Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  

Author Topic: invalid certificate issue  (Read 3669 times)

zetsfinetoo

  • Bay Watcher
    • View Profile
invalid certificate issue
« on: March 26, 2024, 11:57:47 am »

I've been getting this message every time I try to load df wiki page on my phone's chrome browser for a few weeks now, the certificate is fine on my pc's chrome browser tho. Any solution? It's annoying to tap 2 extra times to load every wiki page.

« Last Edit: March 26, 2024, 12:01:44 pm by zetsfinetoo »
Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #1 on: March 26, 2024, 03:58:35 pm »

Sounds like you may need to update the list of ca (root) certificates used by your machine.  If your on Windows, you should just be able to use Windows Update.  If your on Linux, I'd need to know which distribution you're using (on mine the package to update is called "ca-certificates").
Logged
Really hoping somebody puts this in their signature.

Starver

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #2 on: March 26, 2024, 05:51:32 pm »

(zets says "on my phone's chrome browser", and the screenshot has phonelike elements...) I'm guessing Android, or at least I can test my Android tablet. And... No problem here. Chrome and Firefox both uncomplaining, using https, no warnings/broken padlocks/anything else of note, on both https://dwarffortresswiki.org/ and any sub-pages I click on from there (just to make sure).

I know I can go down from 4G to H+, H and even E at times (when off LAN), and it can disrupt downloads. Occasionally I get a page, but without (valid?) .CSS, and it gives a 'straight unformatted' page[1]. Sometimes I get a part page or the signal blips me into "No internet connection". (This isn't DF-Wiki, specifically, and I'm not sure it's happened for that. It's really more places that I'm far more frequently checking whilst out in the wilds/in the radio-shadow just down the road.) ...is it possible that you glitched the latest certificate update, and it hasn't then worked this out and corrected itself?

Also, perhaps you're actually on a non-private connection... If it were a Windows PC, I'd be looking for suspicious changes to the "hosts" file (".hosts" or similar would probably exist within your phone, too, but as likely to be protected from both your and malware access... not sure where I'd look for it, or the setting that gives the ability to reconfigure it 'wizardwise').

And that's cyrillic for Kb/s, yes? Perhaps your phone connection is being officially 'Man-In-The-Middle'd by your service provider (your desktop connection is not, or it's being done 'better').



Plenty of options, and probably all of them utterly wrong. Force-reload the page? See if other https links give the same behaviour? Does it go wrong connected on your home wireless (that "x"ed signal bar, in that, or other connections that you might have) as well as when on mobile internet?


But if it's a site issue, I can't replicate[2], and there surely would be others mentioning this if it's been that kind of error "for a few weeks". Or whoever messed up the Trust Authority chain will know what they goofed, already. (It's happened before, I vaguely remember a 2007-8ish(? or 1997-8ish, even?) 'global mess-up' that hit a significant swathe of the internet. It needed, IIRC, a global updating via the messed up Certificate server/whatever, and took a couple of days and possibly relevent browser/internet settings being flushed, by impatient people, to hurry up the re-update. But before so much of a "https or nothing!" approach was widespread.)

So, you might need to do a bit of leg-work to try to give a bit more info (or find out it's definitely 'just' your issue), if my attempt to assist isn't waaay off the mark. (I just tripped up over this thread, sorry for then jumping in.)


[1] Always fun. Some sites selectively hide input (like a Wiki (different wiki) that has its history contract certain details into a single line, but unCSSed gives them as 'a line per (new user created/whatever)', with timestamps on each rather than just the 'topmost'. And this is something I can do deliberately on desktop but I've never tried to invoke on the tablet, just work with it when it goes 'au naturel'.

[2] Maybe I've got far too trusting a certificate hierarchy, somehow! ;)
Logged

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #3 on: March 26, 2024, 06:42:00 pm »

>And that's cyrillic for Kb/s, yes?

Yes, and im on windows pc/android phone. My pc internet is wired, second bar with x is the second sim card I think.

I don't know much about tech stuff, but I've tried other websites/game wikis, and df wiki is the only website that does this issue, so I'm guessing it's not a problem on my end.

But it probably is since I'm the only one reporting it? idk, could it be both? My phone's pretty old, maybe nobody else reporting since nobody else has the same phone/android version/whatever else, and dwarffortresswiki.org specifically has some problem with it?

...so i've checked with other phone browsers. firefox says its not secure while loading the page, and that it's secure after finished loading. my default phone browser (not chrome or firefox) stops me from accessing the page and says that the site's certificate is from unreliable source, but when i tap continue and it loads the page anyway, it says the certificate is valid. i just dont know.

Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #4 on: March 26, 2024, 07:08:09 pm »

What version is the operating system on your phone?
Logged
Really hoping somebody puts this in their signature.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #5 on: March 26, 2024, 11:32:15 pm »

android 6.0.1 mmb29m
Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #6 on: March 26, 2024, 11:53:30 pm »

android 6.0.1 mmb29m

 :o

That’s absolutely ancient.  You should look into upgrading the version of Android on your phone!
Logged
Really hoping somebody puts this in their signature.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #7 on: March 27, 2024, 12:09:46 am »

its last updated 2018 and they dont support my phone anymore. anyway how would it be the problem regarding one specific website's certificate?
Logged

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #8 on: March 29, 2024, 12:43:02 am »

apparently i have exactly the same issue with df bug tracker dwarffortressbugtracker.com. i'm guessing somebody who manages technical side of both sites did something to cause it.
« Last Edit: March 29, 2024, 12:44:43 am by zetsfinetoo »
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #9 on: March 29, 2024, 08:46:47 am »

When you see the "certificate not trusted" error, can you view the certificate's detailed properties? In particular, can you see the Issuer DN and the Fingerprints?

The current certificate in use on the wiki is issued to "CN = catsplode.com" (with SubjectAltName extensions for "[www.]dwarffortresswiki.org") by "CN = R3, O = Let's Encrypt, C = US", and its Fingerprints are "1B:B1:08:BC:D7:8D:0D:2C:2A:1A:49:A7:B9:EA:23:D8:0C:0B:89:F9:A1:2D:26:5A:28:30:FA:B3:39:67:FB:85" (for SHA-256) and "BF:56:4B:2B:E3:AB:D6:84:8B:88:6A:03:7A:F8:41:8E:31:1F:EA:58" (for SHA-1).

If the certificate you're seeing has those properties, then it's possible your device is just too old to recognize the current Let's Encrypt CA/Root. If its properties are different, then you're probably being man-in-the-middle attacked as described above.
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #10 on: March 29, 2024, 10:57:55 am »

properties seems the same as you wrote

i guess since i'm the only one getting it its my problem, but it was fine before and started to happen recently, and its only these two df sites, and i just hoped its fixable on website's owner end. well, im not buying new phone just to have easier access to df wiki, so i guess i'll keep suffering if nothing else can be done.

« Last Edit: March 29, 2024, 10:59:47 am by zetsfinetoo »
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #11 on: March 31, 2024, 09:29:03 am »

So it looks like your phone just doesn't trust Let's Encrypt certificates, which isn't surprising if it's particularly old (Let's Encrypt explicitly calls out Android 7 as being an "old" operating system along with Windows XP, and you're only running Android 6). In all likelihood, the DF Wiki and Bug Tracker are the only sites you happen to visit which use Let's Encrypt certificates, and it's possible they recently changed how their certs are issued.

If you can manually install the ISRG Root X1 certificate as a Trusted Root, you might be able to make those errors go away, though the ability to install trusted roots might be limited depending on the version of Android you're running (and the specific phone you're using might further restrict those options).
« Last Edit: March 31, 2024, 09:31:29 am by Quietust »
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #12 on: March 31, 2024, 12:20:15 pm »

the thing is, since my last message, chrome browser now says that connection is secure and doesnt spam me with warnings for some reason, i wonder what changed. i've tried some random website with lets encrypt certificate and firefox gets triggered still, just like i've described above "firefox says its not secure while loading the page, and that it's secure after finished loading"

i guess problem is solved for now. if chrome reverts back to hating df wiki i'll try to install this thing you've linked. thank you for your help.
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #13 on: April 12, 2024, 06:07:54 pm »

In case you're still curious, this article explains exactly what happened.

In particular:
Quote
On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
and
Quote
If you use Android 7.0 or earlier, you may need to take action to ensure you can still access websites secured by Let’s Encrypt certificates. We recommend installing and using Firefox Mobile, which uses its own trust store instead of the Android OS trust store, and therefore trusts ISRG Root X1.
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.