Hello folks (from Firefox)!

For some days now, and only when using Chrome (version 125.0.6422.113 (Official Build 64 bit)), I can no longer browse perlmonks.org (nor www. .com .net etc.) because of the following weird error: NET::ERR_CERT_INVALID. Inspecting the certificate, I see the certificate presented is: css.perlmonks.com, Common Name: <empty>, issued by: Common Name: GTB Technologies, Inc (46115)

If I inspect it with openssl.exe (I'm on Windows but I don't lean out of it.. :) and grep I see valid certs only:

openssl s_client -showcerts -servername 66.39.54.27 -connect css.perlmonks.org:443 2>/nul | grep CN
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
^C^C

Without grepping the output I notice: Verify return code: 20 (unable to get local issuer certificate) but that should not be an issue.

The same happens with openssl   .... -servername 216.92.34.251 ... (the other IP).

I cleaned the site's data and all data from all websites stored in Chrome (cookies not cleared, though), and a reboot happened in the meantime.

If I export the certificates I can also see the right SAN (Subject Alternative Names):

openssl x509 -text -in css.perlmonks.com_TEST.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 82:1f:b9:20:57:2d:8f:be
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, CN = "GTB Technologies, Inc (46115)"
        Validity
            Not Before: Sep 19 00:00:00 2023 GMT
            Not After : Oct 19 23:59:59 2024 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:css.perlmonks.com, DNS:css.perlmonks.net, DNS:css.perlmonks.org, DNS:perlmonks.com, DNS:perlmonks.net, DNS:perlmonks.org, DNS:www.perlmonks.com, DNS:www.perlmonks.net, DNS:www.perlmonks.org
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption

...but with this strange issuer: Issuer: C = US, CN = "GTB Technologies, Inc (46115)". Does it mean I'm under a transparent device masking my request? If so, why not with Firefox? Just for your info, and in the hope this is useful information.

L*

There are no rules, there are no thumbs..
Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.

Replies are listed 'Best First'.
Re: weird certificate behaviour browsing perlmonks.org with chrome
by Corion (Patriarch) on May 30, 2024 at 14:44 UTC

    Just for the record, the correct certificates for Perlmonks (all servers) are issued by Sectigo. I think somebody (your employer?) installed an SSL-decrypting endpoint like a transparent proxy and forgot to install the wildcard certificate of it into your Chrome browser.

    openssl s_client -showcerts -servername 216.92.34.251 -connect css.perlmonks.org:443 </dev/null
    openssl s_client -showcerts -servername 66.39.54.27 -connect css.perlmonks.org:443 </dev/null
    CONNECTED(00000003)
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    verify return:1
    depth=0
    verify return:1
    ---
    Certificate chain
     0 s:
       i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: Sep 19 00:00:00 2023 GMT; NotAfter: Oct 19 23:59:59 2024 GMT
     1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
       i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
       v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
    ---
    Server certificate
    subject=
    issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 3822 bytes and written 399 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    DONE
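
An added example (not part of any poster's message): a small parser for the `Certificate chain` section of `openssl s_client` output that reports the leaf issuer's CN, whether it matches the CA this thread names as correct, and whether the leaf subject is blank. The two sample outputs are constructed from values quoted in the thread, and the function names are this example's own.

```python
import re

# Issuing CA the thread names as correct for the site (Sectigo).
EXPECTED_ISSUER_CNS = {"Sectigo RSA Domain Validation Secure Server CA"}

# Constructed samples: trimmed `openssl s_client` output built from the thread's values.
DIRECT = """CONNECTED(00000003)
---
Certificate chain
 0 s:
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
"""
INTERCEPTED = """CONNECTED(00000003)
---
Certificate chain
 0 s:
   i:C = US, CN = "GTB Technologies, Inc (46115)"
---
"""

def cn_of(dn):
    """Return the CN from a DN in either openssl one-line style, or ''."""
    dn = dn.strip()
    if dn.startswith("/"):  # older style: /C=GB/O=.../CN=...
        return next((p[3:] for p in dn.split("/") if p.startswith("CN=")), "")
    # Newer style: comma-separated; a quoted value may itself contain commas.
    m = re.search(r'\bCN\s*=\s*(?:"([^"]*)"|([^,]+))', dn)
    return (m.group(1) or m.group(2) or "").strip() if m else ""

def parse_chain(text):
    """Extract [{'subject': ..., 'issuer': ...}, ...] from s_client output."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain and (m := re.match(r"\s*(?:\d+\s+)?([si]):(.*)$", line)):
            if m.group(1) == "s":
                chain.append({"subject": m.group(2).strip(), "issuer": ""})
            elif chain:
                chain[-1]["issuer"] = m.group(2).strip()
    return chain

def assess(text, expected=EXPECTED_ISSUER_CNS):
    """Summarise the leaf certificate's issuer and how the chain links up."""
    chain = parse_chain(text)
    leaf_issuer = cn_of(chain[0]["issuer"]) if chain else ""
    return {"leaf_issuer_cn": leaf_issuer,
            "issuer_expected": leaf_issuer in expected,
            "leaf_subject_empty": bool(chain) and chain[0]["subject"] == "",
            "chain_linked": all(c["issuer"] == p["subject"] for c, p in zip(chain, chain[1:]))}
```

Running `assess` on output captured from each client path (or each network) gives a quick comparison of which issuer is actually being presented.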
Re: weird certificate behaviour browsing perlmonks.org with chrome
by hippo (Archbishop) on May 30, 2024 at 13:59 UTC

    The common name (CN) on the certificate is blank which is frankly very weird. SSLlabs gives it a pass but you can see from the report that the common name is blank. It would not be surprising if this resulted in some problems here and there.

    Update: in Corion's post the openssl trace includes this:

    Certificate chain
     0 s:
       i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

    which explicitly confirms that the Subject (the line containing "s:") of the server certificate is entirely blank.


    🦛

Re: weird certificate behaviour browsing perlmonks.org with chrome
by marto (Cardinal) on May 30, 2024 at 13:19 UTC