[Discuss] server certificates for the https protocol
Steven Kurylo
sk at infinitepigeons.org
Mon Jan 28 20:23:05 PST 2008
> Thanks for these ideas. Is it also possible that SF failed to renew
> something (despite [or because of] the future date on the EquiFax
> certificate)?
No. But I don't see a future date? The certificate was created in
October 07 and is valid until Dec 08.
> Everything was working fine without any warning messages a
> few days ago so failure to renew is a possibility from that perspective.
Now that's interesting. However I get the same error on my Ubuntu
dapper machine - the certificate isn't trusted:
$ openssl s_client -connect lasi.svn.sourceforge.net:443
depth=0 /C=US/ST=California/L=Fremont/O=VA Software Corporation/OU=SourceForge.net/CN=*.svn.sourceforge.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Fremont/O=VA Software Corporation/OU=SourceForge.net/CN=*.svn.sourceforge.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Fremont/O=VA Software Corporation/OU=SourceForge.net/CN=*.svn.sourceforge.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Fremont/O=VA Software Corporation/OU=SourceForge.net/CN=*.svn.sourceforge.net
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
So they probably changed their certificate, so it's now signed by a CA
that our machines don't trust.
Digging further I found a list of fingerprints on their website:
http://www.geotrust.com/resources/root_certificates/index.asp
However this certificate isn't listed. I would email sourceforge to
ask them about the certificate.
> I tried https://lasi.svn.sourceforge.net on firefox. Is that what you meant
> by seeing if firefox already trusts "it"?
No, I was thinking that under preferences, advanced, encryption, you
can view certificates. In the authorities section you can look at the
fingerprints for all the existing equifax certificates to see if they
match the one being shown.
--
Steven Kurylo
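
Added example, not part of the original message: a small Python parser for `openssl s_client` verify output like that quoted above. It separates trust-chain errors (20, 21, 27) from validity-period errors (9, 10), which is the distinction the renewal question turns on. The name `diagnose` and the grouping of codes are this example's own; the sample is the quoted output with mail-wrapped lines rejoined.

```python
import re

# OpenSSL verify codes, grouped by what they say about the failure.
# 18/19: self-signed leaf / self-signed cert in chain; 20: issuer not found
# locally; 21: leaf signature unverifiable; 27: certificate not trusted.
TRUST = {18, 19, 20, 21, 27}
# 9: certificate not yet valid; 10: certificate has expired.
VALIDITY = {9, 10}

SUBJECT = ("/C=US/ST=California/L=Fremont/O=VA Software Corporation"
           "/OU=SourceForge.net/CN=*.svn.sourceforge.net")
# The s_client output quoted in the message, mail-wrapped lines rejoined.
SAMPLE = "".join(
    f"depth=0 {SUBJECT}\nverify error:num={n}:{msg}\nverify return:1\n"
    for n, msg in [(20, "unable to get local issuer certificate"),
                   (27, "certificate not trusted"),
                   (21, "unable to verify the first certificate")]
) + ("---\nCertificate chain\n"
     f" 0 s:{SUBJECT}\n"
     "   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority\n")


def diagnose(output):
    """Summarise the verify errors and the chain the server sent."""
    codes, depth = [], None
    for line in output.splitlines():
        if m := re.match(r"depth=(\d+) ", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):", line):
            codes.append((depth, int(m.group(1))))
    # Chain entries: " N s:<subject>" followed by "   i:<issuer>".
    chain = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", output, re.M)
    seen = {code for _, code in codes}
    # With 20/21, the issuer of the last certificate sent is the one the
    # client could not find in its local trust store.
    missing = chain[-1][2] if chain and seen & {20, 21} else None
    return {
        "codes": [code for _, code in codes],
        "chain_length": len(chain),
        "missing_issuer": missing,
        "trust_problem": bool(seen & TRUST),
        "validity_problem": bool(seen & VALIDITY),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted output this reports a trust problem with no validity-period error, and names the Equifax issuer DN as the certificate to look for in the local store.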