[outages] juniper.net 404

Jeremy Chadwick jdc at koitsu.org
Sat Jan 4 15:04:21 EST 2014


Testing in a browser (Firefox) for https://juniper.net/ results in this:

juniper.net uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

http://superuser.com/questions/452063/the-certificate-is-not-trusted-because-no-issuer-chain-was-provided

Usually this indicates that someone rolled out an SSL certificate without
either a) including the full CA chain (how to do this varies per
webserver), or b) including the full CA chain within the
certificate itself.  It often has to do with a missing root CA.

However, in the below output, I see mention of "Juniper Networks Root
CA", which implies Juniper is self-signing their certs rather than
getting them signed by an actual CA?  If so, that's pretty disgraceful.
Not that I have a problem with self-signed certs, but it's extremely
rude in this particular case, given Juniper's role.

Any errors below that say "unable to get local issuer certificate" are
issues on my side, not Juniper's.


$ echo | openssl s_client -showcerts -connect juniper.net:443 -servername juniper.net
CONNECTED(00000004)
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
   i:/emailAddress=ca-admin at juniper.net/C=US/ST=California/L=Sunnyvale/O=Juniper Networks, Inc./OU=Juniper Certificate Authority/CN=Juniper Networks Root CA
---
Server certificate
subject=/C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
issuer=/emailAddress=ca-admin at juniper.net/C=US/ST=California/L=Sunnyvale/O=Juniper Networks, Inc./OU=Juniper Certificate Authority/CN=Juniper Networks Root CA
---
No client certificate CA names sent
---
SSL handshake has read 1796 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 47F350E104F506A8E205A90913D792131A7C755FF5C9E0082D87A6CF72983DAA
    Session-ID-ctx:
    Master-Key: AA29B55910F21512DE89949C17BFB7AE1C6B57A6A2A5D0398460B3503A5B4C9EEB0B69A02A0691EB16AF234D72DC6915
    Key-Arg   : None
    Start Time: 1388865376
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


$ openssl s_client -connect juniper.net:443 -servername juniper.net | openssl x509 -text
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec at juniper.net
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:b3:68:2c:00:03:00:00:62:b8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: emailAddress=ca-admin at juniper.net, C=US, ST=California, L=Sunnyvale, O=Juniper Networks, Inc., OU=Juniper Certificate Authority, CN=Juniper Networks Root CA
        Validity
            Not Before: Nov 17 18:38:54 2013 GMT
            Not After : Dec 15 23:01:18 2014 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=JuniperNetworks,Inc.,, OU=IT, CN=juniper.net/emailAddress=infosec at juniper.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                35:9A:DC:9C:87:CE:0C:07:10:07:8D:83:65:2B:F1:19:57:46:D3:A5
            X509v3 Authority Key Identifier:
                keyid:E0:BD:2E:77:13:9A:2E:5B:51:98:FA:90:50:5D:D8:14:D1:52:2C:59

            X509v3 CRL Distribution Points:
                URI:ldap:///CN=Juniper%20Networks%20Root%20CA(3),CN=ca-jnpr,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
                URI:http://pki-jnpr.jnpr.net/CertEnroll/Juniper%20Networks%20Root%20CA(3).crl

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=Juniper%20Networks%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=jnpr,DC=net?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://pki-jnpr.jnpr.net/CertEnroll/ca-jnpr.jnpr.net_Juniper%20Networks%20Root%20CA(3).crt

            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
read:errno=0

-- 
| Jeremy Chadwick                                   jdc at koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |

On Sat, Jan 04, 2014 at 02:41:22PM -0500, Chuck Anderson wrote:
> For me it fails on both a WiFi hotspot and VZW 4G from the phone, but
> it works from both lynx and elinks on a remote server via ConnectBot
> SSH.  I'm not at a desktop to try a regular desktop browser, but it
> does also fail with "request desktop site" on Chrome.
> 
> These all fail:
> 
> http://www.juniper.net
> https://www.juniper.net
> http://juniper.net
> https://juniper.net
> 
> The SSL ones return a "this cert is not signed by a trusted CA"
> 
> This works:
> 
> http://www.juniper.net/us/en
> 
> which redirects to the mobile site on m.juniper.net.
> 
> On Sat, Jan 04, 2014 at 11:32:32AM -0800, Scott Howard wrote:
> > Working fine on Comcast in the SF Bay Area.
> > 
> > Strangely, juniper.net redirects to https://www.juniper.net  (note the
> > https), however www.juniper.net does NOT redirect to https...
> > 
> >   Scott
> > 
> > 
> > 
> > On Sat, Jan 4, 2014 at 11:23 AM, Chuck Anderson <cra at wpi.edu> wrote:
> > 
> > > Using both Chrome and Firefox on my Android phone, I'm getting 404 for
> > > all of http://juniper.net.  Is anyone else seeing this?
> 
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
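
Added example, not part of the original message: a small Python parser for the `openssl s_client` output layout shown in the post. It reports how many certificates the server sent, whether each issuer matches the next subject, and which issuer the client must already hold in its local trust store. The function names and the abridged sample (DNs shortened) are assumptions made for this illustration.

```python
import re

VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.+)$")
CHAIN_SUBJ = re.compile(r"^\s*(\d+) s:(.+)$")
CHAIN_ISS = re.compile(r"^\s+i:(.+)$")
RETURN_CODE = re.compile(r"^\s*Verify return code: (\d+) \(")

# Abridged from the s_client output in the message above (DNs shortened).
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net
   i:/O=Juniper Networks, Inc./CN=Juniper Networks Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Return verify errors, the chain as sent by the server, and the final code."""
    errors, chain, code, in_chain = [], [], None, False
    for line in text.splitlines():
        if m := VERIFY_ERR.match(line):
            errors.append((int(m.group(1)), m.group(2).strip()))
        elif line.strip() == "Certificate chain":
            in_chain = True
        elif line.strip() == "---":  # section separator; PEM markers do not match
            in_chain = False
        elif in_chain and (m := CHAIN_SUBJ.match(line)):
            chain.append({"subject": m.group(2).strip(), "issuer": None})
        elif in_chain and chain and (m := CHAIN_ISS.match(line)):
            chain[-1]["issuer"] = m.group(1).strip()
        elif m := RETURN_CODE.match(line):
            code = int(m.group(1))
    return {"errors": errors, "chain": chain, "verify_code": code}

def summarize(parsed):
    """Describe what the server sent and which issuer the client must already hold."""
    chain = parsed["chain"]
    if not chain:
        return None
    linked = all(a["issuer"] == b["subject"] for a, b in zip(chain, chain[1:]))
    self_signed = chain[-1]["issuer"] == chain[-1]["subject"]
    return {"certs_sent": len(chain), "links_consistent": linked,
            "top_is_self_signed": self_signed,
            "issuer_needed_locally": None if self_signed else chain[-1]["issuer"],
            "error_codes": sorted({n for n, _ in parsed["errors"]})}
```

Calling `summarize(parse_s_client(SAMPLE))` shows a single certificate sent, with its issuer as the certificate the client has to find locally.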


