Misconfigured web server behind grigoriefflab.umassmed.edu

2 posts / 0 new
Last post
karelmad
Misconfigured web server behind grigoriefflab.umassmed.edu

The webserver behind grigoriefflab.umassmed.edu used to download CISTEM at https://grigoriefflab.umassmed.edu/sites/default/files/cistem-1.0.0-beta... , is misconfigured.

It does not send the whole certificate chain, instead sending only the certificate for *.umassmed.edu. This works for web browsers, as they cache intermeddiate certificates, but when used with wget or other tools, it fails with:

ERROR: The certificate of ‘grigoriefflab.umassmed.edu’ is not trusted.
ERROR: The certificate of ‘grigoriefflab.umassmed.edu’ doesn't have a known issuer.
 

This prevents anyone from installing CISTEM and other tools distributed from this server using commandline tools.

 

Output of `openssl s_client -connect grigoriefflab.umassmed.edu:443`:

CONNECTED(00000003)
depth=0 C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = US, ST = MA, L = Worcester, OU = Information Technology, O = UMass Medical School, CN = *.umassmed.edu
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
---
Server certificate
...

 

Compare with https://nginx.org/en/docs/http/configuring_https_servers.html section SSL certificate chains. As you can see, your certificate is signed by an intermediate certificate which is then not sent by your server. Because the C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018 certificate is not a root certificate, commandline tools and some browsers will refuse to connect.

Please forward this to whoever is responsible for the server.

Thanks in advance

Karel

 

niko
Please use

Please use

wget --no-check-certificate https://grigoriefflab.umassmed.edu/sites/default/files/cistem-1.0.0-beta-intel-linux.tar.gz

Log in or register to post comments