Bay 12 Games Forum


Author Topic: invalid certificate issue  (Read 3668 times)

zetsfinetoo

  • Bay Watcher
    • View Profile
invalid certificate issue
« on: March 26, 2024, 11:57:47 am »

I've been getting this message every time I try to load df wiki page on my phone's chrome browser for a few weeks now, the certificate is fine on my pc's chrome browser tho. Any solution? It's annoying to tap 2 extra times to load every wiki page.

« Last Edit: March 26, 2024, 12:01:44 pm by zetsfinetoo »
Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #1 on: March 26, 2024, 03:58:35 pm »

Sounds like you may need to update the list of CA (root) certificates used by your machine.  If you're on Windows, you should just be able to use Windows Update.  If you're on Linux, I'd need to know which distribution you're using (on mine the package to update is called "ca-certificates").
Logged
Really hoping somebody puts this in their signature.

Starver

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #2 on: March 26, 2024, 05:51:32 pm »

(zets says "on my phone's chrome browser", and the screenshot has phonelike elements...) I'm guessing Android, or at least I can test my Android tablet. And... No problem here. Chrome and Firefox both uncomplaining, using https, no warnings/broken padlocks/anything else of note, on both https://dwarffortresswiki.org/ and any sub-pages I click on from there (just to make sure).

I know I can go down from 4G to H+, H and even E at times (when off LAN), and it can disrupt downloads. Occasionally I get a page, but without (valid?) .CSS, and it gives a 'straight unformatted' page[1]. Sometimes I get a part page or the signal blips me into "No internet connection". (This isn't DF-Wiki, specifically, and I'm not sure it's happened for that. It's really more places that I'm far more frequently checking whilst out in the wilds/in the radio-shadow just down the road.) ...is it possible that you glitched the latest certificate update, and it hasn't then worked this out and corrected itself?

Also, perhaps you're actually on a non-private connection... If it were a Windows PC, I'd be looking for suspicious changes to the "hosts" file (".hosts" or similar would probably exist within your phone, too, but as likely to be protected from both your and malware access... not sure where I'd look for it, or the setting that gives the ability to reconfigure it 'wizardwise').

And that's Cyrillic for Kb/s, yes? Perhaps your phone connection is being officially 'Man-In-The-Middle'd by your service provider (your desktop connection is not, or it's being done 'better').



Plenty of options, and probably all of them utterly wrong. Force-reload the page? See if other https links give the same behaviour? Does it go wrong connected on your home wireless (that "x"ed signal bar, in that, or other connections that you might have) as well as when on mobile internet?


But if it's a site issue, I can't replicate[2], and there surely would be others mentioning this if it's been that kind of error "for a few weeks". Or whoever messed up the Trust Authority chain will know what they goofed, already. (It's happened before, I vaguely remember a 2007-8ish(? or 1997-8ish, even?) 'global mess-up' that hit a significant swathe of the internet. It needed, IIRC, a global updating via the messed up Certificate server/whatever, and took a couple of days and possibly relevant browser/internet settings being flushed, by impatient people, to hurry up the re-update. But before so much of a "https or nothing!" approach was widespread.)

So, you might need to do a bit of leg-work to try to give a bit more info (or find out it's definitely 'just' your issue), if my attempt to assist isn't waaay off the mark. (I just tripped up over this thread, sorry for then jumping in.)


[1] Always fun. Some sites selectively hide input (like a Wiki (different wiki) that has its history contract certain details into a single line, but unCSSed gives them as 'a line per (new user created/whatever)', with timestamps on each rather than just the 'topmost'). And this is something I can do deliberately on desktop but I've never tried to invoke on the tablet, just work with it when it goes 'au naturel'.

[2] Maybe I've got far too trusting a certificate hierarchy, somehow! ;)
Logged

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #3 on: March 26, 2024, 06:42:00 pm »

>And that's cyrillic for Kb/s, yes?

Yes, and I'm on windows pc/android phone. My pc internet is wired, second bar with x is the second sim card I think.

I don't know much about tech stuff, but I've tried other websites/game wikis, and df wiki is the only website that does this issue, so I'm guessing it's not a problem on my end.

But it probably is since I'm the only one reporting it? idk, could it be both? My phone's pretty old, maybe nobody else reporting since nobody else has the same phone/android version/whatever else, and dwarffortresswiki.org specifically has some problem with it?

...so i've checked with other phone browsers. firefox says it's not secure while loading the page, and that it's secure after finished loading. my default phone browser (not chrome or firefox) stops me from accessing the page and says that the site's certificate is from unreliable source, but when i tap continue and it loads the page anyway, it says the certificate is valid. i just don't know.

Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #4 on: March 26, 2024, 07:08:09 pm »

What version is the operating system on your phone?
Logged
Really hoping somebody puts this in their signature.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #5 on: March 26, 2024, 11:32:15 pm »

android 6.0.1 mmb29m
Logged

A_Curious_Cat

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #6 on: March 26, 2024, 11:53:30 pm »

Quote
android 6.0.1 mmb29m

 :o

That’s absolutely ancient.  You should look into upgrading the version of Android on your phone!
Logged
Really hoping somebody puts this in their signature.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #7 on: March 27, 2024, 12:09:46 am »

it's last updated 2018 and they don't support my phone anymore. anyway how would it be the problem regarding one specific website's certificate?
Logged

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #8 on: March 29, 2024, 12:43:02 am »

apparently i have exactly the same issue with df bug tracker dwarffortressbugtracker.com. i'm guessing somebody who manages technical side of both sites did something to cause it.
« Last Edit: March 29, 2024, 12:44:43 am by zetsfinetoo »
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #9 on: March 29, 2024, 08:46:47 am »

When you see the "certificate not trusted" error, can you view the certificate's detailed properties? In particular, can you see the Issuer DN and the Fingerprints?

The current certificate in use on the wiki is issued to "CN = catsplode.com" (with SubjectAltName extensions for "[www.]dwarffortresswiki.org") by "CN = R3, O = Let's Encrypt, C = US", and its Fingerprints are "1B:B1:08:BC:D7:8D:0D:2C:2A:1A:49:A7:B9:EA:23:D8:0C:0B:89:F9:A1:2D:26:5A:28:30:FA:B3:39:67:FB:85" (for SHA-256) and "BF:56:4B:2B:E3:AB:D6:84:8B:88:6A:03:7A:F8:41:8E:31:1F:EA:58" (for SHA-1).

If the certificate you're seeing has those properties, then it's possible your device is just too old to recognize the current Let's Encrypt CA/Root. If its properties are different, then you're probably being man-in-the-middle attacked as described above.
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.
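The fingerprint comparison suggested in the reply above can be scripted from a second device or network. This is an added example, not code from the thread: the function names and result labels are assumptions, and the expected values are the two fingerprints quoted in that reply.

```python
import hashlib
import socket
import ssl
import sys

# Fingerprints quoted in the reply above for the wiki's certificate at the time.
EXPECTED = {
    "sha256": "1B:B1:08:BC:D7:8D:0D:2C:2A:1A:49:A7:B9:EA:23:D8:"
              "0C:0B:89:F9:A1:2D:26:5A:28:30:FA:B3:39:67:FB:85",
    "sha1": "BF:56:4B:2B:E3:AB:D6:84:8B:88:6A:03:7A:F8:41:8E:31:1F:EA:58",
}

def fingerprint(der, algo="sha256"):
    """A fingerprint is the hash of the DER-encoded certificate, shown as AA:BB:..."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp):
    """Browsers differ in case and separators; reduce to bare upper-case hex."""
    hexed = fp.replace(":", "").replace(" ", "").upper()
    if not hexed or any(c not in "0123456789ABCDEF" for c in hexed):
        raise ValueError(f"not a hex fingerprint: {fp!r}")
    return hexed

def fetch_der(host, port=443):
    """Fetch the leaf certificate as served. Validation is off on purpose:
    the aim is to inspect what was presented, never to send data over it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify(der, expected):
    """same-certificate: the device's trust store is the likely problem.
    different-certificate: renewed since the reference was taken, or replaced
    in transit; re-check against a fresh reference from a trusted network."""
    same = all(normalize(fingerprint(der, algo)) == normalize(value)
               for algo, value in expected.items())
    return "same-certificate" if same else "different-certificate"

if __name__ == "__main__" and len(sys.argv) > 1:
    served = fetch_der(sys.argv[1])
    print(fingerprint(served, "sha256"))
    print(classify(served, EXPECTED))
```

Let's Encrypt certificates are renewed often, so a mismatch against fingerprints recorded weeks earlier is expected and needs a current reference before it means anything.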

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #10 on: March 29, 2024, 10:57:55 am »

properties seem the same as you wrote

i guess since i'm the only one getting it it's my problem, but it was fine before and started to happen recently, and it's only these two df sites, and i just hoped it's fixable on website's owner end. well, i'm not buying new phone just to have easier access to df wiki, so i guess i'll keep suffering if nothing else can be done.

« Last Edit: March 29, 2024, 10:59:47 am by zetsfinetoo »
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #11 on: March 31, 2024, 09:29:03 am »

So it looks like your phone just doesn't trust Let's Encrypt certificates, which isn't surprising if it's particularly old (Let's Encrypt explicitly calls out Android 7 as being an "old" operating system along with Windows XP, and you're only running Android 6). In all likelihood, the DF Wiki and Bug Tracker are the only sites you happen to visit which use Let's Encrypt certificates, and it's possible they recently changed how their certs are issued.

If you can manually install the ISRG Root X1 certificate as a Trusted Root, you might be able to make those errors go away, though the ability to install trusted roots might be limited depending on the version of Android you're running (and the specific phone you're using might further restrict those options).
« Last Edit: March 31, 2024, 09:31:29 am by Quietust »
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

zetsfinetoo

  • Bay Watcher
    • View Profile
Re: invalid certificate issue
« Reply #12 on: March 31, 2024, 12:20:15 pm »

the thing is, since my last message, chrome browser now says that connection is secure and doesn't spam me with warnings for some reason, i wonder what changed. i've tried some random website with lets encrypt certificate and firefox gets triggered still, just like i've described above "firefox says it's not secure while loading the page, and that it's secure after finished loading"

i guess problem is solved for now. if chrome reverts back to hating df wiki i'll try to install this thing you've linked. thank you for your help.
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: invalid certificate issue
« Reply #13 on: April 12, 2024, 06:07:54 pm »

In case you're still curious, this article explains exactly what happened.

In particular:
Quote
On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
and
Quote
If you use Android 7.0 or earlier, you may need to take action to ensure you can still access websites secured by Let’s Encrypt certificates. We recommend installing and using Firefox Mobile, which uses its own trust store instead of the Android OS trust store, and therefore trusts ISRG Root X1.
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.
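Why the same server works in one browser and fails in another, as a simplified model of the chain change quoted above. This is an added example, not from the thread or from Let's Encrypt: certificates are reduced to (subject, issuer) pairs with no signature or date checks, the trust-store contents are constructed, and "DST Root CA X3" (the root behind the cross-sign) is a name the thread does not mention.

```python
# Certificates as (subject, issuer). Constructed, simplified data.
LEAF = ("catsplode.com", "R3")
R3 = ("R3", "ISRG Root X1")
X1_CROSS_SIGNED = ("ISRG Root X1", "DST Root CA X3")  # the cross-sign

# What a web server sends in the TLS handshake.
SHORT_CHAIN = [LEAF, R3]                   # default since Feb 8th, 2024
LONG_CHAIN = [LEAF, R3, X1_CROSS_SIGNED]   # the alternate, longer chain

# Trust anchors, by subject name (assumed contents, for illustration only).
OLD_ANDROID_STORE = {"DST Root CA X3"}     # OS store without ISRG Root X1
FIREFOX_STORE = {"ISRG Root X1"}           # browser ships its own store

def build_path(served, trust_store):
    """Walk issuer links from the leaf until a trust anchor is reached.

    Returns the list of names from leaf to anchor, or None when the served
    certificates never lead to anything the client trusts.
    """
    intermediates = {subject: issuer for subject, issuer in served[1:]}
    subject, issuer = served[0]
    path, seen = [subject], {subject}
    while True:
        if issuer in trust_store:
            return path + [issuer]          # anchored: chain is acceptable
        if issuer not in intermediates or issuer in seen:
            return None                     # dead end or loop: untrusted
        seen.add(issuer)
        path.append(issuer)
        issuer = intermediates[issuer]

if __name__ == "__main__":
    for store_name, store in (("old Android", OLD_ANDROID_STORE),
                              ("Firefox", FIREFOX_STORE)):
        for chain_name, chain in (("short", SHORT_CHAIN), ("long", LONG_CHAIN)):
            print(store_name, chain_name, build_path(chain, store))
```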