Problems with DigiCert Global Root G2 TLS certificate

asked 2018-07-25 16:07:31 +0300

funkyboris gravatar image

updated 2019-09-01 15:36:50 +0300

Hi folks

I am having problems with my digital certificates. On 2018-06-03 my email accounts stopped working. When trying to sync my mail I get asked to check the certificate.

The server in question (mail.your-server.de) with TLS (port 993), presents a certificate from DigiCert (CN = RapidSSL TLS RSA CA G1) which in turn refers to CN = DigiCert Global Root G2 as the root certificate.

The DigiCert Global Root G2 is among those listed at the Sailfish certificate manager.

When comparing the public signatures of the two, I find for some reason that the one in the Sailfish OS version of the signature has "00:" prefixed to its value, whereas the one in Firefox on my laptop does not. Otherwise, they seem similar.

I installed openssl on my jolla as suggested in this thread. The one-liner

openssl s_client -showcerts -connect mail.your-server.de:993

returns

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = *.your-server.de
verify return:1

...

This is the same result I get when running the same command on my laptop.

I have also tried to delete the account and re-establish it as suggested in this thread. No dice - still asks me to check certificate.

I don't want to disable certificate validity check. It has worked flawlessly in the past and as far as I can tell, it still should.


EDIT (2018-12-11)

This one is still relevant as of Sailfish 3.0. I have tried to delete the mail account from Jolla (Settings app -> Accounts -> select account -> drop down -> delete account) after which I tried to create it again. It fails with the message that the certificate validation fails, and that I need to allow all untrusted certificates if I want to access that account.

It is still not in my best interest to disable validation of certificates against trusted sources.

Will someone from Sailfish please look into this? I have been unable to access my personal mail account on my Jolla for over 6 months now.


EDIT (2019-09-01)

We are now well past the anniversary for the reporting of this bug. Running v 3.1.0.11. Mail application still fails to fetch mail with the error message "Check certificate".

edit retag flag offensive close delete

Comments

well, your certificate is a *.your-server.de but your mail server is at mail.your-server.de and therefore cannot be matched with your server FQDN.

Nieldk ( 2018-07-25 18:33:35 +0300 )edit

@Nieldk iirc there's exceptions for third-level wildcard certs.

tortoisedoc ( 2018-07-25 21:25:52 +0300 )edit

@Nieldk erhm.. no?

https://en.wikipedia.org/wiki/Wildcard_certificate

*.your-server.de matches mail.your-server.de. That is the whole point. Besides, Firefox gets the validation right, as does Thunderbird and plain OpenSSL from CLI. Only Sailfish chokes on the certificate.

funkyboris ( 2018-07-26 03:23:14 +0300 )edit

Try: https://www.ssllabs.com/ssltest/ (remember to tick: Do not show the results on the boards)

Is it a cert you have bought from DigiCert?

emva ( 2018-07-26 15:17:58 +0300 )edit

@emva: your-server.de is not "my server". It is a managed server hosted by Hetzner.de - a professinal hosting provider. I did not have anything to do with its setup, and it hosts hundreds if not thousands of other clients. If there was a problem with their TLS setup, I would not be the only one affected. Again, you are missing the point: Everyone is satisfied with the certificate, except Sailfish OS and even this has not always been the case. It stopped working a couple of weeks ago.

funkyboris ( 2018-07-26 15:23:47 +0300 )edit