Can anyone get through to the USNO website?

Moonchild
Pale Moon guru
Posts: 29306
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-17, 00:15

I looked at the certificate package pointed to and it simply doesn't seem to apply to the USNO since they are using a different root. (They are using DoD Root CA 3, and the linked site uses DoD Root CA 2).

What you can do is use the DoD Root cert they want to use (attached here, unzip it somewhere) and import it into Pale Moon:
  1. Go to Preferences -> Advanced -> tab Certificates
  2. Click the button "View certificates"
  3. In the Certificate Manager that opens, select the tab "Authorities"
  4. Click "Import..."
  5. Select "DoDRootCA3.crt"
  6. In the window that opens, select to trust it to identify websites (leave the rest unchecked):
    (screenshot: dodrootca3-import.gif)
  7. OK out of it and close the manager
You should now be able to visit the USNO website and other U.S. DoD websites over https.
Attachments
DoDRootCA3.zip
(1.06 KiB) Downloaded 11 times
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-17, 01:44

Thanks MC. You went above and beyond the call of duty on this one. :thumbup:

Moonchild
Pale Moon guru
Posts: 29306
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-17, 02:06

helloimustbegoing wrote:
Thanks MC. You went above and beyond the call of duty on this one. :thumbup:
Do I get a medal now? :angel:

Dustie_Rose
Apollo supporter
Posts: 42
Joined: 2016-11-14, 15:34
Location: Texas U.S.

Re: Can anyone get through to the USNO website?

Post by Dustie_Rose » 2019-01-25, 06:00

https://www.zdnet.com/article/governmen ... -are-down/

I don't know if it is too late for this, in case you all heard of the Government shutdown (US) causing this issue. One of several posts I read about it this month.

Moonchild
Pale Moon guru
Posts: 29306
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-01-25, 09:05

Although the Gov't Shutdown fallout for their websites is somewhat related in that government-provided websites won't be reachable, this is actually a completely unrelated thing to what's going on in this thread. We're not talking about expired certificates, but rather untrusted certificates because the issuer is untrusted.
Also, the DoD isn't shut down ;) That machine runs 24/7/365 no matter what happens in Washington.
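
Added example, not part of any post in this thread: the difference between an untrusted issuer and an expired certificate, and the effect of adding a root to the trust list, reproduced offline with `openssl`. The root and server certificate are constructed for the demo (the names `Demo Private Root CA` and `www.example.test` are made up), and the function names are this example's own.

```sh
#!/bin/sh
# Constructed demo PKI: a private root (stand-in for a root the browser does
# not ship) and a server certificate issued by it. All names are made up.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Demo Private Root CA" \
  -keyout "$work/root.key" -out "$work/root.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -days 1 -CAcreateserial \
  -CA "$work/root.crt" -CAkey "$work/root.key" \
  -out "$work/leaf.crt" 2>/dev/null

# SHA-256 fingerprint of a root file, for comparison with a value obtained
# through a separate channel before the root is marked as trusted.
root_fingerprint() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
  printf '%s\n' "${fp#*=}"
}

# verify_reason LEAF [TRUSTED_ROOTS] [EPOCH]
# Validates LEAF against only the given roots (none if omitted), optionally
# at a given time, and names the failure class. No system store is used.
verify_reason() {
  vr_leaf=$1; vr_roots=${2:-}; vr_at=${3:-}
  set -- -no-CApath
  if [ -n "$vr_roots" ]; then set -- "$@" -CAfile "$vr_roots"; else set -- "$@" -no-CAfile; fi
  if [ -n "$vr_at" ]; then set -- "$@" -attime "$vr_at"; fi
  vr_out=$(openssl verify "$@" "$vr_leaf" 2>&1) || true
  case $vr_out in
    *"unable to get local issuer certificate"*) echo untrusted-issuer ;;
    *"certificate has expired"*)                echo expired ;;
    *": OK"*)                                   echo trusted ;;
    *)                                          echo other ;;
  esac
}

later=$(( $(date +%s) + 30*24*3600 ))  # 30 days on: leaf expired, root still valid
echo "root SHA-256:     $(root_fingerprint "$work/root.crt")"
echo "root not trusted: $(verify_reason "$work/leaf.crt")"
echo "root trusted:     $(verify_reason "$work/leaf.crt" "$work/root.crt")"
echo "30 days later:    $(verify_reason "$work/leaf.crt" "$work/root.crt" "$later")"
```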

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-31, 22:51

I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.

https://www.usno.navy.mil/USNO

Isengrim
Board Warrior
Posts: 1323
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Can anyone get through to the USNO website?

Post by Isengrim » 2019-01-31, 22:59

I have to confirm an exception for their certificate before I can connect properly. Is this the confirmation that you are looking for?
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

ron_1
Moon Magic practitioner
Posts: 2407
Joined: 2012-06-28, 01:20

Re: Can anyone get through to the USNO website?

Post by ron_1 » 2019-01-31, 23:22

Isengrim wrote:
I have to confirm an exception for their certificate before I can connect properly.
It doesn't sound like they fixed it then (notwithstanding the email).

Moonchild
Pale Moon guru
Posts: 29306
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Can anyone get through to the USNO website?

Post by Moonchild » 2019-02-01, 00:29

helloimustbegoing wrote:
I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.

https://www.usno.navy.mil/USNO
I tested it with Qualys SSL Labs and the trust issue is still there - and I don't see any differences in their cert chain either; it doesn't look like the cert installation was done correctly (or maybe they forgot to reload/restart the web server?)

hitokage
Moon lover
Posts: 95
Joined: 2014-05-03, 02:19
Location: Frederick, MD

Re: Can anyone get through to the USNO website?

Post by hitokage » 2019-02-04, 06:49

Moonchild wrote:
Then they need to go through the proper channels and get themselves audited as a CA. It's not something that "just happens" or "is just accepted because of reputation or status".
The CA/B forum is a good start for that if they want to go that route. I think though that they might not want to do this as a CA audit requires them to disclose a lot of their internal operations which the DoD is likely not willing to do (since they are going to issue certs for their organization only and not be a public CA). That's why I suggested cross-signing to them: get an accepted issuer/trusted root to sign their intermediate cert and vouch for them as a CA on the public Internet.
The webmasters can't actually do very much. The IT personnel can't actually do too much either. The problem is finding the senior DoD officials (probably the Secretary of Defense's office) that have the power to approve this, and getting them to understand why it needs to be done. It is possible that there have been attempts to resolve this, but for whatever reason they were unable. It is also possible that it is actually being worked on.
