This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --lIBBQOd5xJlfx4grVHn7GK3iqTHQD3nfF Content-Type: multipart/mixed; boundary="jIWnohbHnrLDBm9w209XrI73urH0UDQwx"; protected-headers="v1" From: =?UTF-8?B?TWFyYyBEZXF1w6huZXMgKER1Y2sp?= <duck@redhat.com> To: oVirt Infra <infra@ovirt.org> Message-ID: <cc4752b6-816a-be6b-7ecf-4bfebd35c301@redhat.com> Subject: About www.ovirt.org TLS cert --jIWnohbHnrLDBm9w209XrI73urH0UDQwx Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Quack, So the Digicert system does not warn you about all certs but only if you were configured to be in some access list at creation or renewal time. I was not in RH when www.ovirt.org cert was issued, so=E2=80=A6 Fortunately I was kindly warned by another guy having access to the system. I requested a renewal yesterday but today it is not yet done. So let's hope it is done when I wake up or during the day. Just to keep you informed. \_o< --jIWnohbHnrLDBm9w209XrI73urH0UDQwx-- --lIBBQOd5xJlfx4grVHn7GK3iqTHQD3nfF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAlk27HoACgkQVen596wc RD+SpA//QiFxb61/wvRNhhP8xya1JMVDTORSPe3JiPIXvv1VT0jCHwsc6+bbExnW Tq8cjDFvKYXch00KKFEt6IrsfPyIUvwhzzr7OHu/EPutzUg7JmOGNBFXMZIDD5rD 3sW9v/jsPqKhjIjamwu7PcEEz0C+Lc3q7TLyszPfDHVxIZ8ufZgjEK52QSUOVbT3 XCbltnlVieHzHyI772bUDwaCUFpLNTy/XiRM76GX8xiYPYD78KD8FZNkiDx3RYpx hSpKAcGfeegas/LXg+40Ml38Pd6a/GGEfwQL2+wNAKnId3Q8AcftCtcgz4Kb1aZt toXLHQg0IFGLd7SBgterZ9oWjqH46anntzrnc9SYg21dgDwosALcG9RQxuSkwd0d G8qvydsmEYZ3TyseFjVjE0JsR1ZIyYlLvqRB2ZebpD2JZjiOhMtHfKH9UvFDw4P+ ktZ2iDIOPl/oEBCP7/45p0NjKZrLZdYRpHm3dhJ4UqRtGadvQmYn83bH95FDBtqc K/Wlvh5+OovJbpBwq+2ezJzZ1TYCkktqYq9WYpirkxBI/4+OdccDk/b25/mjIQyU vjFB6PO60Nc3H2T8ST4EFv7i4j46h3Uot3l8sa/i3CVxHaK3gQJQ+4WReoJVBj3R NjB1AkkYhn7PRmtjQ2Wp9A6cwILhWGZYVm2ueyZlXss9pD6L9No= =q4vV -----END PGP SIGNATURE----- --lIBBQOd5xJlfx4grVHn7GK3iqTHQD3nfF--
Content preview: On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote: > Quack, > > So the Digicert system does not warn you about all certs but only if you > were configured to be in some access list at creation or renewal time. I > was not in RH when www.ovirt.org cert was issued, so… > > Fortunately I was kindly warned by another guy having access to the > system. I requested a renewal yesterday but today it is not yet done. So
let's hope it is done when I wake up or during the day. [...]
Content analysis details: (-1.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-SA-Exim-Connect-IP: 2a02:1398:804::199 X-SA-Exim-Mail-From: ewoud+ovirt@kohlvanwijngaarden.nl X-SA-Exim-Scanned: No (on mail.xentower.nl); SAEximRunCond expanded to false X-BeenThere: infra@ovirt.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "List for ovirt.org infrastructure team" <infra.ovirt.org> List-Unsubscribe: <http://lists.ovirt.org/mailman/options/infra>, <mailto:infra-request@ovirt.org?subject=unsubscribe> List-Archive: <http://lists.ovirt.org/pipermail/infra/> List-Post: <mailto:infra@ovirt.org> List-Help: <mailto:infra-request@ovirt.org?subject=help> List-Subscribe: <http://lists.ovirt.org/mailman/listinfo/infra>, <mailto:infra-request@ovirt.org?subject=subscribe> X-List-Received-Date: Mon, 12 Jun 2017 10:03:52 -0000 On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote:
Quack,
So the Digicert system does not warn you about all certs but only if you were configured to be in some access list at creation or renewal time. I was not in RH when www.ovirt.org cert was issued, so…
Fortunately I was kindly warned by another guy having access to the system. I requested a renewal yesterday but today it is not yet done. So let's hope it is done when I wake up or during the day.
The chain is incomplete causing some requests to fail, see https://www.ssllabs.com/ssltest/analyze.html?d=www.ovirt.org&latest You can replicate it by using curl on the command line. Browsers often have the chain cached and don't see the problem.
Content preview: On Mon, Jun 12, 2017 at 12:03:46PM +0200, Ewoud Kohl van Wijngaarden wrote: >On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote: >> Quack, >> >> So the Digicert system does not warn you about all certs but only if you >> were configured to be in some access list at creation or renewal time. I >> was not in RH when www.ovirt.org cert was issued, so… >> >> Fortunately I was kindly warned by another guy having access to the >> system. I requested a renewal yesterday but today it is not yet done. So >> let's hope it is done when I wake up or during the day. > > The chain is incomplete causing some requests to fail, see > https://www.ssllabs.com/ssltest/analyze.html?d=www.ovirt.org&latest > > You can replicate it by using curl on the command line. Browsers often > have the chain cached and don't see the problem. [...] Content analysis details: (-1.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-SA-Exim-Connect-IP: 2a02:1398:804::199 X-SA-Exim-Mail-From: ewoud+ovirt@kohlvanwijngaarden.nl X-SA-Exim-Scanned: No (on mail.xentower.nl); SAEximRunCond expanded to false X-BeenThere: infra@ovirt.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "List for ovirt.org infrastructure team" <infra.ovirt.org> List-Unsubscribe: <http://lists.ovirt.org/mailman/options/infra>, <mailto:infra-request@ovirt.org?subject=unsubscribe> List-Archive: <http://lists.ovirt.org/pipermail/infra/> List-Post: <mailto:infra@ovirt.org> List-Help: <mailto:infra-request@ovirt.org?subject=help> List-Subscribe: <http://lists.ovirt.org/mailman/listinfo/infra>, <mailto:infra-request@ovirt.org?subject=subscribe> X-List-Received-Date: Sun, 18 Jun 2017 08:26:30 -0000 On Mon, Jun 12, 2017 at 12:03:46PM +0200, Ewoud Kohl van Wijngaarden wrote:
On Wed, Jun 07, 2017 at 02:55:06AM +0900, Marc Dequènes (Duck) wrote:
Quack,
So the Digicert system does not warn you about all certs but only if you were configured to be in some access list at creation or renewal time. I was not in RH when www.ovirt.org cert was issued, so…
Fortunately I was kindly warned by another guy having access to the system. I requested a renewal yesterday but today it is not yet done. So let's hope it is done when I wake up or during the day.
The chain is incomplete causing some requests to fail, see https://www.ssllabs.com/ssltest/analyze.html?d=www.ovirt.org&latest
You can replicate it by using curl on the command line. Browsers often have the chain cached and don't see the problem.
This is still an issue.
participants (2)
-
Ewoud Kohl van Wijngaarden -
Marc Dequènes (Duck)