Closed Bug 1442907 Opened 5 years ago Closed 5 years ago

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED on www.eurostar.com

Categories

(Core :: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED INVALID
Tracking Status
firefox60 --- affected

People

(Reporter: marco, Unassigned)

References

Details

When connecting to https://www.eurostar.com/, I'm seeing this error.

https://www.eurostar.com/

Un vincolo regole aggiuntivo non è stato rispettato durante la validazione di questo certificato.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Catena di certificati:

-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgIQVnGOFrkpeaRQxP2+NRWs0TANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEfMB0GA1UEAxMW
R2VvVHJ1c3QgU0hBMjU2IFNTTCBDQTAeFw0xNTEwMjEwMDAwMDBaFw0xODA3MjYy
MzU5NTlaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcU
BkxvbmRvbjEnMCUGA1UEChQeRXVyb3N0YXIgSW50ZXJuYXRpb25hbCBMaW1pdGVk
MQswCQYDVQQLFAJJUzEXMBUGA1UEAxQOKi5ldXJvc3Rhci5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDvRQ+jBDCgfO+DLMPpujReVcPHa4v+VEE
CX80y5ogzpXPyPGXJ9E/bUe4PNtjlAB66EEFZPGY4hVCyusyEVbJ9f6vVs0rMvVd
2Y0Nh+2omstmqhrwWmD9pcb55/y7s3N0ww70k2baomv1B07dRa63Q/auJ12auMz2
SuvRbJqQIQPwcriw5tW2uqFGPMoPaDsEnyxpFn6eIMPhl/BTdznxGEN/fscDpF68
5V3pdMENZN1+8wflGgokFfvI0kp9+lrtwnIYHZJZbLfH/IhTry38GVnRt/fN1VI0
6QKMUSBtZ0NpatALQtnG9mRa+da4dGHce9X9Pl0hDLUWlasqvKkLAgMBAAGjggGu
MIIBqjAnBgNVHREEIDAegg4qLmV1cm9zdGFyLmNvbYIMZXVyb3N0YXIuY29tMAkG
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6
Ly9nai5zeW1jYi5jb20vZ2ouY3JsMIGdBgNVHSAEgZUwgZIwgY8GBmeBDAECAjCB
hDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl
cy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBzOi8vd3d3Lmdl
b3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUFGeO7YNP1h6dQAQMBEah
cDSyD3IwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ2ouc3lt
Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ2ouc3ltY2IuY29tL2dqLmNydDAN
BgkqhkiG9w0BAQsFAAOCAQEAESJVxZB5yAgw0hmEVY1JdgwEKTVKyQnOuHPAjAsF
w4S14k6aCnBcsQo6u23fkLmqJmqpg9e3ITGUTVz3AzKcgaK8tzSQtPt1gX8vqr1y
yJ9vikZqcUpTjVW/OX+0DhxFiDhV7tNn0PhxDYqqLQCqoMThMlmo3SziN8ldxDaH
n+BD8ERx/5Cy1CeyKS/OdJa+NEZ26pbK99fa3Vu1NmbeONtizu3wViaO+M5sFKWQ
jOn/+MXSgobUgnnWijUdnICELDXuBRN4r7+CBCdVHsIqcBQntRDOIJkA6UEwC9cs
IVBPzbRe5P3ntz0OxrMJPDqP0x6CkTmxu5/+HOFTvJu7FA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIQQYISfRLZxrMhOUMSVmQAuDANBgkqhkiG9w0BAQsFADCB
mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT
MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eSAtIEczMB4XDTEzMDUyMzAwMDAwMFoXDTIzMDUyMjIzNTk1OVowRjELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHzAdBgNVBAMTFkdlb1Ry
dXN0IFNIQTI1NiBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDGqQtdF6V9xs8q78Zm0UIeX4N4aJGv5qeL8B1EAQoZypzUix3hoZCjwVu011tq
i/wOSR7CYin+gBU5i4EqJ7X7EqgFIgvFLPXZmN0WLztm52KiQzKsj7WFyFIGLFzA
d/pn94PoXgWNyKuhFjKK0kDshjocI6mNtQDecr2FVf4GAWBdrbPgZXOlkhSelFZv
k+6vqTowJUqOCYTvt9LV15tJzenAXmdxIqxQkEMgXaGjFYP9/Kc5vGtlSBJg/90j
szqq9J+cN1NBokeTgTMJ5SLGyBxJoW6NzIOzms3qQ/IZ0yTLqCmuUsz0CCewhOrO
J7XhNBNzklyHhirGsGg2rcsJAgMBAAGjggFcMIIBWDA7BggrBgEFBQcBAQQvMC0w
KwYIKwYBBQUHMAGGH2h0dHA6Ly9wY2EtZzMtb2NzcC5nZW90cnVzdC5jb20wEgYD
VR0TAQH/BAgwBgEB/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA7
BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9HZW9UcnVz
dFBDQS1HMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCoGA1UdEQQjMCGkHzAdMRswGQYD
VQQDExJWZXJpU2lnbk1QS0ktMi00MTYwHQYDVR0OBBYEFBRnju2DT9YenUAEDARG
oXA0sg9yMB8GA1UdIwQYMBaAFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3
DQEBCwUAA4IBAQAQEOryENYIRuLBjz42WcgrD/5N7OP4tlYxeCXUdvII3e8/zYsc
fqp//AuoI2RRs4fWCfoi+scKUejOuPYDcOAbWrmxspMREPmXBQcpbG1XJVTo+Wab
Dvvbn+6Wb2XLH9hVzjH6zwL00H9QZv8veZulwt/Wz8gVg5aEmLJG1F8TqD6nNJwF
ONrP1mmVqSaHdgHXslEPgWlGJhyZtoNY4ztYj9y0ccC5v0KcHAOe5Eao6rnBzfZb
qTyW+3mkM3Onnni5cNxydMQyyAAbye9I0/s6m/r+eppAaRzI2ig3C9OjuX6WzCso
w1Zsb+nbUrH6mvvnr7WXpiLDxaiTsQDJB7J9
-----END CERTIFICATE-----


Mihai is instead seeing SEC_ERROR_UNKNOWN_ISSUES (and his Nightly says the site uses HSTS).
I get the following:

https://www.eurostar.com/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgIQVnGOFrkpeaRQxP2+NRWs0TANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEfMB0GA1UEAxMW
R2VvVHJ1c3QgU0hBMjU2IFNTTCBDQTAeFw0xNTEwMjEwMDAwMDBaFw0xODA3MjYy
MzU5NTlaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcU
BkxvbmRvbjEnMCUGA1UEChQeRXVyb3N0YXIgSW50ZXJuYXRpb25hbCBMaW1pdGVk
MQswCQYDVQQLFAJJUzEXMBUGA1UEAxQOKi5ldXJvc3Rhci5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDvRQ+jBDCgfO+DLMPpujReVcPHa4v+VEE
CX80y5ogzpXPyPGXJ9E/bUe4PNtjlAB66EEFZPGY4hVCyusyEVbJ9f6vVs0rMvVd
2Y0Nh+2omstmqhrwWmD9pcb55/y7s3N0ww70k2baomv1B07dRa63Q/auJ12auMz2
SuvRbJqQIQPwcriw5tW2uqFGPMoPaDsEnyxpFn6eIMPhl/BTdznxGEN/fscDpF68
5V3pdMENZN1+8wflGgokFfvI0kp9+lrtwnIYHZJZbLfH/IhTry38GVnRt/fN1VI0
6QKMUSBtZ0NpatALQtnG9mRa+da4dGHce9X9Pl0hDLUWlasqvKkLAgMBAAGjggGu
MIIBqjAnBgNVHREEIDAegg4qLmV1cm9zdGFyLmNvbYIMZXVyb3N0YXIuY29tMAkG
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6
Ly9nai5zeW1jYi5jb20vZ2ouY3JsMIGdBgNVHSAEgZUwgZIwgY8GBmeBDAECAjCB
hDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl
cy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBzOi8vd3d3Lmdl
b3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUFGeO7YNP1h6dQAQMBEah
cDSyD3IwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ2ouc3lt
Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ2ouc3ltY2IuY29tL2dqLmNydDAN
BgkqhkiG9w0BAQsFAAOCAQEAESJVxZB5yAgw0hmEVY1JdgwEKTVKyQnOuHPAjAsF
w4S14k6aCnBcsQo6u23fkLmqJmqpg9e3ITGUTVz3AzKcgaK8tzSQtPt1gX8vqr1y
yJ9vikZqcUpTjVW/OX+0DhxFiDhV7tNn0PhxDYqqLQCqoMThMlmo3SziN8ldxDaH
n+BD8ERx/5Cy1CeyKS/OdJa+NEZ26pbK99fa3Vu1NmbeONtizu3wViaO+M5sFKWQ
jOn/+MXSgobUgnnWijUdnICELDXuBRN4r7+CBCdVHsIqcBQntRDOIJkA6UEwC9cs
IVBPzbRe5P3ntz0OxrMJPDqP0x6CkTmxu5/+HOFTvJu7FA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIQQYISfRLZxrMhOUMSVmQAuDANBgkqhkiG9w0BAQsFADCB
mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT
MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eSAtIEczMB4XDTEzMDUyMzAwMDAwMFoXDTIzMDUyMjIzNTk1OVowRjELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHzAdBgNVBAMTFkdlb1Ry
dXN0IFNIQTI1NiBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDGqQtdF6V9xs8q78Zm0UIeX4N4aJGv5qeL8B1EAQoZypzUix3hoZCjwVu011tq
i/wOSR7CYin+gBU5i4EqJ7X7EqgFIgvFLPXZmN0WLztm52KiQzKsj7WFyFIGLFzA
d/pn94PoXgWNyKuhFjKK0kDshjocI6mNtQDecr2FVf4GAWBdrbPgZXOlkhSelFZv
k+6vqTowJUqOCYTvt9LV15tJzenAXmdxIqxQkEMgXaGjFYP9/Kc5vGtlSBJg/90j
szqq9J+cN1NBokeTgTMJ5SLGyBxJoW6NzIOzms3qQ/IZ0yTLqCmuUsz0CCewhOrO
J7XhNBNzklyHhirGsGg2rcsJAgMBAAGjggFcMIIBWDA7BggrBgEFBQcBAQQvMC0w
KwYIKwYBBQUHMAGGH2h0dHA6Ly9wY2EtZzMtb2NzcC5nZW90cnVzdC5jb20wEgYD
VR0TAQH/BAgwBgEB/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA7
BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9HZW9UcnVz
dFBDQS1HMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCoGA1UdEQQjMCGkHzAdMRswGQYD
VQQDExJWZXJpU2lnbk1QS0ktMi00MTYwHQYDVR0OBBYEFBRnju2DT9YenUAEDARG
oXA0sg9yMB8GA1UdIwQYMBaAFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3
DQEBCwUAA4IBAQAQEOryENYIRuLBjz42WcgrD/5N7OP4tlYxeCXUdvII3e8/zYsc
fqp//AuoI2RRs4fWCfoi+scKUejOuPYDcOAbWrmxspMREPmXBQcpbG1XJVTo+Wab
Dvvbn+6Wb2XLH9hVzjH6zwL00H9QZv8veZulwt/Wz8gVg5aEmLJG1F8TqD6nNJwF
ONrP1mmVqSaHdgHXslEPgWlGJhyZtoNY4ztYj9y0ccC5v0KcHAOe5Eao6rnBzfZb
qTyW+3mkM3Onnni5cNxydMQyyAAbye9I0/s6m/r+eppAaRzI2ig3C9OjuX6WzCso
w1Zsb+nbUrH6mvvnr7WXpiLDxaiTsQDJB7J9
-----END CERTIFICATE-----
Blocks: 1434300
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
FWIW, this was due to https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

As of March 12, EuroStar updated to a new DigiCert certificate.
You need to log in before you can comment on or make changes to this bug.