2 USA IRS Government certs not trusted

[dmor]

SSL Inspector is saying these aren't trusted, but vanilla Chrome trusts them just fine. Do you guys need to release an update of trusted CAs to SSL Inspector?

Code:

ews-sdc.federalreserve.org
www.ipp.fms.treas.gov

For the time being I downloaded the 2 certs and uploaded them to the SSL Inspector as trusted (which is a pretty cool feature you guys created).

Please let me know.

Thanks!
-
Doug

[dmorris]

Those sites are not bundling the L1K intermediate cert, so they won't be trusted because the chain can not be verified.

Some browsers will go and fetch intermediate certs using the URL so thats why some browsers work and others do not.

standard openssl does not:
~ # sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...


done.
done.
~ # wget 'https://www.ipp.fms.treas.gov'
--2018-05-18 17:45:19-- https://www.ipp.fms.treas.gov/
Resolving www.ipp.fms.treas.gov (www.ipp.fms.treas.gov)... 199.169.195.17, 2605:3100:fffc:100::111
Connecting to www.ipp.fms.treas.gov (www.ipp.fms.treas.gov)|199.169.195.17|:443... connected.
ERROR: The certificate of ‘www.ipp.fms.treas.gov’ is not trusted.
ERROR: The certificate of ‘www.ipp.fms.treas.gov’ hasn't got a known issuer.


You are free to add the cert to the trust chain manually, probably the easiest.

Or talk to them about their issue...
If you use them for APIs and anything openssl based, this is your only option unfortunately unless you want to manually import their intermediate cert into every single machine...
given these are IIS servers and its government, good luck with that....

[dmor]

Lol
#GovernmentFail

Thanks for confirming once again Untangle is awesome!