[asterisk-dev] NET::ERR_CERT_SYMANTEC_LEGACY: Re-issue your RapidSSL certificate!
Alexander Traud
2018-08-05 10:18:13 UTC
All asterisk.org (sub-)domains are secured by an SSL/TLS certificate from RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That trust anchor belonged to Symantec. Since Chrome 70, Google removes all trust in former Symantec trust anchors. When you re-issue your certificate, the new owner DigiCert is going to give you a certificate chain to a new and still trusted anchor, for free: <http://products.geotrust.com/orders/orderinformation/authentication.do>

Reasoning:

Google Chrome 70 entered the Developer channel (aka "unstable") <http://www.chromium.org/getting-involved/dev-channel> on Friday <http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html> and therefore is available to Linux users now. Because Asterisk is very much developer-centric, I expect that several Asterisk users and developers are using Google Chrome in that channel. Therefore, and because the re-issue is free and because you could have gone for it since December already, please re-issue as soon as possible.

Technical Notes:

Enter CSR: If you enter the CSR used by our original order, you do not have to change the private key on your server. Only the public certificates must be changed.

Hashing Algorithm = SHA-1 root: Your chain is going to resolve to "DigiCert Global Root CA". Therefore, I recommend adding the intermediate certificate to "Baltimore CyberTrust Root" <http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>. This gives broader compatibility, even with legacy SSL/TLS clients, at no additional cost.

Hashing Algorithm = SHA-256 root: Your chain is going to resolve to "DigiCert Global Root G2". Therefore, consider adding the intermediate to "VeriSign Class 3 Public Primary Certification Authority - G5" <http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395> and "VeriSign Class 3 Public Primary Certification Authority - G3" <https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary Certification Authority" (G1) <http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>. Although those three anchors are not trusted either, up-to-date SSL/TLS clients stop at the first trusted anchor in the chain and do not see those older ones. This gives the broadest compatibility with legacy platforms. However <https://bugzilla.mozilla.org/show_bug.cgi?id=1401384#c10>: "[DigiCert is] strongly advising subscribers not to use [this particular] cross-sign and, if used, remove [this] cross-sign prior to September 2018 as [DigiCert is] not sure how the distrust will impact [this] cross-sign." Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my installations.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.d
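The post relies on path building stopping at the first trusted anchor: the same server-sent chain resolves to "DigiCert Global Root G2" on a current browser but continues through an appended cross-sign to an older VeriSign root on a legacy client, and once that cross-sign is dropped the legacy client fails. The following is an added illustration, not code from the thread or from DigiCert; certificates are modelled as (subject, issuer) name pairs only, and the leaf, intermediate and trust-store contents are constructed.

```python
# Added example: a minimal certification-path walk over subject/issuer names.
# Real clients also check signatures, validity and constraints; this only shows
# where the walk stops. Leaf/intermediate names and stores are constructed.

# Former Symantec roots the post says Chrome 70 no longer trusts.
LEGACY_SYMANTEC_ANCHORS = {
    "GeoTrust Global CA",
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "VeriSign Class 3 Public Primary Certification Authority - G3",
    "VeriSign Class 3 Public Primary Certification Authority",
}

# Constructed trust stores: a current browser after the distrust, and an old
# embedded SSL client that only knows the VeriSign/GeoTrust roots.
CHROME_70_STORE = {"DigiCert Global Root CA", "DigiCert Global Root G2",
                   "Baltimore CyberTrust Root"}
LEGACY_CLIENT_STORE = set(LEGACY_SYMANTEC_ANCHORS)

# Server-sent chains as (subject, issuer) pairs, leaf first.
OLD_CHAIN = [
    ("example.asterisk.org (constructed leaf)", "RapidSSL intermediate (constructed)"),
    ("RapidSSL intermediate (constructed)", "GeoTrust Global CA"),
]
# Re-issued "SHA-256 root" chain with the VeriSign G5 cross-sign appended.
NEW_CHAIN_WITH_CROSS_SIGN = [
    ("example.asterisk.org (constructed leaf)", "RapidSSL intermediate (constructed)"),
    ("RapidSSL intermediate (constructed)", "DigiCert Global Root G2"),
    ("DigiCert Global Root G2",
     "VeriSign Class 3 Public Primary Certification Authority - G5"),
]
NEW_CHAIN_WITHOUT_CROSS_SIGN = NEW_CHAIN_WITH_CROSS_SIGN[:2]


def first_trusted_anchor(chain, trust_store):
    """Follow issuer links from the leaf and return the first issuer name in
    trust_store, or None if the path ends (or loops) before reaching one."""
    issuer_of = dict(chain)
    subject, visited = chain[0][0], set()
    while subject in issuer_of and subject not in visited:
        visited.add(subject)
        issuer = issuer_of[subject]
        if issuer in trust_store:
            return issuer  # the client stops here; later certs are never examined
        subject = issuer
    return None


def verdict(chain, trust_store):
    """Human-readable result naming the anchor reached or the untrusted top."""
    anchor = first_trusted_anchor(chain, trust_store)
    return f"ok via {anchor}" if anchor else f"rejected, untrusted top {chain[-1][1]}"
```

Running `verdict` over the three chains against both stores reproduces the trade-off in the post: the old chain is rejected by the Chrome 70 store, the re-issued chain is accepted by both stores only while the cross-sign is present.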
Dan Jenkins
2018-08-05 18:39:09 UTC
Ha! Already informed them on Friday via other means. I'm told there is now an IT ticket open.
Joshua Colp
2018-08-06 13:51:33 UTC
Indeed, I have brought it up with them and it is on their side to get new ones issued and deployed. I don't have a time frame on when they will be doing it, though.
--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org