This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] SSL issue with atlas.ripe.net
- Previous message (by thread): [atlas] SSL issue with atlas.ripe.net
- Next message (by thread): [atlas] modifications to Atlas front-end servers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bjørn Mork
bjorn at mork.no
Thu Mar 2 09:52:40 CET 2017
"Pier Carlo Chiodi - Active Network S.p.A." <pc.chiodi at activenetwork.it> writes: > Some connections (not all) to https://atlas.ripe.net fail because of > what seems to be an invalid certs chain. It looks like that an > intermediate cert is missing. I see the same problem. Extra data point: The requests appear to be served by one or more Apache instances and one or more nginx instances. The chain is complete and validation suceccessful for Apache. The chain is incomplete and validation fails for nginx. Apache: bjorn at miraculix:/tmp$ openssl s_client -connect 193.0.6.158:443 -servername atlas.ripe.net CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA verify return:1 depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net verify return:1 Server did acknowledge servername extension. --- Certificate chain 0 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA --- .. --- SSL handshake has read 4752 bytes and written 773 bytes Verification: OK --- .. --- HEAD / HTTP/1.0 HTTP/1.1 400 Bad Request Date: Thu, 02 Mar 2017 08:47:32 GMT Server: Apache Strict-Transport-Security: max-age=15768000 Connection: close Content-Type: text/html; charset=iso-8859-1 closed nginx: bjorn at miraculix:/tmp$ openssl s_client -connect 193.0.6.158:443 -servername atlas.ripe.net CONNECTED(00000003) depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = NL, ST = Noord-Holland, L = Amsterdam, O = RIPE NCC, CN = atlas.ripe.net verify error:num=21:unable to verify the first certificate verify return:1 Server did acknowledge servername extension. --- Certificate chain 0 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=atlas.ripe.net i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA --- .. --- SSL handshake has read 2578 bytes and written 325 bytes Verification error: unable to verify the first certificate --- .. --- HEAD / HTTP/1.0 HTTP/1.1 403 Forbidden Server: nginx/1.10.2 Date: Thu, 02 Mar 2017 08:47:40 GMT Content-Type: text/html Content-Length: 169 Connection: close Strict-Transport-Security: max-age=15768000; includeSubDomains closed Bjørn
- Previous message (by thread): [atlas] SSL issue with atlas.ripe.net
- Next message (by thread): [atlas] modifications to Atlas front-end servers
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]