Closed
Bug 972679
Opened 10 years ago
Closed 7 years ago
https://www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: dholbert, Unassigned)
References
()
Details
(Whiteboard: [country-us] [sitewait] [ssl])
Attachments
(7 files)
screenshot of cert error in Firefox Nightly at both sites (side by side)
STEPS TO REPRODUCE: 0. Start with a fresh Firefox profile. (imporant) 1. Load https://www.myhealth.va.gov ACTUAL RESULTS: "This Connection is Untrusted" page, with: > Technical Details > www.myhealth.va.gov uses an invalid security certificate. > The certificate is not trusted because no issuer chain > was provided. (Error code: sec_error_unknown_issuer) You can't work around it by replacing "https" with "http", either, because their http site redirects you to https. Reproduced in Firefox 27.0 release, as well as today's Nightly build. I get a similar cert error in Opera 12.16, as well, so this isn't a Firefox bug. Hence, filing as Tech Evangelism. This was initially reported at input.mozilla.org, here: https://input.mozilla.org/en-US/dashboard/response/4203315 > I'm a disabled veteran and every time I try to contact > www. myhealth.va.gov the site crashes. I need to get doctors > instructions through this site. Please do what you can to > fix it. Mark
|
Reporter | |
Comment 1•10 years ago
|
||
This actually happens for https://www.va.gov/ , too.
Summary: https://www.myhealth.va.gov/ triggers "untrusted connection" error page, due to missing issuer chain → https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to missing issuer chain
|
|
Reporter | |
Comment 2•10 years ago
|
||
|
|
Reporter | |
Comment 3•10 years ago
|
||
Opera 12.16 has cert errors for both sites, too. It only supports showing one error at a time, so I couldn't screenshot both at once; here's just the error when visiting the "myhealth" URL.
|
|
Reporter | |
Updated•10 years ago
|
Attachment #8375974 -
Attachment description: screenshot of both sites, side-by-side, in Firefox Nightly (showing cert errors) → screenshot of cert error in Firefox Nightly at both sites (side by side)
|
|
Reporter | |
Comment 4•10 years ago
|
||
Strangely, Chrome doesn't report any cert errors at the "myhealth" site, even with a fresh profile -- possibly because it comes pre-cached with the intermediate cert that's involved here. It does, however, report a cert error for the toplevel https://www.va.gov site, so here's a screenshot of that.
|
|
Reporter | |
Comment 5•10 years ago
|
||
Just as a sanity-check that it's not just me, I tested & was able to reproduce this using Firefox 27 and Opera 12.16 on a different Windows XP computer. (I couldn't reproduce with IE or Safari or Chrome on that system, though -- likely because those all tie into the system-provided certificate store, which must either ship with the intermediate cert or have cached the intermediate cert from an earlier load of a different site.)
|
|
Reporter | |
Comment 6•10 years ago
|
||
This certificate-checker site also confirms that the site is misconfigured: http://www.digicert.com/help/index.htm?host=www.va.gov http://www.digicert.com/help/index.htm?host=www.myhealth.va.gov ...though it only shows an error some fraction of the time. (It had an error 2 out of 3 times that I tried, for both sites). That randomness is probably due to a load-balancer at va.gov, with some of its HTTPS servers being correct and some being broken. When that digicert site reports an error, it's all the way at the bottom, and it says > [red X] > SSL Certificate is not trusted > [...] you probably just need to install one or more Intermediate certificates. I've notified a friend of mine who works at the VA about this; hopefully she'll be able to get it on the right folks' radar.
|
|
Reporter | |
Comment 7•10 years ago
|
||
|
|
Reporter | |
Comment 8•10 years ago
|
||
|
|
Reporter | |
Comment 9•10 years ago
|
||
|
|
Reporter | |
Comment 10•10 years ago
|
||
|
|
Reporter | |
Updated•10 years ago
|
Summary: https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to missing issuer chain → https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
|
||
Comment 11•10 years ago
|
||
As of today Firefox 32.0.3 Not trusted: https://www.va.gov/ Trusted: https://www.myhealth.va.gov/
Assignee: english-us → nobody
Component: English US → Desktop
Whiteboard: [country-us] [contactready] [ssl]
|
|
||
Updated•10 years ago
|
Summary: https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to server misconfiguration (missing issuer chain) → www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
|
|
||
Comment 12•10 years ago
|
||
Daniel, If you still have contacts, it would be cool to ping them about it. The first one has been solved (see previous comment)
Flags: needinfo?(dholbert)
|
|
Reporter | |
Comment 13•10 years ago
|
||
I can confirm comment 11, in Firefox Nightly -- https://www.va.gov/ is still broken. I'll email my friend at the VA to see if she can get someone to take a look at fixing it.
Flags: needinfo?(dholbert)
Summary: www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain) → https://www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
|
||
Updated•10 years ago
|
Whiteboard: [country-us] [contactready] [ssl] → [country-us] [sitewait] [ssl]
|
|
Reporter | |
Comment 14•10 years ago
|
||
I emailed my friend (who wasn't sure exactly who to tell about it, but said she'd forward my email to a few people). I also sent the VA a tweet, and (to their credit!) they replied almost immediately: https://twitter.com/CodingExon/status/517054453661188096
|
||
Comment 15•10 years ago
|
||
The VA has always had issues with certs. I opened a trouble ticket with vaforvets.va.gov last year (they were using Cybertrust Public Issuing CA 1 at the time) and while they "escalated" to Tier-II, all I got back was "We are pleased to inform you that your Request ticket reference number I130913_x has been resolved with the following resolution: Member is now an official registered member." Informed them that I still needed to create a cert exception & never heard back from them. Now that vaforvets.va.gov is using "Veterans Affairs Device CA B2" you'll still need to add an exception to get to https://vaforvets.va.gov, or for that matter and foo.bar.va.gov www.va.gov is still acceptiong SSL3: ==== Protocol Support TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 SL 3.0 is an outdated protocol version with known vulnerabilities. How can I fix this?" Even downloading and installing the appropriate certs from the Dept of Treasury <http://pki.treas.gov/crl_certs.htm> on both the OS and the browser (seaMonkey 2.30 - linux & Windows) & including the US Govt doesn't seem to help.
|
|
Reporter | |
Comment 16•10 years ago
|
||
(In reply to NoOp from comment #15) > The VA has always had issues with certs. I opened a trouble ticket with > vaforvets.va.gov last year I can confirm that https://vaforvets.va.gov/ has a cert error & won't load in Firefox (on my Linux desktop at least). https://www.digicert.com/help/index.htm?host=vaforvets.va.gov agrees. > Now that vaforvets.va.gov is using "Veterans Affairs Device > CA B2" you'll still need to add an exception to get to > https://vaforvets.va.gov, or for that matter and foo.bar.va.gov (RE "foo.bar.va.gov" -- at least one such site *does* work correctly, per comment 11: https://www.myhealth.va.gov/ ) > www.va.gov is still acceptiong SSL3: (That's probably bad, due to POODLE vulnerability revelations, but it's unrelated to the rest of this bug; let's not let this bug scope-creep too much.)
|
|
||
Comment 17•10 years ago
|
||
The only reason why myhealth.va.gov is working is because they are using a public cert: 'VeriSign Class 3 Secure Server CA - G3' and not 'Veterans Affairs Device CA B2'.
|
|
||
Comment 18•7 years ago
|
||
Cert chain has been corrected: https://www.ssllabs.com/ssltest/analyze.html?d=www.va.gov
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
| Comment hidden (spam) |
You need to log in
before you can comment on or make changes to this bug.
Description
•