Opened 6 years ago
Closed 6 years ago
#16122 closed task (fixed)
GRAFCAN HTTPS
| Reported by: | stoecker | Owned by: | javiersanp |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | External imagery source | Version: | |
| Keywords: | https | Cc: | Don-vip |
Description (last modified by )
Attachments (0)
Change History (9)
follow-up: 2 comment:1 by , 6 years ago
| Cc: | added |
|---|
comment:2 by , 6 years ago
Replying to stoecker:
@Vincent: They have a Let's Encrypt certificate, but no certificate chain. Maybe we should replace IdenTrust in our internal list with LE direct cert. The browsers already support LE for some time now.
Hmm, no. wouldn't work. We would have to add intermediate "Let's Encrypt Authority X3", which I don't like much.
Someone should contact them, so they can fix this:
https://www.ssllabs.com/ssltest/analyze.html?d=idecan1.grafcan.es&s=195.53.241.136
They do it right for
https://www.ssllabs.com/ssltest/analyze.html?d=www.grafcan.es
@javiersanp:
Do you know contact at GRAFCAN. Can you ask them to fix the certificate chain?
P.S. In WebStart it should work.
comment:3 by , 6 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | https added |
follow-up: 6 comment:5 by , 6 years ago
Yes, I can contact them, but I'm not sure about the technical statments you are mentioning. Could you please give me a brief resume describing the problem for them?
comment:6 by , 6 years ago
Replying to javiersanp:
Yes, I can contact them, but I'm not sure about the technical statments you are mentioning. Could you please give me a brief resume describing the problem for them?
Thats easy :-) See the two links above and click there on "Certification Paths > Click here to expand". For the failing one you see "Extra download", whereas the correct one has "Sent by server".
Essentially a certifcate consists of the X509 cert itself and a set of other intermediate certificates up to the root (called certificate chain). This chain can have a length of two or more entries. Typical is 3 or 4. Everything except the root must be send by the server. idecan1.grafcan.es has a length of 3, but does not send the "Let's Encrypt Intermediate X3 cert". It nevertheless works in browsers, because to prevent trouble they also include the missing certs usually. Java (and older systems) do not have this one.
I'd simply point them either to above links (the server has also some other issues) or to this ticket ;-)
comment:7 by , 6 years ago
| Summary: | GRFCAN HTTPS → GRAFCAN HTTPS |
|---|
comment:8 by , 6 years ago
Reported to GRAFCAN, they solved the problem. Tested and working.
Wiki updated.
@Vincent: They have a Let's Encrypt certificate, but no certificate chain. Maybe we should replace IdenTrust in our internal list with LE direct cert. The browsers already support LE for some time now.