[Ach] bettercrypto.org cert blocked in chrome 56

Raoul Bhatia raoul at bhatia.at
Mon Nov 28 23:12:56 CET 2016


I've successfully transitioned existing StartSSL certificates + HPKP / HSTS to letsencrypt.sh (via the Debian package).

I know I am not the first to do such a thing, but maybe you'd like to have some quick pointers to get this resolved ASAP.

Raoul

PS. The most important thing is to initially tell letsencrypt.sh to reuse an existing private key for requesting new certs. 

On November 28, 2016 11:04:57 PM GMT+01:00, "L. Aaron Kaplan" <kaplan at cert.at> wrote:
>
>> On 28 Nov 2016, at 22:59, Laurens Vets <laurens at daemon.be> wrote:
>> 
>> On 2016-11-28 13:40, Tobias Pape wrote:
>>> Hi all,
>>> I use Chrome 56, and can no longer open https://bettercrypto.org/.
>>> The browser complains with ERR_CERT_AUTHORITY_INVALID for the StartCom
>>> issued certificate for bettercrypto.org. Since it uses HSTS, Chrome
>>> won't let me continue.
>>> Can someone (Aaron K?) replace the Cert, e.g., with a Letsencrypt one?
>>> Can I do something there?
>>> Best regards
>>> 	-Tobias
>>> PS: Firefox 50 is OK with the site.
>>> PPS: So is Safari 9.1
>>> PPPS: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>>> may be the reason here.
>>> PPPPS: ssllabs is happy tho (A+):
>>> https://www.ssllabs.com/ssltest/analyze.html?d=bettercrypto.org
>> 
>
>That sucks.
>Thanks for the heads up. I did not notice that when I re-issued the
>certificate.
>
>> This will also be the case with Firefox starting with version 51 and
>> certs signed after October 21, 2016.
>>
>> More information:
>> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>>
>> 
>
>So, this is indeed a bummer. We will have to do a let's encrypt
>certificate (means extra work).
>
>Thanks for the notice.


-- 
DI (FH) Raoul Bhatia M.Sc.
E-Mail. raoul at bhatia.at
Tel. +43 699 10132530
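
An added example, not part of the original message: an HPKP pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, so a certificate issued for the existing private key keeps matching the pins that clients have already cached. The script below checks that with openssl; the file names, the `example.invalid` subject and the throwaway keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check that a renewed certificate still matches an HPKP pin.

# Read a PEM public key on stdin, print its pin-sha256 value.
spki_pin() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary | openssl base64
}

# Pin of the public key that belongs to a PEM private key file.
pin_from_key() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_pin
}

# Pin of the SubjectPublicKeyInfo carried by a PEM certificate file.
pin_from_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_pin
}

# True only when both files parse and the certificate was issued for the key.
cert_matches_key() {
    key_pin=$(pin_from_key "$1") || return 1
    cert_pin=$(pin_from_cert "$2") || return 1
    [ "$key_pin" = "$cert_pin" ]
}

# Constructed demo material: two throwaway keys and one self-signed cert each.
make_demo() {
    for name in old fresh; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$name.key" 2>/dev/null
    done
    openssl req -new -x509 -key "$1/old.key" -subj "/CN=example.invalid" \
        -days 1 -out "$1/reused.crt" 2>/dev/null
    openssl req -new -x509 -key "$1/fresh.key" -subj "/CN=example.invalid" \
        -days 1 -out "$1/rotated.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
echo "pinned key: $(pin_from_key "$demo/old.key")"
for crt in reused rotated; do
    if cert_matches_key "$demo/old.key" "$demo/$crt.crt"; then
        echo "$crt.crt: still matches the pinned key"
    else
        echo "$crt.crt: not covered by this pin"
    fi
done
rm -rf "$demo"
```

Run against real files, `cert_matches_key old.key new.crt` before deploying confirms that the freshly issued certificate is still covered by the pin already published in the `Public-Key-Pins` header.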

