Last modified: 2014-07-12 12:05:10 UTC
URL: https://zh.wikibooks.org/w/index.php?title=Special:用户登录&returnto=Wikibooks%3A首页&returntoquery=&fromhttp=1 Browser: Google Chrome 29.0.1547.66 OS: Microsoft Windows XP [5.1.2600]
Created attachment 13350 [details] Received SSL cert
How would I realize if it does not validate? Google Chrome says "Identity verified" when clicking on the locker icon in the URL bar.
(In reply to comment #2) > How would I realize if it does not validate? Google Chrome says "Identity > verified" when clicking on the locker icon in the URL bar. It doesn't say so for me on that computer. You may need to use the same OS to reproduce it.
this is a certificate that has common name *.wikipedia.org but it has a lot of "Certificate Subject Alt Name"s. So in a browser in certificate details you need to go to that section and you'll see all these.. i'm just pasting the beginning to show wikibooks.org is in it. DNS Name: *.wikipedia.org DNS Name: wikipedia.org DNS Name: m.wikipedia.org DNS Name: *.m.wikipedia.org DNS Name: wikibooks.org DNS Name: m.wikibooks.org DNS Name: *.wikibooks.org DNS Name: *.m.wikibooks.org ... and more .. so i guess there must be some old browsers who don't look at the alt. names but just the main CN and then throw warnings while it isn't a problem for most users.
Do you actually get a browser warning? what does that look like? the cert file you uploaded also includes wikibooks.
(In reply to comment #4) > > so i guess there must be some old browsers who don't look at the alt. names > but > just the main CN and then throw warnings while it isn't a problem for most > users. On that computer, the reported error was "issuer not trusted".
(In reply to comment #6) > On that computer, the reported error was "issuer not trusted". In that case it sounds like it is missing the root and/or intermediate cert of the CA, which in this case is DigiCert. You could go to: https://www.digicert.com/digicert-root-certificates.htm and download them and install in your browser. It should be 2 of them , "DigiCert High Assurance CA-3" (in the "intermediate cert"-section, plus the "DigiCert High Assurance EV Root CA". Your browser should offer some install dialog when you hit download. That should make it trust the issuer.
(In reply to comment #7) > (In reply to comment #6) > > On that computer, the reported error was "issuer not trusted". > > In that case it sounds like it is missing the root and/or intermediate cert > of > the CA, which in this case is DigiCert. > > You could go to: > > https://www.digicert.com/digicert-root-certificates.htm > > and download them and install in your browser. > > It should be 2 of them , "DigiCert High Assurance CA-3" (in the "intermediate > cert"-section, plus the "DigiCert High Assurance EV Root CA". Your browser > should offer some install dialog when you hit download. > > That should make it trust the issuer. Well that's not "my browser" or "my computer". I saw this on some public computer, and wondered whether this also happens on other OS / browsers in their default states.
As far as I know all the popular OS / browser combinations ship with the necessary root certificate. So it should not happen in the default state. It is expected that when the root we use is disabled or deleted then one gets a warning or error. I suspect that happened on that computer. You could check if the root is there under (from Chromium on Linux, hope this is similar for Chrome on Windows) Settings -> HTTPS/SSL: Manage certificates -> Authorities: Digicert Inc: DigiCert High Assurance EV Root CA. It should not say untrusted next to it and when you click the edit button "Trust this certificate for identifying websites." should be checked. (Most likely that was unchecked by another user.) Do you want to follow up on this on that public computer or one that has the same problem? If you find a configuration where that root is enabled and it doesn't work please open a new ticket. If you find a OS / browser combination that doesn't ship with this root or has it disabled per default please also report it.