in reply to weird certificate behaviour browsing perlmonks.org with chrome
Just for the record, the correct certificates for Perlmonks (all servers) are issued by Sectigo. I think somebody (your employer?) installed an SSL-decrypting endpoint like a transparent proxy and forgot to install the wildcard certificate of it into your Chrome browser.
openssl s_client -showcerts -servername 216.92.34.251 -connect css.perlmonks.org:443 </dev/null
openssl s_client -showcerts -servername 66.39.54.27 -connect css.perlmonks.org:443 </dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 19 00:00:00 2023 GMT; NotAfter: Oct 19 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3822 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
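The comparison the reply describes (is the leaf certificate really issued by Sectigo, or by an intercepting proxy's CA?) can be automated over saved `openssl s_client` output. This is an added example, not part of the original post; the function names and the INTERCEPTED and SPOOFED_NAME samples, including "Example Corp", are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output by leaf issuer and verify code.
# The expected issuer organisation is taken from the post; the rest is illustrative.
EXPECTED_ISSUER_O="Sectigo Limited"

# Print the O= field of the "issuer=" line (the server certificate's issuer).
# Limitation: organisation names that contain a comma are truncated at it.
leaf_issuer_org() {
    awk '/^issuer=/ {
        line = $0; sub(/^issuer=/, "", line)
        n = split(line, parts, /, */)
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^O *= */) {
                sub(/^O *= */, "", parts[i]); print parts[i]; exit
            }
    }'
}

# Print the numeric code from the "Verify return code:" line.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# The issuer is checked first: a proxy CA installed in the local trust store
# still yields "Verify return code: 0", so the code alone proves nothing.
# The code is checked second: an issuer *name* alone can be imitated.
classify() {
    org=$(printf '%s\n' "$1" | leaf_issuer_org)
    code=$(printf '%s\n' "$1" | verify_code)
    if [ -z "$org" ]; then echo "no-certificate"
    elif [ "$org" != "$EXPECTED_ISSUER_O" ]; then echo "unexpected-issuer: $org"
    elif [ "$code" != "0" ]; then echo "untrusted-chain: code $code"
    else echo "ok"
    fi
}

# GENUINE: the two relevant lines from the output in the post.
GENUINE='issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Verify return code: 0 (ok)'
# INTERCEPTED (constructed): proxy CA missing from the client trust store.
INTERCEPTED='issuer=C = US, O = Example Corp, CN = Example Corp TLS Inspection CA
Verify return code: 19 (self-signed certificate in certificate chain)'
# SPOOFED_NAME (constructed): right-looking issuer name, chain does not verify.
SPOOFED_NAME='issuer=O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Verify return code: 20 (unable to get local issuer certificate)'

# Live use: classify "$(openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null)"
```

Run it from a machine on the suspect network and from one outside it; differing results for the same host point to interception on the path.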