[Open-scap] PCI Website - TLS Failures - Missing Intermediate Certificate

Alexander Scheel ascheel at redhat.com
Fri Jul 27 14:49:33 UTC 2018


All,


While debugging an issue in our testsuite, it has come to our attention
that your website is not serving the intermediate certificate. This works
fine in most browsers because browsers cache intermediate certificates:

https://superuser.com/questions/351516/do-intermediate-certificates-get-cached-in-firefox

However, your site does not serve an intermediate cert:

https://www.ssllabs.com/ssltest/analyze.html?d=pcisecuritystandards.org&s=192.230.74.66&latest

For browsers that haven't visited a website with a Go Daddy intermediate cert,
the website will display an error. The same will happen for users not using a
browser that caches intermediate certs. Here is Go Daddy's page with their
intermediate certs:

http://certs.godaddy.com/repository/


Do you mind updating your website to serve an intermediate certificate as well?


For reference, here is the output of curl on your website:

$ curl https://www.pcisecuritystandards.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



openssl reports a similar error. Note that only one certificate (your server's)
is included in the output:

$ openssl s_client -connect www.pcisecuritystandards.org:443 -servername www.pcisecuritystandards.org
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.pcisecuritystandards.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.pcisecuritystandards.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.pcisecuritystandards.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.pcisecuritystandards.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---




Thank you,


-- Alex

Alexander Scheel
Security and Compliance
OpenSCAP Project
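
The check described in the message above (a chain block containing only the server certificate), written as an added example that is not part of the original e-mail. The function name `chain_status` and the second sample are constructed for illustration; the comparison is a string match on subject and issuer names and does not verify signatures.

```sh
#!/bin/sh
# Classify the "Certificate chain" block of `openssl s_client` output (stdin).
#   leaf-only   : one certificate was sent and it is not self-signed
#   broken-link : an issuer name does not match the next subject name
#   linked      : every issuer name matches the next subject name
#   no-chain    : no chain block was found in the input
chain_status() {
    awk '
        /^Certificate chain/         { in_chain = 1; next }
        in_chain && /^---/           { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n > 0 && /^ *i:/ { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            if (n == 0) { print "no-chain"; exit }
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link"; exit }
            if (n == 1 && iss[0] != subj[0]) { print "leaf-only"; exit }
            print "linked"
        }'
}

# Chain block as quoted in the message above: only the server certificate.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.pcisecuritystandards.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
EOF
}

# Constructed sample (hypothetical names): the server also sends its intermediate.
sample_with_intermediate() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
EOF
}

sample_leaf_only | chain_status
sample_with_intermediate | chain_status
```

Against a live server, pipe the output of the `openssl s_client -connect ... -servername ...` command shown above into `chain_status`, with stdin redirected from `/dev/null` so the client exits after the handshake.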



