[outages] Akamai Cert Issues today
Sajal Kayan
sajal83 at gmail.com
Wed Sep 30 18:19:07 EDT 2015
https://news.ycombinator.com/item?id=6872318
www.irs.gov was never on https . The error is bad user experience, but its
common for all CDNs who listen on 443 regardless if customer has ssl
activated or not.
-Sajal
On Thu, Oct 1, 2015 at 5:14 AM Sajal Kayan <sajal83 at gmail.com> wrote:
> Question: was www.irs.gov ever on https ?
>
> On Thu, Oct 1, 2015 at 5:05 AM Sajal Kayan <sajal83 at gmail.com> wrote:
>
>> Agree with Chris Swingler
>>
>> https://cincinnati.com/ Gives NET::ERR_CERT_COMMON_NAME_INVALID . That
>> does not appear to be chain issues. Its because cincinnati.com is not in
>> the common name or in the SAN.
>>
>> The certificate provided is valid only for
>>
>> CN : a248.e.akamai.net
>> SAN:-
>> DNS Name: a248.e.akamai.net
>> DNS Name: *.akamaihd.net
>> DNS Name: *.akamaihd-staging.net
>> DNS Name: *.akamaized.net
>> DNS Name: *.akamaized-staging.net
>>
>> Looks like someone messed up DNS config, or forgot to add some SANs.
>>
>> https://pulse.turbobytes.com/results/560c5bb9ecbe400bf8001bc6/
>>
>> -Sajal
>>
>> On Thu, Oct 1, 2015 at 5:00 AM Jim Witherell <jawitherell at yahoo.com>
>> wrote:
>>
>>> Another item: go to sslshopper.com and click "ssl checker" and type in
>>> www.Cincinnati.com or www. and see that the chain is broken.
>>>
>>> Sent from Yahoo Mail on Android
>>> <https://overview.mail.yahoo.com/mobile/?.src=Android>
>>> ------------------------------
>>> *From*:"Jeff Walter" <jwalter at weebly.com>
>>> *Date*:Wed, Sep 30, 2015 at 5:55 PM
>>>
>>> *Subject*:Re: [outages] Akamai Cert Issues today
>>>
>>> It's not a problem with the CN or the SANs on the certificate. The issue
>>> is a broken trust path. My guess would be they're using a new root CA that
>>> doesn't have good coverage yet.
>>>
>>> On Wed, Sep 30, 2015 at 2:52 PM, Sajal Kayan via Outages <
>>> outages at outages.org> wrote:
>>>
>>>> Certificate validates for me (on chrome)
>>>> And also https://pulse.turbobytes.com/results/560c589decbe400bf8001bbf/ .
>>>> Tested from multiple points. The tool does TLS validations.
>>>> Unrelated: That endpoint seems to be blackholed from china...
>>>>
>>>> What common name do you see in the cert given to you? I see "
>>>> a248.e.akamai.net" which is valid.
>>>>
>>>> -Sajal
>>>>
>>>> On Thu, Oct 1, 2015 at 4:16 AM Jim Witherell via Outages <
>>>> outages at outages.org> wrote:
>>>>
>>>>> e noticed SSL warnings based around Akamai's "*a248.e.akamai.net
>>>>> <http://a248.e.akamai.net>*" certificate today.
>>>>> NET::ERR_CERT_COMMON_NAME_INVALID is the most common error we're seeing.
>>>>> Can anyone comment on what may be going on? Looks like the cert was renewed
>>>>> or issued on 8/27/2015. Wonder why we are noticing the errors from
>>>>> multiple points on the internet now?
>>>>>
>>>>> Jim Witherell
>>>>>
>>>>> Cincinnati OH
>>>>> _______________________________________________
>>>>> Outages mailing list
>>>>> Outages at outages.org
>>>>> https://puck.nether.net/mailman/listinfo/outages
>>>>>
>>>>>
>>>> _______________________________________________
>>>> Outages mailing list
>>>> Outages at outages.org
>>>> https://puck.nether.net/mailman/listinfo/outages
>>>>
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/outages/attachments/20150930/e059152e/attachment.htm>
More information about the Outages
mailing list