  1. #1
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    686

    2 USA IRS Government certs not trusted

    SSL Inspector is saying these aren't trusted, but vanilla Chrome trusts them just fine. Do you guys need to release an update of trusted CAs to SSL Inspector?

    Code:
    ews-sdc.federalreserve.org
    www.ipp.fms.treas.gov

    For the time being I downloaded the 2 certs and uploaded them to the SSL Inspector as trusted (which is a pretty cool feature you guys created).

    Please let me know.

    Thanks!
    -
    Doug

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Those sites are not bundling the L1K intermediate cert, so they won't be trusted because the chain cannot be verified.

    Some browsers will go and fetch intermediate certs using the URL, so that's why some browsers work and others do not.

    Standard openssl does not:
    ~ # sudo update-ca-certificates
    Updating certificates in /etc/ssl/certs...
    0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...


    done.
    done.
    ~ # wget 'https://www.ipp.fms.treas.gov'
    --2018-05-18 17:45:19-- https://www.ipp.fms.treas.gov/
    Resolving www.ipp.fms.treas.gov (www.ipp.fms.treas.gov)... 199.169.195.17, 2605:3100:fffc:100::111
    Connecting to www.ipp.fms.treas.gov (www.ipp.fms.treas.gov)|199.169.195.17|:443... connected.
    ERROR: The certificate of ‘www.ipp.fms.treas.gov’ is not trusted.
    ERROR: The certificate of ‘www.ipp.fms.treas.gov’ hasn't got a known issuer.


    You are free to add the cert to the trust chain manually, probably the easiest.

    Or talk to them about their issue...
    If you use them for APIs and anything openssl based, this is your only option unfortunately, unless you want to manually import their intermediate cert into every single machine...
    Given these are IIS servers and it's government, good luck with that....
    Last edited by dmorris; 05-18-2018 at 05:51 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
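
    The failure described in this reply, reproduced offline as an added example (not part of the original thread): a locally generated root, intermediate and leaf show that openssl rejects the leaf when only the root is known and accepts it once the intermediate is supplied, and where the fetch URL lives in the leaf. All names, keys and the `pki.example.invalid` URL are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every key, name and URL below is generated locally.

make_demo_pki() {   # $1 = empty working directory
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.invalid/int.crt\n' > "$d/leaf.ext"
  for n in root int leaf; do   # one key + CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate placed in the trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate signed by the intermediate, with an AIA pointer.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Server sends only its own certificate; the client knows only the root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Server bundles the intermediate, passed as untrusted chain material.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The URL a fetching client would follow to find the missing intermediate.
aia_url() {
  openssl x509 -in "$1/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
verify_leaf_only "$d"  && echo "leaf only: trusted"  || echo "leaf only: NOT trusted"
verify_with_chain "$d" && echo "with chain: trusted" || echo "with chain: NOT trusted"
echo "AIA caIssuers: $(aia_url "$d")"
rm -rf "$d"
```

    The `-untrusted` file stands in for what a correctly configured server sends in its handshake; it supplies chain material only and grants no trust by itself.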

  3. #3
    Master Untangler dmor's Avatar
    Join Date
    Jun 2009
    Posts
    686

    Lol
    #GovernmentFail

    Thanks for confirming once again Untangle is awesome!
