[asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!

Dan Jenkins dan.jenkins88 at gmail.com
Sun Aug 5 13:39:09 CDT 2018


Ha! Already informed them on Friday via other means. I'm told there is now
an IT ticket open.

On Sun, 5 Aug 2018, 11:18 Alexander Traud, <pabstraud at compuserve.com> wrote:

> All asterisk.org (sub-) domains are secured by an SSL/TLS certificate from
> RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That
> trust anchor belonged to Symantec. Since Chrome 70, Google removes all
> trust in former Symantec trust anchors. When you re-issue your certificate,
> the new owner DigiCert is going to give you a certificate chain to a new
> and still trusted anchor, for free: <
> http://products.geotrust.com/orders/orderinformation/authentication.do>
>
> Reasoning:
>
> Google Chrome 70 entered the Developer channel (aka "unstable") <
> http://www.chromium.org/getting-involved/dev-channel> on Friday <
> http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html>
> and therefore is available to Linux users now. Because Asterisk is very
> much developer centric, I expect that several Asterisk users and developers
> are using Google Chrome in that channel. Therefore and because the re-issue
> is free and because you could have gone for it since December already,
> please, re-issue as soon as possible.
>
> Technical Notes:
>
> Enter CSR: If you enter the CSR used by our original order, you do not
> have to change the private key on your server. Only the public certificates
> must be changed.
>
> Hashing Algorithm = SHA-1 root: Your chain is going to resolve to
> "DigiCert Global Root CA". Therefore, I recommend adding the intermediate
> certificate to "Baltimore CyberTrust Root" <
> http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>.
> This gives broader compatibility, even with legacy SSL/TLS clients, at no
> additional cost.
>
> Hashing Algorithm = SHA-256 root: Your chain is going to resolve to
> "DigiCert Global Root G2". Therefore, consider adding the intermediate to
> "VeriSign Class 3 Public Primary Certification Authority - G5" <
> http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395>
> and "VeriSign Class 3 Public Primary Certification Authority - G3" <
> https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary
> Certification Authority" (G1) <
> http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>.
> Although those three anchors are not trusted either, up-to-date SSL/TLS
> clients stop at the first trusted anchor in the chain and do not see those
> older ones. This gives the broadest compatibility with legacy platforms.
> However <https://bugzilla.mozilla.org/show_bug.cgi?id=1401384#c10>:
> "[DigiCert is] strongly advising subscribers not to use [this particular]
> cross-sign and, if used, remove [this] cross-sign prior to September 2018
> as [DigiCert is] not sure how the distrust will impact [this] cross-sign."
> Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my
> installations.
>
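As an added illustration of the chain check Alexander describes (this is not code from the Asterisk project or from either poster), the Python below lists subject and issuer for every certificate in a served PEM bundle and models the path-building rule he relies on: a client walks up from the leaf and stops at the first issuer it trusts, so a cross-sign placed after that point is never examined. It uses only the standard library; the DER walker reads just the fields it needs and is not a general X.509 parser. The certificates it builds for itself are constructed, unsigned shells that carry names only, the helper names are hypothetical, and the two trust-store contents are illustrative rather than copied from any real root program.

```python
"""Added example: which anchor does a served chain resolve to, per client?
Standard library only.  The certificates built below are constructed,
unsigned stand-ins (names only); the trust stores are illustrative."""
import base64
import re

# Former Symantec anchors named in the post as losing trust in Chrome 70.
LEGACY_SYMANTEC_ANCHORS = {
    "GeoTrust Global CA",
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "VeriSign Class 3 Public Primary Certification Authority - G3",
    "VeriSign Class 3 Public Primary Certification Authority",
}
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out


def _common_name(name_der):
    """commonName from a DER Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == OID_CN:
                return val.decode("utf-8", "replace")
    return ""


def cert_names(der):
    """(subject CN, issuer CN) of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])  # tbsCertificate members
    if fields[0][0] == 0xA0:                   # optional EXPLICIT [0] version
        fields = fields[1:]
    # order is now: serial, signature, issuer, validity, subject, spki, ...
    return _common_name(fields[4][1]), _common_name(fields[2][1])


def parse_pem_bundle(pem):
    """Leaf-first list of (subject, issuer) for each CERTIFICATE block."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem, re.S)
    return [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]


def verify_chain(chain, trusted):
    """Model path building: walk from the leaf, stop at the first issuer the
    client trusts -> (trusted, anchor).  Certificates past that point are
    never looked at, so a later cross-sign cannot hurt an up-to-date client."""
    for _subject, issuer in chain:
        if issuer in trusted:
            return True, issuer
    return False, chain[-1][1]


# ---- constructed test data: unsigned shells carrying names only -------------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_cert(subject_cn, issuer_cn):
    """Minimal certificate shell with only the fields cert_names() reads."""
    def name(cn):
        atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
        return _der(0x30, _der(0x31, atv))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"180101000000Z") + _der(0x17, b"190101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


# Before re-issue: the chain ends at the distrusted "GeoTrust Global CA".
OLD_CHAIN = (make_cert("www.example.test", "Example Intermediate A")
             + make_cert("Example Intermediate A", "GeoTrust Global CA"))
# "SHA-1 root" re-issue: DigiCert Global Root CA plus its Baltimore cross-sign.
NEW_CHAIN = (make_cert("www.example.test", "Example Intermediate B")
             + make_cert("Example Intermediate B", "DigiCert Global Root CA")
             + make_cert("DigiCert Global Root CA", "Baltimore CyberTrust Root"))
MODERN_STORE = {"DigiCert Global Root CA", "Baltimore CyberTrust Root"}  # Chrome 70 era
LEGACY_STORE = {"Baltimore CyberTrust Root", "GeoTrust Global CA"}       # older client
```

Against a live server, feed the output of `openssl s_client -showcerts -connect host:443 </dev/null` to `parse_pem_bundle()` and call `verify_chain()` with the root names your clients actually trust. The old chain resolves to "GeoTrust Global CA" and is untrusted by the modern store; the re-issued chain stops at "DigiCert Global Root CA" for the modern store and only reaches the Baltimore cross-sign for the legacy one. Matching on commonName alone is a deliberate simplification: real path building uses key identifiers and signature checks, so treat this as a quick triage of what a server sends, not as a validator.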