Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS Observatory does not recognize Let's Encrypt Certs #439

Open
abuechler opened this issue May 10, 2023 · 12 comments
Open

TLS Observatory does not recognize Let's Encrypt Certs #439

abuechler opened this issue May 10, 2023 · 12 comments

Comments

@abuechler
Copy link

The report for let's encrypt own website shows an error "This site uses an untrusted or invalid certificate"

Checked on the 10th of May 2023:

image

@532910
Copy link

532910 commented Aug 10, 2023

Can confirm!

@JulienPalard
Copy link

Maybe related to mozilla/http-observatory-website#291

@gene1wood
Copy link

Ya, here's some more info on the cause of this issue : mozilla/http-observatory-website#291 (comment)

@JulienPalard
Copy link

@vagoston
Copy link

@JulienPalard, is there a chance to update the trust stores? I think ISRG Root X1 should be there on its own right by now.
https://letsencrypt.org/2023/07/10/cross-sign-expiration
I tried to figure out how to do that, I wanted to help with a PR, but https://github.com/kirei/catt is way outdated and not working anymore, at least I couldn't make that work. What would be the best way to collect the trusted certs?

@BenWilson-Mozilla
Copy link

FWIW - From a Mozilla CA Root Program perspective, as I understand it, we have been transitioning away from maintaining this TLS Observatory repository and focusing on this repository - https://github.com/mozilla/CCADB-Tools. We are also using the CCADB.

@vagoston
Copy link

@BenWilson-Mozilla Thanks for mentioning CCADB. Forgive me if I miss something, but it seems to me that CCADB is not going to replace tls-observatory. CCADB is not grading end certificates, but collecting root and intermediate certificates.
@JulienPalard Would you welcome a PR for replacing catt? If you put together something for a technical design, I might be able to find some time to implement that. I'm thinking of downloading CCADB records at startup and use that as a single truststore. (Only adding records where Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included in the csv)

@JulienPalard
Copy link

@JulienPalard Would you welcome a PR for replacing catt?

I'll obviously welcome any work forward on this, but I'm not from Mozilla and I'm not a Go developer. So I would not be able to review, nor to merge your work.

@janbrasna
Copy link

There was supposed to be a new version of Observatory on MDN now, that might have the dependency on TLS Observatory removed(?), but there's no news about the launch since the original post:

"…once the MDN Observatory launches on January 25th 31st 2024."

Maybe @gene1wood knows more, and probably even the location of the repo for the new MDN Observatory version to help introspect its dependence on tls-observatory.services.mozilla.com/api/v1/certificate API endpoint that returns the outdated roots info from its db… (refs #440)

@gene1wood
Copy link

@LeoMcA can speak to the HTTP Observatory launch on MDN and it's backing repo.

@vagoston
Copy link

vagoston commented Apr 9, 2024

@LeoMcA, it would help a lot to know the release date and the planned changes.

@janbrasna
Copy link

New MDN Observatory 2.0 launched last month: https://developer.mozilla.org/en-US/blog/mdn-http-observatory-launch/

The source is hosted now under MDN: https://github.com/mdn/mdn-http-observatory

There is no TLS scanning currently present, and no plans to include it as per the announcement post linked above.

A sunset is planned for current Obs v1 in the coming months, with uncertainty about TLS Obs fate (whether that is also being included in the sunset plans, and a future removal is planned; or it's gonna be kept around in its current state, with no further maintenance to be expected…)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants