
Re: Can anyone get through to the USNO website?

Posted: 2019-01-17, 00:15
by Moonchild
I looked at the certificate package pointed to and it simply doesn't seem to apply to the USNO since they are using a different root. (They are using DoD Root CA 3, and the linked site uses DoD Root CA 2).

What you can do is use the DoD Root cert they want to use (attached here, unzip it somewhere) and import it into Pale Moon:
  1. Go to Preferences -> Advanced -> tab Certificates
  2. Click the button "View certificates"
  3. In the Certificate Manager that opens, select the tab "Authorities"
  4. Click "Import..."
  5. Select "DoDRootCA3.crt"
  6. In the window that opens, select to trust it to identify websites (leave the rest unchecked):
    dodrootca3-import.gif
  7. OK out of it and close the manager
You should now be able to visit the USNO website and other U.S. DoD websites over https.
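
A check that can be run on the downloaded DoDRootCA3.crt before the import step, as an added example that is not part of the original post: it computes the file's SHA-256 fingerprint whether the file is PEM or DER and compares it with a fingerprint obtained from the issuer through a separate channel. The function names and the sample bytes are constructed for illustration; no real DoD fingerprint is included.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def cert_der(raw: bytes) -> bytes:
    """Return DER bytes whether the .crt file is PEM (text) or DER (binary)."""
    stripped = raw.strip()
    if stripped.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return raw  # already DER; do not strip binary data

def sha256_fingerprint(raw: bytes) -> str:
    """Fingerprint in the colon-separated upper-case form certificate viewers show."""
    digest = hashlib.sha256(cert_der(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so differently formatted fingerprints compare equal."""
    return "".join(c for c in fp if c not in ": \t\n").lower()

def matches_published(raw: bytes, published: str) -> bool:
    """True only if the file hashes to the full 64-hex-digit published value."""
    actual = normalize(sha256_fingerprint(raw)).encode()
    expected = normalize(published).encode()
    return len(expected) == 64 and hmac.compare_digest(actual, expected)

# Constructed sample input: NOT a real certificate, just bytes to hash.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-not-a-real-certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    # Stand-in for the value the issuer publishes out of band (assumption).
    published = sha256_fingerprint(SAMPLE_DER)
    for label, blob in (("PEM", SAMPLE_PEM), ("DER", SAMPLE_DER),
                        ("altered", SAMPLE_DER + b"\x00")):
        verdict = "import" if matches_published(blob, published) else "do not import"
        print(f"{label:8s} {sha256_fingerprint(blob)[:23]}...  {verdict}")
```

For the real file, read it with `open("DoDRootCA3.crt", "rb").read()` and pass the published fingerprint as the second argument to `matches_published`.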

Re: Can anyone get through to the USNO website?

Posted: 2019-01-17, 01:44
by ron_1
Thanks MC. You went above and beyond the call of duty on this one. :thumbup:

Re: Can anyone get through to the USNO website?

Posted: 2019-01-17, 02:06
by Moonchild
helloimustbegoing wrote: Thanks MC. You went above and beyond the call of duty on this one. :thumbup:
Do I get a medal now? :angel:

Re: Can anyone get through to the USNO website?

Posted: 2019-01-25, 06:00
by Dustie_Rose
https://www.zdnet.com/article/governmen ... -are-down/

I don't know if it is too late for this, in case you all heard of the Government shutdown (US) causing this issue. One of several posts I read about it this month.

Re: Can anyone get through to the USNO website?

Posted: 2019-01-25, 09:05
by Moonchild
Although the Gov't Shutdown fallout for their websites is somewhat related in that government-provided websites won't be reachable, this is actually a completely unrelated thing to what's going on in this thread. We're not talking about expired certificates, but rather untrusted certificates because the issuer is untrusted.
Also, the DoD isn't shut down ;) That machine runs 24/7/365 no matter what happens in Washington.

Re: Can anyone get through to the USNO website?

Posted: 2019-01-31, 22:51
by ron_1
I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.

https://www.usno.navy.mil/USNO

Re: Can anyone get through to the USNO website?

Posted: 2019-01-31, 22:59
by Isengrim
I have to confirm an exception for their certificate before I can connect properly. Is this the confirmation that you are looking for?

Re: Can anyone get through to the USNO website?

Posted: 2019-01-31, 23:22
by ron_1
Isengrim wrote:
I have to confirm an exception for their certificate before I can connect properly.
It doesn't sound like they fixed it then (notwithstanding the email).

Re: Can anyone get through to the USNO website?

Posted: 2019-02-01, 00:29
by Moonchild
helloimustbegoing wrote: I received an email today from someone at the site:
We have installed commercially recognized certificates. Please let us know if you continue to have problems with our site.
Thank you,
jlb
I already installed the cert MC supplied, so I can't test it. Out of curiosity, can someone here who didn't install the cert test the site now and see if it works? Thanks.

https://www.usno.navy.mil/USNO
I tested it with Qualys SSL Labs and the trust issue is still there - and I don't see any differences in their cert chain either; it doesn't look like the cert installation was done correctly (or maybe they forgot to reload/restart the web server?)

Re: Can anyone get through to the USNO website?

Posted: 2019-02-04, 06:49
by hitokage
Moonchild wrote:Then they need to go through the proper channels and get themselves audited as a CA. It's not something that "just happens" or "is just accepted because of reputation or status".
The CA/B forum is a good start for that if they want to go that route. I think though that they might not want to do this as a CA audit requires them to disclose a lot of their internal operations which the DoD is likely not willing to do (since they are going to issue certs for their organization only and not be a public CA). That's why I suggested cross-signing to them: get an accepted issuer/trusted root to sign their intermediate cert and vouch for them as a CA on the public Internet.
The webmasters can't actually do very much. The IT personnel can't actually do too much either. The problem is finding the senior DoD officials (probably the Secretary of Defense's office) that have the power to approve this, and getting them to understand why it needs to be done. It is possible that there have been attempts to resolve this, but for whatever reason they were unable. It is also possible that it is actually being worked on.