bspk/mkjwk.org

SSL configuration incorrect

liamdawson opened this issue · 1 comment

When I visit https://mkjwk.org/ in Firefox, I'm required to add an exception, as some policy checks fail. Furthermore, openssl s_client reports an error:

○ openssl s_client -connect mkjwk.org:443
CONNECTED(00000005)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mkjwk.org
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=mkjwk.org
issuer=/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4169 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 00E0DDA37A7043CB03A8392E79EB5B2DA9E448C05936BDA52C6CEF83725446B6
    Session-ID-ctx: 
    Master-Key: 97895A10708085B9301A112643F8BCE5C7301C95C65932EF26EE99113360E586A0A53C9564CCF6E94363305612283545
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - be c3 34 ff fa 80 f5 e9-06 48 97 e3 3e 4e ae 6d   ..4......H..>N.m
    0010 - 8b e9 fc f7 ed 66 2b 9c-d8 94 7a 83 45 c5 1d a9   .....f+...z.E...
    0020 - 72 8a ce c3 6a 23 9f 89-84 a1 51 d1 f0 eb cb 5b   r...j#....Q....[
    0030 - c8 b4 8d f2 12 fd c6 71-f8 68 1e 2d ae b0 d2 62   .......q.h.-...b
    0040 - 6b 02 9f 40 60 2b 53 c6-0b 5d 02 f6 f0 cb 09 14   k..@`+S..]......
    0050 - ea 66 6d bf 55 1c 28 24-3b 40 b6 a2 f1 a4 28 84   .fm.U.($;@....(.
    0060 - b0 93 13 47 ee d9 17 49-0b a2 20 8d 0b 0a 5f 70   ...G...I.. ..._p
    0070 - ce 12 a9 6f d8 a4 c5 37-b1 82 76 c8 cf 93 6b ba   ...o...7..v...k.
    0080 - f4 d7 f1 27 3f 08 55 a9-7e d2 2b 67 65 a5 10 5d   ...'?.U.~.+ge..]
    0090 - bb d6 31 1e 93 26 4d 73-d1 03 d5 f2 6f c3 ad ec   ..1..&Ms....o...
    00a0 - 90 d6 49 77 fb 2a 8e f5-db 1c de 4b ef 2a f9 1c   ..Iw.*.....K.*..
    00b0 - c7 5f e7 d6 a6 3f db 47-ef 14 92 f0 4f 9f 9c 17   ._...?.G....O...

    Start Time: 1523238798
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This is a known issue; the server where this is hosted needs to have its TLS certificates updated, but nobody's had the bandwidth to do that recently.
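The transcript in the report shows the pattern behind error 20: the server sends three certificates, the last of which is the thawte Primary Root CA cross-signed by the older "Thawte Premium Server CA", and the verifier has no trusted certificate for that issuer. As an added example (not code from the issue author or from the mkjwk project), here is a small Python parser that takes saved `openssl s_client` output, checks that each certificate's issuer matches the next certificate's subject, and names the issuer the local trust store would need. The function names are mine, and `SAMPLE_OUTPUT` is a constructed abridgement of the transcript above.

```python
"""Parse `openssl s_client` output and explain a failed chain verification.

Added example for this issue (not the reporter's or the project's code).
SAMPLE_OUTPUT is a constructed abridgement of the transcript in the report.
"""
import re
from dataclasses import dataclass

# Constructed sample: chain and verify lines from the report, PEM and session data omitted.
SAMPLE_OUTPUT = """\
CONNECTED(00000005)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mkjwk.org
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
    Verify return code: 0 (ok)
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")          # " 0 s:/CN=..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")                # "   i:/C=..."
DEPTH_RE = re.compile(r"^depth=(\d+)\b")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
FINAL_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")
CN_RE = re.compile(r"CN\s*=\s*([^/,]+)")             # CNs containing ',' or '/' are not handled


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str


def cn_of(dn: str) -> str:
    """Return the CN of a DN written either as '/CN=x' or as 'CN = x'."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text: str) -> list[ChainEntry]:
    """Collect the 's:'/'i:' pairs of the 'Certificate chain' section."""
    lines = text.splitlines()
    entries = []
    for pos, line in enumerate(lines):
        m = CHAIN_RE.match(line)
        if not m or pos + 1 >= len(lines):
            continue
        mi = ISSUER_RE.match(lines[pos + 1])
        if mi:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
    return entries


def parse_verify_errors(text: str) -> list[tuple[int, int, str]]:
    """Return (depth, error number, message) for each 'verify error' line."""
    errors, depth = [], -1
    for line in text.splitlines():
        md = DEPTH_RE.match(line)
        if md:
            depth = int(md.group(1))   # the error line refers to the preceding depth line
            continue
        me = VERIFY_ERR_RE.match(line)
        if me:
            errors.append((depth, int(me.group(1)), me.group(2).strip()))
    return errors


def chain_is_linked(chain: list[ChainEntry]) -> bool:
    """True when every certificate's issuer is the subject of the next one."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))


def diagnose(text: str) -> dict:
    """Summarise the presented chain and the verifier's complaints."""
    chain = parse_chain(text)
    errors = parse_verify_errors(text)
    final = FINAL_RE.search(text)
    result = {
        "chain_length": len(chain),
        "chain_linked": chain_is_linked(chain),
        "last_is_self_signed": bool(chain) and chain[-1].subject == chain[-1].issuer,
        "errors": errors,
        "final_verify_code": int(final.group(1)) if final else None,
        "missing_issuer_cn": None,
        "advice": [],
    }
    for depth, num, _msg in errors:
        # 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the verifier reached
        # chain[depth] and found no trusted certificate for its issuer.
        if num == 20 and 0 <= depth < len(chain):
            issuer_cn = cn_of(chain[depth].issuer)
            result["missing_issuer_cn"] = issuer_cn
            result["advice"].append(
                f"chain stops at '{cn_of(chain[depth].subject)}' (depth {depth}), whose issuer "
                f"'{issuer_cn}' is not in the local trust store; serve a chain that ends at a "
                "certificate issued by a root the clients trust, and drop stale cross-signed roots.")
    if errors and result["final_verify_code"] == 0:
        result["advice"].append("per-depth error but final code 0: browsers build their own "
                                "path and may still reject this chain, so fix the bundle.")
    return result


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(json.dumps(diagnose(text), indent=2))
```

Run it with a saved transcript (`openssl s_client -connect host:443 -servername host </dev/null >out.txt 2>&1`, then `python3 check_chain.py out.txt`) or with no argument to see the diagnosis of the sample. On the report's transcript it reports a linked three-certificate chain whose last member is not self-signed and whose issuer, "Thawte Premium Server CA", is the certificate the verifier could not find locally; it also flags that the final "Verify return code: 0 (ok)" contradicts the depth-2 error, which is why the reporter's Firefox still demanded an exception.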