Certificates trusted by Mozilla fail the check

[daknob]

Sites with certificates trusted by the latest Mozilla Firefox are being reported as not trusted.
More specifically, I have observed such behavior from VeriSign Class 3 Public Primary Certification Authority - G5 and AddTrust Public Services Root so far. Will update this bug if I find more root CAs included in the moz-certs.pem and reported as not trusted.

[benjaminp]

See if curl fails, too. Browsers tend to be more aggressive building trust chains when there are missing intermediate certs than openssl.

[daknob]

Nope, curl(1) does not fail on getting the site over https.

[daknob]

To make a clarification, I visit the aforementioned websites with Firefox and there is no error but the script reports an error in the certificate and that it's not trusted by Firefox.

[daknob]

Update: Two websites that make sure of the same Root CA are being reported one as trusted and the other as not trusted. The site reported as not trusted has an EV Certificate if that helps.

[benjaminp]

What are the sites?

[daknob]

https://www.nbg.gr/
https://www.alpha.gr/

[benjaminp]

I think we're hitting the recent removal of 1024-bit certs from the Mozilla cert bundle and the fact that OpenSSL doesn't support certificate path discovery. Does it work with my recent change to moz-certs.pem?

[daknob]

Some sites (mostly EV's) have been fixed. Others unfortunately continue to be reported as not trusted.. I am still looking for a better file / solution to this problem as we speak..

[daknob]

I have manually added the Root CA's again into the moz-certs.pem file and it still cannot mark the websites as trusted. Checked the signature of the certificate presented and the certificate added in the file and they are identical.. Problem with OpenSSL? Something else?

[benjaminp]

I think I fixed https://www.nbg.gr/ hanging.

[benjaminp]

Both www.nbg.gr and www.alpha.gr work for me now.

[daknob]

Yup, they seem to work fine.
The problem now is that the script gets EPERM ( Issue #27 ) instead of anything else to show a better error message.

[benjaminp]

So, is this issue resolved?