
#1 2021-01-16 14:22:35

sh0rez
Member
Registered: 2020-08-31
Posts: 3

Unable to verify Apple IST CA 2 on Chromium and curl but Firefox works

Hey all,

I'm running into some issues regarding TLS certificates. For a few weeks already, several `apple.com` sites no longer properly load for me, because assets they use (CSS files, etc) can't be loaded. An example that does not load is https://store.storeimages.cdn-apple.com … v-plus.css.

It seems that the certificate of store.storeimages.cdn-apple.com is signed by Apple IST CA 2 (SHA1: 31:13:4A:0F:94:F8:A5:A6:15:4B:5D:09:5F:68:37:E8:35:8D:39:1D), which appears as the root when inspecting the certificate from Chromium. However, Chromium does not trust it. This can be reproduced with curl as well:

$ curl https://store.storeimages.cdn-apple.com/4668/store.apple.com/shop/Catalog/global/css/web/programs/apple-tv-plus.css
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When using Firefox on the same machine however, the page loads just fine. Inspecting the certificate using Firefox, it actually finds a certificate authority above Apple IST CA 2, namely Baltimore CyberTrust Root (SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74).

I assume this is related to the fact that Firefox uses its own trust store, while Chromium and curl use the system one.

Is this a known problem? Shall I file a bug with ArchLinux?

Thanks a lot!


#2 2021-01-19 05:14:12

alkaid
Member
Registered: 2017-10-26
Posts: 4

Re: Unable to verify Apple IST CA 2 on Chromium and curl but Firefox works

Hi, I encountered the same problem. I don't think it is Archlinux's problem.
Basically, the Apple IST CA 2 is signed by two root CAs. One of them (GeoTrust Global CA) got removed by upstream (https://developer.mozilla.org/en-US/doc … ease_notes) while the other one (Baltimore CyberTrust) remains valid.
However, the Apple CDN is configured to return the GeoTrust certificate chain, which of course gets rejected. Firefox is able to discover the other valid certificate chain, regardless of the Apple CDN returning the wrong chain.

I wouldn't recommend it, but as a workaround, you may want to install the intermediate certificate discovered by Firefox into your system/browser trust store (refer to https://wiki.archlinux.org/index.php/Us … rtificate).

Baltimore -> Apple IST CA 2 cert wrote:

-----BEGIN CERTIFICATE-----
MIIEnjCCA4agAwIBAgIQBVLH7/7sKSup8Th7B6+SnzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTE4MTIxMjEyMDAwMFoXDTI1MDUwNzEyMDAwMFowYjEcMBoGA1UEAxMTQXBwbGUgSVNUIENBIDIgLSBHMTEgMB4GA1UECxMXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoTCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JOhHUdDIBayC2vrw9W06MeYzfPev+hN6eM2gAf8RRtqfEWGrlbTpAl/YQ1rXX5Sa320yDnE9Gc694POGW+GL35FfkccZ1LKlQVd4jZRhcDUZ4A1bxXdPv0d0v2PNFDY7HYqvuPT2uT9yOsoApYRlxdhHOnEWTtC3DLRCR3aptFDhv9esryMz2bbAYsCrpRI8ziP/eoyqAjshpdRlCQ+SUmWU+h5oUCB6QW7k5VR/OP9fBFL954IsxVJFQf50Tegm0sy9rXE3GrR/Art9uDFKaCoi3H+DZK8/lRwGAptx+0M+8ktBsOMhfzLhlzWNo4Siwl/+xkaONXwlDB6D6aM8wIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFNh6lER8kHCQFp7dF5wBRAOG1iopMB8GA1UdIwQYMBaAFOWdWTCCR1jMrPoIVDaGezq1BE3wMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vT21uaXJvb3QyMDI1LmNybDBbBgNVHSAEVDBSMAwGCiqGSIb3Y2QFCwQwCAYGZ4EMAQICMDgGCmCGSAGG/WwAAgQwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzANBgkqhkiG9w0BAQsFAAOCAQEAWgDobaZ4Dq8zSOdyWvCa+Tad60OIwE9qkz2o33KFCcAM/CvxXrcXTTYo9VJHninE+G9SguIdukkDDAOHMT8WvsqomydMXknQJVbREOAXKUKgS5q0/9ou9N1FjJvkhPGFzAbuLnSJtLomfJPxHW4h3l6bdliQodVQXd3xUbXRqTKNUbF9bIh4601+KhyZL0u0B/eTppf/1O5S+qFAyRADr1lvfIeNHZv11iyf4u7euLBsXjyT3vPwxrihpAwB5pu/DhJWh4iv70Q7pcvAaRRfiJgMj3A0fFgvqvGbW9jmt04+Cr/PjpWeMFt3KKj3DRh4jJKjJUGt+JxdGGJ4tCGyCw==
-----END CERTIFICATE-----

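The situation alkaid describes (an intermediate cross-signed by two roots, the server sending the chain to the root that was removed, and the curl failure in the first post) can be reproduced offline with a miniature PKI. The script below is an added example, not code from the thread or from Apple; the CA names, the hostname cdn.example.test and all file names are invented, and it assumes OpenSSL 1.1.1 or later on PATH. It builds two roots, one intermediate key cross-signed by both, and a leaf, then runs `openssl verify` three times: the server-sent chain while the old root is still trusted, the same chain after the old root is removed (curl's "unable to get local issuer certificate"), and the alternate cross-signed intermediate against the remaining root, which is what installing the Baltimore-issued Apple IST CA 2 certificate achieves.

```shell
#!/bin/sh
# Added demo (not from the thread): a miniature PKI reproducing the
# cross-signing situation. All CA names, hostnames and file names are made up.
# Requires OpenSSL 1.1.1 or later.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Private config so the system openssl.cnf cannot inject its own extensions.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cdn.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Two self-signed roots, standing in for the removed root (GeoTrust Global CA
# in the thread) and the root that is still trusted (Baltimore CyberTrust).
make_root() {  # $1 = file stem, $2 = CN
  openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_root old-root "Old Root (removed from trust store)"
make_root new-root "New Root (still trusted)"

# One intermediate key pair and one CSR ...
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr 2>/dev/null

# ... cross-signed by BOTH roots: same subject, same public key, different issuer.
sign_int() {  # $1 = root stem, $2 = output file
  openssl x509 -req -in int.csr -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 3650 -sha256 -extfile ca.cnf -extensions v3_int -out "$2" 2>/dev/null
}
sign_int old-root int-by-old-root.crt
sign_int new-root int-by-new-root.crt

# The server's leaf, issued with the intermediate key. Its issuer DN and the
# AKID (key id only) match either cross-signed intermediate certificate.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=cdn.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int-by-old-root.crt -CAkey int.key \
  -CAcreateserial -days 825 -sha256 -extfile ca.cnf -extensions v3_leaf \
  -out leaf.crt 2>/dev/null

# Trust stores: "before" (both roots) and "after" (old root removed upstream).
cat old-root.crt new-root.crt > store-before.pem
cp new-root.crt store-after.pem

# Verify leaf.crt against a trust store, given the intermediate the server sent
# (or the one the client fetched or cached, as Firefox does). Prints ok or FAIL.
chain_ok() {  # $1 = trust store, $2 = intermediate file
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

# Both cross-signed intermediates carry the same subject public key, so the
# leaf's signature validates under either; only the path to a root differs.
same_spki() {
  a=$(openssl x509 -in int-by-old-root.crt -noout -pubkey | openssl sha256)
  b=$(openssl x509 -in int-by-new-root.crt -noout -pubkey | openssl sha256)
  [ "$a" = "$b" ] && echo yes || echo no
}

echo "server-sent chain, old root still trusted: $(chain_ok store-before.pem int-by-old-root.crt)"
echo "server-sent chain, old root removed:       $(chain_ok store-after.pem int-by-old-root.crt)"
echo "alternate cross-sign, old root removed:    $(chain_ok store-after.pem int-by-new-root.crt)"
echo "intermediates share subject public key:    $(same_spki)"
```

The third `openssl verify` is the workaround from this post in miniature: once the client has the Baltimore-issued copy of the intermediate available (installed locally, cached, or fetched from the AIA URL), path building can ignore the chain the server sent and reach a root that is still in the store. The proper fix is on the server side, which should send the chain that terminates at the still-trusted root.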

#3 2021-01-19 11:13:13

gromez
Member
Registered: 2021-01-19
Posts: 1

Re: Unable to verify Apple IST CA 2 on Chromium and curl but Firefox works

Same issue here, but also on Firefox.
I've rolled back ca-certificates-mozilla to an older version (3.59.1-1) and it works fine.
