Problems with DigiCert Global Root G2 TLS certificate

asked 2018-07-25 16:07:31 +0200


updated 2020-07-12 16:23:43 +0200

Hi folks

I am having problems with my digital certificates. On 2018-06-03 my email accounts stopped working. When trying to sync my mail I get asked to check the certificate.

The server in question (mail.your-server.de) with TLS (port 993), presents a certificate from DigiCert (CN = RapidSSL TLS RSA CA G1) which in turn refers to CN = DigiCert Global Root G2 as the root certificate.

The DigiCert Global Root G2 is among those listed at the Sailfish certificate manager.

When comparing the public signatures of the two, I find for some reason that the one in the Sailfish OS version of the signature has "00:" prefixed to its value, whereas the one in Firefox on my laptop does not. Otherwise, they seem similar.

I installed openssl on my jolla as suggested in this thread. The one-liner

openssl s_client -showcerts -connect mail.your-server.de:993

returns

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.your-server.de
verify return:1

...

This is the same result I get when running the same command on my laptop.

I have also tried to delete the account and re-establish it as suggested in this thread. No dice - still asks me to check certificate.

I don't want to disable certificate validity check. It has worked flawlessly in the past and as far as I can tell, it still should.


EDIT (2018-12-11)

This one is still relevant as of Sailfish 3.0. I have tried to delete the mail account from Jolla (Settings app -> Accounts -> select account -> drop down -> delete account) after which I tried to create it again. It fails with the message that the certificate validation fails, and that I need to allow all untrusted certificates if I want to access that account.

It is still not in my best interest to disable validation of certificates against trusted sources.

Will someone from Sailfish please look into this? I have been unable to access my personal mail account on my Jolla for over 6 months now.


EDIT (2019-09-01)

We are now well past the anniversary for the reporting of this bug. Running v 3.1.0.11. Mail application still fails to fetch mail with the error message "Check certificate".


EDIT (2020-07-12)

Coming up on the two year anniversary of this bug, this is still a problem.

Intermediate certificate has changed in the interim, so that it is now "Thawte TLS RSA CA G1".

openssl s_client -showcerts -connect mail.your-server.de:993
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 CN = *.your-server.de
verify return:1

...

Still running on Jolla Phone, now with Sailfish OS v. 3.3.0.16.
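
On the "00:" prefix noted in the question: the following is an added example with constructed values, not code from the original post or from Sailfish OS. DER encodes an INTEGER in two's complement, so a positive modulus whose top bit is set carries a leading 0x00 sign byte; a viewer that prints the raw DER content octets (as OpenSSL's text output does) shows "00:", while one that prints the bare magnitude does not, and both denote the same key. That the Sailfish viewer prints the raw octets is the assumed explanation here.

```python
# Added example (not part of the original thread). Demonstrates why two
# certificate viewers can show the same RSA modulus with and without a
# leading "00:" byte, and how to compare such displays safely.

def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative integer.

    DER INTEGER is two's complement, so if the most significant bit of the
    magnitude is set, a 0x00 byte is prepended to keep the value positive.
    """
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    length = (value.bit_length() + 7) // 8 or 1
    raw = value.to_bytes(length, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def colon_hex(data: bytes) -> str:
    """Render bytes the way certificate viewers usually do: aa:bb:cc."""
    return ":".join(f"{b:02x}" for b in data)

def parse_colon_hex(text: str) -> int:
    """Read a colon-separated hex dump back into an integer.

    Leading 00 bytes are sign padding and do not change the value, so
    int.from_bytes() yields the same number for both display styles.
    """
    cleaned = text.replace(":", "").replace(" ", "")
    return int.from_bytes(bytes.fromhex(cleaned), "big")

def same_modulus(display_a: str, display_b: str) -> bool:
    """True when two viewer displays denote the same number."""
    return parse_colon_hex(display_a) == parse_colon_hex(display_b)

# Constructed 32-bit stand-in for a modulus; real RSA moduli are 2048+ bits,
# but their top bit is likewise always set, so the same padding applies.
MODULUS = 0xC1A2B3C4
RAW_OCTETS_STYLE = colon_hex(der_integer_content(MODULUS))  # "00:c1:a2:b3:c4"
MAGNITUDE_STYLE = colon_hex(MODULUS.to_bytes(4, "big"))     # "c1:a2:b3:c4"

if __name__ == "__main__":
    print("DER content octets:", RAW_OCTETS_STYLE)
    print("bare magnitude:    ", MAGNITUDE_STYLE)
    print("same key:", same_modulus(RAW_OCTETS_STYLE, MAGNITUDE_STYLE))
```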


Comments

well, your certificate is a *.your-server.de but your mail server is at mail.your-server.de and therefore cannot be matched with your server FQDN.

Nieldk ( 2018-07-25 18:33:35 +0200 )

@Nieldk iirc there's exceptions for third-level wildcard certs.

tortoisedoc ( 2018-07-25 21:25:52 +0200 )

@Nieldk erhm.. no?

https://en.wikipedia.org/wiki/Wildcard_certificate

*.your-server.de matches mail.your-server.de. That is the whole point. Besides, Firefox gets the validation right, as does Thunderbird and plain OpenSSL from CLI. Only Sailfish chokes on the certificate.

funkyboris ( 2018-07-26 03:23:14 +0200 )

Try: https://www.ssllabs.com/ssltest/ (remember to tick: Do not show the results on the boards)

Is it a cert you have bought from DigiCert?

emva ( 2018-07-26 15:17:58 +0200 )

@emva: your-server.de is not "my server". It is a managed server hosted by Hetzner.de - a professional hosting provider. I did not have anything to do with its setup, and it hosts hundreds if not thousands of other clients. If there was a problem with their TLS setup, I would not be the only one affected. Again, you are missing the point: Everyone is satisfied with the certificate, except Sailfish OS and even this has not always been the case. It stopped working a couple of weeks ago.

funkyboris ( 2018-07-26 15:23:47 +0200 )