certificate not renewed?

[communicant]

For several days now, when I log on to Fastmail, my browser warns me that the validity of the site cannot be verified by a current certificate. This usually means that someone has forgotten to renew it, but if that is the case here, then it is surprising. After all, this isn't a one-man shop where something can be overlooked during a holiday. It is somewhat disturbing that something so basic could be overlooked by an operation like Fastmail, and for days on end. Is there some other explanation?

[sflorack]

Check the blog: http://blog.fastmail.fm/2012/09/06/f...icate-updated/

[FredOnline]

there was a period of about 30 minutes where some users with old browsers might have seen “invalid certificate” errors

A reminder to keep up to date?

It seems the Fastmail guys are busy doing . . . whatever, so are not being pro-active, and only reacting after the fact?

[communicant]

For me it has been more like three days than thirty minutes, though I have noticed that with some services, when certificates change, a warning persists indefinitely even though everything is OK. This may be one of those cases where the warning is not going to stop appearing, perhaps because of my old browser, or perhaps because the issuing authority is different, or simply as the result of an electronic glitch of some sort. As long as I know things are in order I shall just ignore it, though it is yet another small but repetitive step to go through each day when logging on. (Sigh.)

[nbarr]

Have you tried cleaning your cache ?

[communicant]

Quote:

Originally Posted by nbarr

Have you tried cleaning your cache ?

I completely reset my browser (which includes clearing the cache and much else) after every single online session.

[robn]

As noted, I blogged about this:

http://blog.fastmail.fm/2012/09/06/f...icate-updated/

No lack of proactivity here - the existing certificate didn't expire until November, but the new one arrived so we installed it. The minor mistake I made was to not chain the signing certificate properly, which can cause problems on very old browsers (mainly IE6) that aren't carrying that particular CA certificate.

So it should all be working properly now. The only place we're aware of that might not be quite right is on browsers that don't handle wildcard certificates properly. As far as we're aware though, that's a very small number of ancient cellphone browsers/WAP clients.

To help figure out where the problem is it would be useful to know the browser/platform you're using, the exact hostname you're accessing (eg fastmail.fm vs www.fastmail.fm vs beta.fastmail.fm) and any information about the certificate you can get from your browser (subject, fingerprint, etc).

[jff6791]

I've also been experiencing certificate problems for the past few days using Chrome browser. This is what comes up when accessing the site:
========================================
The site's security certificate is not trusted!
You attempted to reach www.fastmail.fm, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

Help me understand
When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

In this case, the certificate has not been verified by a third party that your computer trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with www.fastmail.fm instead of an attacker who generated his own certificate claiming to be www.fastmail.fm. You should not proceed past this point.

If, however, you work in an organization that generates its own certificates, and you are trying to connect to an internal website of that organization using such a certificate, you may be able to solve this problem securely. You can import your organization's root certificate as a "root certificate", and then certificates issued or verified by your organization will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organization's help staff for assistance in adding a new root certificate to your computer.
====================================

Similar result with IE8:
====================================
There is a problem with this website's security certificate.


The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information


If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

============================================

Not getting these warnings with any other web sites .

John

[robn]

Quote:

Originally Posted by jff6791

I've also been experiencing certificate problems for the past few days using Chrome browser. This is what comes up when accessing the site:

Could you please post the certificate fingerprint? Go through to the page (there should be a "access the page anyway" type link or button on the warning screen). Click the padlock in the left of the location bar, then find the "certifcation information" link. The fingerprint (and lots of other interesting info) is in there.

Fyi, this is what I see: http://i.imgur.com/Vavhr.png and http://i.imgur.com/JlZlO.png.

The more information you can give from these screens the better, but the fingerprint is the most important one.

[Berenburger]

Quote:

Originally Posted by jff6791

I've also been experiencing certificate problems for the past few days using Chrome browser. ......

I'm also using Chrome, but not experiencing these problems. Are you up-to-date with your OS and browsers?

@RobN: Please ask Edwin for the representative status.

[drew]

I am using linux and latest Firefox and signed in now
to the beta.fastmail.fm webmail interface and
it had no trouble with certificate.
So does it relate to the old interface maybe?

[communicant]

Quote:

Originally Posted by robn

Could you please post the certificate fingerprint? Go through to the page (there should be a "access the page anyway" type link or button on the warning screen). Click the padlock in the left of the location bar, then find the "certifcation information" link. The fingerprint (and lots of other interesting info) is in there. [...]

The more information you can give from these screens the better, but the fingerprint is the most important one.

If this is what you mean, here is what Safari gives me as the fingerprint --

SHA1 7F 55 9E D0 CE D2 71 A2 A4 86 0A 01 AD 1C A0 08 4A 43 88 52

MDS FA 5A 3B 3B 9A 87 B6 C1 D6 AC 93 9C 89 36 4F 59

Is that any use to you?

[robn]

Yes - it tells us that something weird is happening! As far as we're able to tell everything is fine, but clearly its not, so we need more information.

To communicant and jff6791 (and anyone else seeing the problem): Please post the your browser and version and your OS and version.

[jff6791]

Quote:

Originally Posted by robn

Yes - it tells us that something weird is happening! As far as we're able to tell everything is fine, but clearly its not, so we need more information.

To communicant and jff6791 (and anyone else seeing the problem): Please post the your browser and version and your OS and version.

Browser is Chrome 10.0.648.205. OS XP SP3 Version 5.1.2600. Windows updates on auto. The thumbprint for the certificate comes up as: 7f 55 9e d0 ce d2 71 a2 a4 86 0a 01 ad 1c a0 08 4a 43 88 52. It also says "Windows does not have enough information to verify this certificate"

[communicant]

robn, please ask the admin for representative status. (See the post from Berenburger a little earlier in this thread, which has a clickable link to Edwin for your use.) Reps of email providers who post here (like several of your colleagues at FastMail) are asked to do this when they first post, and they are then identified as such automatically.