lmk

    lmk Member

    #5
  6. Patrick

    Patrick Administrator
    Staff Member

    #6
  7. Entz

    Entz Active Member

    Joined:
    Apr 25, 2013
    Messages:
    269
    Likes Received:
    62
    #7
    Patrick likes this.
  8. Patrick

    Patrick Administrator
    Staff Member

    Thanks @Entz !!!! That saved me hours of trying to fix something due to a chrome daily bug. It is certainly the SHA-1 related check going off at the wrong time.
     
    #8
  9. lmk

    lmk Member

    @Patrick I am glad to help :)

    If it is your site's certificate, then the quick/sledgehammer solution would be to get a shorter certificate (which is, as you said, ridiculous).

    Unfortunately, it is not clear if it is only that particular certificate.

    I just took some time to try and get some answers...

    1) I confirmed your certificate shows as SHA-256. However, taking a look through the chain, I wonder if the root being SHA-1 is the culprit.

    2) It may be a continuation of Google et al driving for better security (re: sunsetting the older SHA-1, etc).

    Chromium Blog: Gradually Sunsetting SHA-1

    So, given that I am using a bleeding edge version, I may be the first to see what will happen with the rest of the browsers.

    My Canary is living up to its namesake :)
     
    #9
  10. lmk

    lmk Member

    @Entz just read through the filed bug. I did see a mention that it may be a SHA-1, found along the chain, too.

    Interested to see what it turns out to be.
     
    #10
  11. Patrick

    Patrick Administrator
    Staff Member

    SHA-1 is OK for CA root servers. Should be fine. The Qualys checker penalizes if you do not use the newer version (and hence why @eva2000 gave me a heads-up to change awhile back.)
     
    #11
    eva2000 likes this.
  12. Entz

    Entz Active Member

    Indeed it will. Really would hate for sites that bought longer Certificates (cost savings) to suddenly get black listed because of a date issue.
     
    #12
  13. lmk

    lmk Member

    Update:

    "There was a bug in the code that caused this warning to be triggered more aggressively than intended. It's being fixed."

    Looking further, it seems:

    "The 39 month check kicks in since the hardcoded dates are set in seconds, while
    start is in microseconds since the epoch. Adding 6 zeros to the hardcoded dates
    should fix the issue."
     
    #13
    Entz and Patrick like this.
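
The seconds-versus-microseconds mismatch quoted in post #13, as an added example that is not part of the thread and not Chromium's own code. The 39-month limit comes from the quote; the cutoff date, the 60-month legacy limit, the `Cert` struct and the function names are assumptions made for illustration.

```cpp
#include <chrono>
#include <cstdint>
#include <iostream>

// Constructed values for illustration, not copied from the Chromium source.
constexpr int64_t kCutoffUnixSeconds = 1427846400;  // 2015-04-01 00:00:00 UTC
constexpr int kStrictLimitMonths = 39;  // certs issued on or after the cutoff
constexpr int kLegacyLimitMonths = 60;  // certs issued before the cutoff

struct Cert {
    int64_t not_before_us;  // validity start, microseconds since the epoch
    int months_valid;       // validity period in whole months
};

// Buggy form: a microsecond timestamp is compared against a constant held in
// seconds. Any modern start time is numerically larger than the constant, so
// the strict limit is applied to every certificate, including ones issued
// before the cutoff.
bool TooLongBuggy(const Cert& c) {
    const int limit = (c.not_before_us >= kCutoffUnixSeconds)
                          ? kStrictLimitMonths
                          : kLegacyLimitMonths;
    return c.months_valid > limit;
}

// Fixed form: the unit is carried in the type. std::chrono converts both
// operands to a common unit before comparing, so mixing seconds and
// microseconds no longer changes the result.
bool TooLongFixed(const Cert& c) {
    const std::chrono::microseconds start(c.not_before_us);
    const std::chrono::seconds cutoff(kCutoffUnixSeconds);
    const int limit = (start >= cutoff) ? kStrictLimitMonths
                                        : kLegacyLimitMonths;
    return c.months_valid > limit;
}

int main() {
    // Constructed samples: both valid for 48 months.
    const Cert before_cutoff{1388534400LL * 1000000, 48};  // issued 2014-01-01 UTC
    const Cert after_cutoff{1433116800LL * 1000000, 48};   // issued 2015-06-01 UTC

    std::cout << std::boolalpha
              << "issued before cutoff: buggy=" << TooLongBuggy(before_cutoff)
              << " fixed=" << TooLongFixed(before_cutoff) << "\n"
              << "issued after cutoff:  buggy=" << TooLongBuggy(after_cutoff)
              << " fixed=" << TooLongFixed(after_cutoff) << "\n";
    return 0;
}
```
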
  14. eva2000

    eva2000 Active Member

    Joined:
    Apr 15, 2013
    Messages:
    242
    Likes Received:
    48
    yup SHA1 for CA root is fine ... SSLlab test looks fine, just you have to update openssl system package and Centmin Mod Nginx static OpenSSL for TLS_FALLBACK_SCSV support as well: "SSL - POODLE attacks on SSLv3 vulnerability" and "Nginx - Updating OpenSSL 1.0.1j for Centmin Mod"
    Code:
    Downgrade attack prevention    No, TLS_FALLBACK_SCSV not supported (more info)
     
    #14
  15. lmk

    lmk Member

    Today's update has fixed it, Version 41.0.2217.0 canary (64-bit)
     
    #15
  16. TangoWhiskey9

    TangoWhiskey9 Active Member

    Joined:
    Jun 28, 2013
    Messages:
    402
    Likes Received:
    59
    Is this all just because you're using the daily? I'm not having the problem but I don't want to update if it's present.
     
    #16
  17. lmk

    lmk Member

    If you are using Canary, either keep the version you have (that is working) or update to the one released with the fix (41.0.2217.0).

    I do not update daily and it only updated (which happened to be exactly when the break was released) when restarting my computer.
     
    #17