Closed Bug 972679 Opened 8 years ago Closed 4 years ago

https://www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)

Categories

(Web Compatibility :: Desktop, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: dholbert, Unassigned)

References

()

Details

(Whiteboard: [country-us] [sitewait] [ssl])

Attachments

(7 files)

STEPS TO REPRODUCE:
0. Start with a fresh Firefox profile. (imporant)
1. Load https://www.myhealth.va.gov

ACTUAL RESULTS: "This Connection is Untrusted" page, with:
> Technical Details
> www.myhealth.va.gov uses an invalid security certificate.
> The certificate is not trusted because no issuer chain
> was provided. (Error code: sec_error_unknown_issuer)

You can't work around it by replacing "https" with "http", either, because their http site redirects you to https.

Reproduced in Firefox 27.0 release, as well as today's Nightly build. I get a similar cert error in Opera 12.16, as well, so this isn't a Firefox bug.  

Hence, filing as Tech Evangelism.

This was initially reported at input.mozilla.org, here:
 https://input.mozilla.org/en-US/dashboard/response/4203315
> I'm a disabled veteran and every time I try to contact
> www. myhealth.va.gov the site crashes. I need to get doctors
> instructions through this site. Please do what you can to
> fix it. Mark
This actually happens for https://www.va.gov/ , too.
Summary: https://www.myhealth.va.gov/ triggers "untrusted connection" error page, due to missing issuer chain → https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to missing issuer chain
Opera 12.16 has cert errors for both sites, too. It only supports showing one error at a time, so I couldn't screenshot both at once; here's just the error when visiting the "myhealth" URL.
Attachment #8375974 - Attachment description: screenshot of both sites, side-by-side, in Firefox Nightly (showing cert errors) → screenshot of cert error in Firefox Nightly at both sites (side by side)
Strangely, Chrome doesn't report any cert errors at the "myhealth" site, even with a fresh profile -- possibly because it comes pre-cached with the intermediate cert that's involved here.

It does, however, report a cert error for the toplevel https://www.va.gov site, so here's a screenshot of that.
Just as a sanity-check that it's not just me, I tested & was able to reproduce this using Firefox 27 and Opera 12.16 on a different Windows XP computer.

(I couldn't reproduce with IE or Safari or Chrome on that system, though -- likely because those all tie into the system-provided certificate store, which must either ship with the intermediate cert or have cached the intermediate cert from an earlier load of a different site.)
This certificate-checker site also confirms that the site is misconfigured:
 http://www.digicert.com/help/index.htm?host=www.va.gov
 http://www.digicert.com/help/index.htm?host=www.myhealth.va.gov
...though it only shows an error some fraction of the time. (It had an error 2 out of 3 times that I tried, for both sites). That randomness is probably due to a load-balancer at va.gov, with some of its HTTPS servers being correct and some being broken.

When that digicert site reports an error, it's all the way at the bottom, and it says

> [red X]
> SSL Certificate is not trusted
> [...] you probably just need to install one or more Intermediate certificates.

I've notified a friend of mine who works at the VA about this; hopefully she'll be able to get it on the right folks' radar.
Summary: https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to missing issuer chain → https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
As of today Firefox 32.0.3

Not trusted: https://www.va.gov/
Trusted:     https://www.myhealth.va.gov/
Assignee: english-us → nobody
Component: English US → Desktop
Whiteboard: [country-us] [contactready] [ssl]
Summary: https://www.myhealth.va.gov/ and https://www.va.gov/ trigger "untrusted connection" error page, due to server misconfiguration (missing issuer chain) → www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
Daniel, 

If you still have contacts,
it would be cool to ping them about it.
The first one has been solved (see previous comment)
Flags: needinfo?(dholbert)
I can confirm comment 11, in Firefox Nightly -- https://www.va.gov/ is still broken.

I'll email my friend at the VA to see if she can get someone to take a look at fixing it.
Flags: needinfo?(dholbert)
Summary: www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain) → https://www.va.gov triggers "untrusted connection" error page, due to server misconfiguration (missing issuer chain)
Whiteboard: [country-us] [contactready] [ssl] → [country-us] [sitewait] [ssl]
I emailed my friend (who wasn't sure exactly who to tell about it, but said she'd forward my email to a few people). I also sent the VA a tweet, and (to their credit!) they replied almost immediately:
  https://twitter.com/CodingExon/status/517054453661188096
The VA has always had issues with certs. I opened a trouble ticket with vaforvets.va.gov last year (they were using Cybertrust Public Issuing CA 1 at the time) and while they "escalated" to Tier-II, all I got back was "We are pleased to inform you that your Request ticket reference number I130913_x has been resolved with the following resolution:

Member is now an official registered member."
 
Informed them that I still needed to create a cert exception & never heard back from them. Now that vaforvets.va.gov is using "Veterans Affairs Device CA B2" you'll still need to add an exception to get to https://vaforvets.va.gov, or for that matter and foo.bar.va.gov 
www.va.gov is still acceptiong SSL3:
====
Protocol Support

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
SL 3.0 is an outdated protocol version with known vulnerabilities. How can I fix this?"

Even downloading and installing the appropriate certs from the Dept of Treasury <http://pki.treas.gov/crl_certs.htm> on both the OS and the browser (seaMonkey 2.30 - linux & Windows) & including the US Govt doesn't seem to help.
(In reply to NoOp from comment #15)
> The VA has always had issues with certs. I opened a trouble ticket with
> vaforvets.va.gov last year

I can confirm that https://vaforvets.va.gov/ has a cert error & won't load in Firefox (on my Linux desktop at least). https://www.digicert.com/help/index.htm?host=vaforvets.va.gov agrees.

> Now that vaforvets.va.gov is using "Veterans Affairs Device
> CA B2" you'll still need to add an exception to get to
> https://vaforvets.va.gov, or for that matter and foo.bar.va.gov 

(RE "foo.bar.va.gov" -- at least one such site *does* work correctly, per comment 11: https://www.myhealth.va.gov/ )

> www.va.gov is still acceptiong SSL3:

(That's probably bad, due to POODLE vulnerability revelations, but it's unrelated to the rest of this bug; let's not let this bug scope-creep too much.)
The only reason why myhealth.va.gov is working is because they are using a public cert:
'VeriSign Class 3 Secure Server CA - G3' and not 'Veterans Affairs Device CA B2'.
Cert chain has been corrected: https://www.ssllabs.com/ssltest/analyze.html?d=www.va.gov
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.