Content preview: On Mon, Jun 12, 2017 at 12:03:46PM +0200, Ewoud Kohl van Wijngaarden wrote: >On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote: >> Quack, >> >> So the Digicert system does not warn you about all certs but only if you >> were configured to be in some access list at creation or renewal time. I >> was not in RH when www.ovirt.org cert was issued, so… >> >> Fortunately I was kindly warned by another guy having access to the >> system. I requested a renewal yesterday but today it is not yet done. So >> let's hope it is done when I wake up or during the day. > > The chain is incomplete causing some requests to fail, see > https://www.ssllabs.com/ssltest/analyze.html?d=www.ovirt.org&latest > > You can replicate it by using curl on the command line. Browsers often > have the chain cached and don't see the problem. [...] Content analysis details: (-1.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-SA-Exim-Connect-IP: 2a02:1398:804::199 X-SA-Exim-Mail-From: ewoud+ovirt@kohlvanwijngaarden.nl X-SA-Exim-Scanned: No (on mail.xentower.nl); SAEximRunCond expanded to false X-BeenThere: infra@ovirt.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "List for ovirt.org infrastructure team" <infra.ovirt.org> List-Unsubscribe: <http://lists.ovirt.org/mailman/options/infra>, <mailto:infra-request@ovirt.org?subject=unsubscribe> List-Archive: <http://lists.ovirt.org/pipermail/infra/> List-Post: <mailto:infra@ovirt.org> List-Help: <mailto:infra-request@ovirt.org?subject=help> List-Subscribe: <http://lists.ovirt.org/mailman/listinfo/infra>, <mailto:infra-request@ovirt.org?subject=subscribe> X-List-Received-Date: Sun, 18 Jun 2017 08:26:30 -0000 On Mon, Jun 12, 2017 at 12:03:46PM +0200, Ewoud Kohl van Wijngaarden wrote:
On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote:
Quack,
So the Digicert system does not warn you about all certs but only if you were configured to be in some access list at creation or renewal time. I was not in RH when www.ovirt.org cert was issued, so…
Fortunately I was kindly warned by another guy having access to the system. I requested a renewal yesterday but today it is not yet done. So let's hope it is done when I wake up or during the day.
The chain is incomplete causing some requests to fail, see https://www.ssllabs.com/ssltest/analyze.html?d=www.ovirt.org&latest
You can replicate it by using curl on the command line. Browsers often have the chain cached and don't see the problem.
This is still an issue.