Bad certificate for community.spark.io


#1

Both Chrome and Firefox are complaining that community.spark.io is not who they say they are. Either there is a bad cert somewhere out there, or I have screwed up in some weird way, or paranoid me is subject to a MITM attack. My nameserver and Google’s each resolve community.spark.io to 54.83.47.88


#2

I get the same IP for community.spark.io, so you’re clear there.

Chrome doesn’t seem to complain about the cert, but Firefox gets upset:

```
community.spark.io uses an invalid security certificate.

The certificate is not trusted because it was issued by an invalid CA certificate.

(Error code: sec_error_inadequate_key_usage)
```

#3

I’m getting the same error on api.spark.io. My ruby app that connects to it is failing now as well:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Using https://www.sslshopper.com/ssl-checker.html#hostname=api.spark.io shows an “Unkown error”, and Firefox claims:

The certificate is not trusted because it was issued by an invalid CA certificate.
(Error code: sec_error_inadequate_key_usage)

Chrome ignores CRLs (certificate revocation lists) and other mechanisms to revoke certs, so I wonder if that’s what happened.


#4

@zachary pushed a new SSL certificate a few hours ago. Thanks for sharing so they can fix it! :slight_smile:


#5

OK thanks, I see where the problem is. I still received the cert issued on 13/01/14,
and probably this one is revoked. So there is probably some cache somewhere that is not yet updated
with the new cert.


#6

The forum works on my Win 7 Chrome, my KitKat 4.4 Chrome but NOT on my iOS 7 Chrome (!!!). Anyone else with this problem?


#7

Firefox (Win 7 & Precise) says that the AD:6D:28:18:E7:E1:D3:4F:6A:68:79:F2:8D:EA:B6:CE:72:AD:3D:2B certificate is not trusted, but Chrome (same Win 7) is okay with the same one.
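Several posts here compare SHA-1 fingerprints and quote Firefox's `sec_error_inadequate_key_usage`. The Ruby below is an added example, not code from any poster, Spark or Comodo: it builds a constructed ECDSA chain (the names `Example Root`, `Example ECC CA` and `*.example.test` are hypothetical), lists each certificate's fingerprint and keyUsage, and shows verification failing when a CA certificate's keyUsage does not permit certificate signing. The thread never establishes that this was the actual defect in the Comodo chain; it is one illustration of a key-usage restriction breaking a chain.

```ruby
require "openssl"

# Issue one throwaway certificate (constructed sample data only).
def issue(cn, serial, key, issuer, issuer_key, ca, usage)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# root -> intermediate -> leaf on ECDSA P-256; only the intermediate's
# keyUsage differs between calls.
def build_chain(intermediate_usage)
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::EC.generate("prime256v1") }
  root = issue("Example Root", 1, rk, nil, nil, true, "keyCertSign,cRLSign")
  inter = issue("Example ECC CA", 2, ik, root, rk, true, intermediate_usage)
  leaf = issue("*.example.test", 3, lk, inter, ik, false, "digitalSignature")
  [root, inter, leaf]
end

# Verify the leaf against the trusted root, then describe each certificate.
def inspect_chain(root, inter, leaf)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  ok = store.verify(leaf, [inter])
  rows = [leaf, inter, root].map do |c|
    { subject: c.subject.to_s,
      sha1: OpenSSL::Digest.new("SHA1").hexdigest(c.to_der).upcase.scan(/../).join(":"),
      sig_alg: c.signature_algorithm,
      key_usage: c.extensions.find { |e| e.oid == "keyUsage" }&.value }
  end
  { ok: ok, error: store.error_string, rows: rows }
end

%w[keyCertSign,cRLSign digitalSignature].each do |usage|
  result = inspect_chain(*build_chain(usage))
  puts "intermediate keyUsage=#{usage}: verify=#{result[:ok]} (#{result[:error]})"
  result[:rows].each { |r| puts "  #{r[:sha1]}  #{r[:key_usage]}  #{r[:subject]}" }
end
```

The error text printed for the failing chain depends on the OpenSSL version linked into Ruby, which is the same kind of client-to-client disagreement the posts above report.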


#8

The acknowledgement of the error on the Spark.io status page …

Update - We’ve submitted a support ticket to Comodo and are awaiting their response.
Apr 19, 15:03 CDT
Identified - We’ve identified an issue with some versions of Firefox that don’t appear to trust COMODO’s ECC root certificate authority, trying to identify a fix for this issue.
Apr 19, 11:05 CDT

… does not fully describe the extent of the problem. For me, on Ubuntu 12.04 (up to date, and rebooted 5 mins ago to check all this again, and I’ve also completely cleared Chrome’s cache) both Firefox and Chrome complain about the https://community.spark.io/ site. On Firefox I have to create an exception to the certificate checking. On Chrome I cannot get access at all. Naming @zachary purposefully. I’ve also sent e-mail to the general spark address.


#9

Thanks all. Still working on it with Comodo. No idea what’s causing the problems. Also, FYI, none of the old certificates have been revoked yet. www.spark.io is still using the old certificate. API & community are using the new one. As I find out more, I’ll post to status page.


#10

Hey guys, not sure if it is related, but on Linux (Ubuntu 12.04) using either chromium or firefox, I still get the cert error and any use of the IDE to compile or flash gets a 404. Even trying to flash from another box that doesn’t get the SSL warning results in the UI saying the device is flashed, but my spark core doesn’t even blink. Is this all related? Is the core erroring out the cert?


#11

NSA ? :slight_smile: Got to Love those Guys.


#12

Status has been updated:

Update - Comodo says “there may be a problem with Firefox and our EC certificates”. They are investigating the issue.
Apr 21, 09:04 CDT

In Firefox, I get a

(Error code: sec_error_inadequate_key_usage)


#13

Both the status page here and Comodo seem not to reflect the full picture. As already reported (and not only by me, and there is another forum topic on this certificate issue) Chrome (on Ubuntu 12.04) will not allow access to community.spark.io - Chrome says the certificate is improperly formatted. Considering that the status page has been updated but the status only acknowledges a Firefox problem, can someone [@zachary ?] please ensure Comodo are told about this too? Thanks


#14

I see the same issue using curl

===

```
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Bad certificate received. Subject = 'CN=*.spark.io,OU=PremiumSSL Wildcard,O=Spark Devices,STREET=1010 W Lake St Suite 100-105,L=Minneapolis,ST=Minnesota,postalCode=55408,C=US', Issuer = 'CN=COMODO ECC Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB'
* NSS error -8102
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
```

#15

It sounds like the latest Firefox nightly v31a1 fixes the problem. It’s set to release next week, and Comodo is pushing Mozilla to release faster.

@psb777 Thank you—please post the exact version number of Chrome that fails on Ubuntu 12.04. I’d love it if someone else could reproduce.

@jShaf Is there an update available for your CA certificate bundle? If not, what operating system are you on?

Comodo’s going to get us a re-issued certificate that’s more broadly accepted.


#16

google-chrome-stable/stable uptodate 34.0.1847.116-1
firefox/precise-security uptodate 28.0+build2-0ubuntu0.12.04.1
both the above fail on an up to date Ubuntu 12.04 as I described: Firefox requires the setting up of a certificate exception, and Chrome does not allow access at all.
I believe @lemouchon has long since reported the same problem also in Ubuntu in the topic https://community.spark.io/t/issue-with-ssl-certificate-of-the-forum-in-chrome-and-firefox-on-linux/3978

It seems to me that Comodo wrongly blames Firefox for their error.


#17

All fixed everyone. Comodo issued us a fully functional certificate, and it’s been installed on the community and the API. Thanks for your patience and your help debugging!


#18

I confirm it works now. Many thanks for your work and great support.