General discussion and chat (archived)
-
Moonchild
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
by Moonchild » 2019-01-17, 00:15
I looked at the certificate package pointed to and it simply doesn't seem to apply to the USNO since they are using a different root. (They are using DoD Root CA 3, and the linked site uses DoD Root CA 2).
What you can do is use the DoD Root cert they want to use (attached here, unzip it somewhere) and import it into Pale Moon:
- Go to Preferences -> Advanced -> tab Certificates
- Click the button "View certificates"
- In the Certificate Manager that opens, select the tab "Authorities"
- Click "Import..."
- Select "DoDRootCA3.crt"
- In the window that opens, select to trust it to identify websites (leave the rest unchecked):
dodrootca3-import.gif
- OK out of it and close the manager
You should now be able to visit the USNO website and other U.S. DoD websites over https.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
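Added example, not part of the original thread and not Pale Moon or DoD code: a check to run on a root file such as the "DoDRootCA3.crt" mentioned above before trusting it, confirming that it is a self-signed root and that its SHA-256 fingerprint matches a value obtained from a source independent of the download. The function names are hypothetical and the certificate is a throwaway one generated as constructed sample input; no real DoD fingerprint appears here.

```shell
#!/usr/bin/env bash
# Added example: vet a root CA file before importing it into a browser.
# Assumes a PEM file; for a DER-encoded .crt add "-inform DER" to the x509 calls.

# Print the SHA-256 fingerprint as uppercase hex without colons.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':'
}

# Succeed only if subject == issuer and the signature verifies with its own key,
# i.e. the file really is a self-signed root and not a leaf or intermediate.
is_self_signed_root() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_import FILE EXPECTED_FP: EXPECTED_FP comes from a source you trust
# independently of the download (colons and lower case are accepted).
check_import() {
    local want got
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(fingerprint_of "$1")
    [ -n "$got" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    is_self_signed_root "$1" || { echo "not a self-signed root: $1" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch: $got" >&2; return 1; }
    echo "ok to import: $1"
}

# Constructed sample input: a throwaway self-signed certificate (not a DoD cert).
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example Root" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo on the constructed certificate.
tmp=$(mktemp -d)
make_sample_root "$tmp/root.pem"
check_import "$tmp/root.pem" "$(fingerprint_of "$tmp/root.pem")"
check_import "$tmp/root.pem" "00:11:22" || echo "rejected as expected"
```
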
ron_1
- Moon Magic practitioner
- Posts: 2860
- Joined: 2012-06-28, 01:20
by ron_1 » 2019-01-17, 01:44
Thanks MC. You went above and beyond the call of duty on this one.
-
Moonchild
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
by Moonchild » 2019-01-17, 02:06
helloimustbegoing wrote:Thanks MC. You went above and beyond the call of duty on this one.
Do I get a medal now?
-
Dustie_Rose
- Apollo supporter
- Posts: 44
- Joined: 2016-11-14, 15:34
- Location: Texas U.S.
by Dustie_Rose » 2019-01-25, 06:00
https://www.zdnet.com/article/governmen ... -are-down/
I don't know if it is too late for this, in case you all heard of the Government shutdown (US) causing this issue. One of several posts I read about it this month.
-
Moonchild
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
by Moonchild » 2019-01-25, 09:05
Although the Gov't Shutdown fallout for their websites is somewhat related in that government-provided websites won't be reachable, this is actually a completely unrelated thing to what's going on in this thread. We're not talking about expired certificates, but rather untrusted certificates because the issuer is untrusted.
Also, the DoD isn't shut down.
That machine runs 24/7/365 no matter what happens in Washington.
-
ron_1
- Moon Magic practitioner
- Posts: 2860
- Joined: 2012-06-28, 01:20
by ron_1 » 2019-01-31, 22:51
I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.
https://www.usno.navy.mil/USNO
-
Isengrim
- Board Warrior
- Posts: 1325
- Joined: 2015-09-08, 22:54
- Location: 127.0.0.1
by Isengrim » 2019-01-31, 22:59
I have to confirm an exception for their certificate before I can connect properly. Is this the confirmation that you are looking for?
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story
-
ron_1
- Moon Magic practitioner
- Posts: 2860
- Joined: 2012-06-28, 01:20
by ron_1 » 2019-01-31, 23:22
Isengrim wrote:
I have to confirm an exception for their certificate before I can connect properly.
It doesn't sound like they fixed it then (notwithstanding the email).
-
Moonchild
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
by Moonchild » 2019-02-01, 00:29
helloimustbegoing wrote:I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.
https://www.usno.navy.mil/USNO
I tested it with Qualys SSL Labs and the trust issue is still there - and I don't see any differences in their cert chain either; it doesn't look like the cert installation was done correctly (or maybe they forgot to reload/restart the web server?)
-
hitokage
- Fanatic
- Posts: 101
- Joined: 2014-05-03, 02:19
- Location: Frederick, MD
by hitokage » 2019-02-04, 06:49
Moonchild wrote:Then they need to go through the proper channels and get themselves audited as a CA. It's not something that "just happens" or "is just accepted because of reputation or status".
The CA/B forum is a good start for that if they want to go that route. I think though that they might not want to do this as a CA audit requires them to disclose a lot of their internal operations which the DoD is likely not willing to do (since they are going to issue certs for their organization only and not be a public CA). That's why I suggested cross-signing to them: get an accepted issuer/trusted root to sign their intermediate cert and vouch for them as a CA on the public Internet.
The webmasters can't actually do very much. The IT personnel can't actually do too much either. The problem is finding the senior DoD officials (probably the Secretary of Defense's office) that have the power to approve this, and getting them to understand why it needs to be done. It is possible that there have been attempts to resolve this, but for whatever reason they were unable. It is also possible that it is actually being worked on.