[outages] Akamai Cert Issues today

Sajal Kayan sajal83 at gmail.com
Wed Sep 30 18:05:17 EDT 2015


Agree with Chris Swingler

https://cincinnati.com/ Gives NET::ERR_CERT_COMMON_NAME_INVALID . That does
not appear to be chain issues. Its because cincinnati.com is not in the
common name or in the SAN.

The certificate provided is valid only for

CN : a248.e.akamai.net
SAN:-
DNS Name: a248.e.akamai.net
DNS Name: *.akamaihd.net
DNS Name: *.akamaihd-staging.net
DNS Name: *.akamaized.net
DNS Name: *.akamaized-staging.net

Looks like someone messed up DNS config, or forgot to add some SANs.

https://pulse.turbobytes.com/results/560c5bb9ecbe400bf8001bc6/

-Sajal

On Thu, Oct 1, 2015 at 5:00 AM Jim Witherell <jawitherell at yahoo.com> wrote:

> Another item: go to sslshopper.com and click "ssl checker" and type in
> www.Cincinnati.com or www. and see that the chain is broken.
>
> Sent from Yahoo Mail on Android
> <https://overview.mail.yahoo.com/mobile/?.src=Android>
> ------------------------------
> *From*:"Jeff Walter" <jwalter at weebly.com>
> *Date*:Wed, Sep 30, 2015 at 5:55 PM
>
> *Subject*:Re: [outages] Akamai Cert Issues today
>
> It's not a problem with the CN or the SANs on the certificate. The issue
> is a broken trust path. My guess would be they're using a new root CA that
> doesn't have good coverage yet.
>
> On Wed, Sep 30, 2015 at 2:52 PM, Sajal Kayan via Outages <
> outages at outages.org> wrote:
>
>> Certificate validates for me (on chrome)
>> And also https://pulse.turbobytes.com/results/560c589decbe400bf8001bbf/ .
>> Tested from multiple points. The tool does TLS validations.
>> Unrelated: That endpoint seems to be blackholed from china...
>>
>> What common name do you see in the cert given to you? I see "
>> a248.e.akamai.net" which is valid.
>>
>> -Sajal
>>
>> On Thu, Oct 1, 2015 at 4:16 AM Jim Witherell via Outages <
>> outages at outages.org> wrote:
>>
>>> e noticed SSL warnings based around Akamai's "*a248.e.akamai.net
>>> <http://a248.e.akamai.net>*" certificate today.
>>> NET::ERR_CERT_COMMON_NAME_INVALID is the most common error we're seeing.
>>> Can anyone comment on what may be going on? Looks like the cert was renewed
>>> or issued on 8/27/2015. Wonder why we are noticing the errors from
>>> multiple points on the internet now?
>>>
>>> Jim Witherell
>>>
>>> Cincinnati OH
>>> _______________________________________________
>>> Outages mailing list
>>> Outages at outages.org
>>> https://puck.nether.net/mailman/listinfo/outages
>>>
>>>
>> _______________________________________________
>> Outages mailing list
>> Outages at outages.org
>> https://puck.nether.net/mailman/listinfo/outages
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20150930/11d525c9/attachment.htm>


More information about the Outages mailing list