Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Forums2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus)secure.2degreesbroadband.co.nz SSL cert
dfnt

1504 posts

Uber Geek

Lifetime subscriber

#240977 4-Oct-2018 20:56
Send private message

So the end is near for the distrust of Symantec, and its various subsidiary CA's, SSL certs via Chrome.

 

Just FYI, I'm running Chrome beta so on version70.0.3538.45 now, getting this when browsing to secure.2degreesbroadband.co.nz

 

Click to see full size

 

Probably best to get onto this asap, as the stable release of 70 is just around the corner, more info here

 

@2degreesCare

 

cc @NickMack

 

 

 

 

Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
skewt
747 posts

Ultimate Geek


  #2101819 4-Oct-2018 21:30
Send private message

If i browse to that site, it shows it as no error and a RapidSSL Cert from 19/05/2017

 

Sure its not something on your side?

 

 

 
 
 
 

Send money globally for less with Wise - one free transfer up to NZ$900 (affiliate link).
hio77
'That VDSL Cat'
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks
Subscriber

  #2101825 4-Oct-2018 21:39
Send private message

 

seems to be a valid cert imo...

 

 

 

seeing this though, 

 




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 

richms
27963 posts

Uber Geek

Trusted
Lifetime subscriber

  #2101826 4-Oct-2018 21:41
Send private message

Firefox gives me this:

 

 

 

Click to see full size




Richard rich.ms



dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101829 4-Oct-2018 21:47
Send private message

I'm assuming you're both using Chrome 70, and that you're both aware GeoTrust and RapidSSL were owned by Symantec before being purchased by Digicert. And that you're both aware of the Google/Symantec spat.

 

Copy/paste from the Google blog:

 

We previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL)

 

Chrome 70   Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. You’ll see a message in the console telling you if you need to replace your certificate.

 

 

hio77
'That VDSL Cat'
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks
Subscriber

  #2101832 4-Oct-2018 21:50
Send private message

dfnt:

 

I'm assuming you're both using Chrome 70, and that you're both aware GeoTrust and RapidSSL were owned by Symantec before being purchased by Digicert.

 

 

Right, that explains it...

 

 




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 

dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101835 4-Oct-2018 21:52
Send private message

Chrome 70 stable isn't out till mid October, that's when the masses will start seeing the Symantec cert error on sites that haven't migrated to non Symantec issued certs

skewt
747 posts

Ultimate Geek


  #2101836 4-Oct-2018 21:52
Send private message

Ahh, I had saw the bit about certs before 2016 being blocked but didn't realize they were going to block ALL certs from those providers

 

 



dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101837 4-Oct-2018 21:57
Send private message

skewt:

 

Ahh, I had saw the bit about certs before 2016 being blocked but didn't realize they were going to block ALL certs from those providers

 

 

 

 

Yeah that was for Chrome 66, the final nail in the coffin will be Chrome 70 distrusting all certs that were issued by the various Symantec brands.

 

I believe all new certs under those brands are issued by Digicert now, e.g.:

 

Click to see full sizea

michaelmurfy
meow
13182 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2101841 4-Oct-2018 22:17
Send private message

@dfnt As somebody who has had to replace a tonne of Symantec certificates over the last few months I can confirm you're correct here. The certs have to be redone with the new Digicert signer.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101857 4-Oct-2018 22:53
Send private message

michaelmurfy:

 

@dfnt As somebody who has had to replace a tonne of Symantec certificates over the last few months I can confirm you're correct here. The certs have to be redone with the new Digicert signer.

 

 

Working in banking I imagine there were a lot of certs to replace -_-

freitasm
BDFL - Memuneh
79000 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2101868 4-Oct-2018 23:06
Send private message

I can see so many sites going "Oh oh" when Chrome 70 comes out...




Please support Geekzone by subscribing, or using one of our referral links: Mighty ApeSamsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup

 

My technology disclosure

dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101871 4-Oct-2018 23:07
Send private message

freitasm:

 

I can see so many sites going "Oh oh" when Chrome 70 comes out...

 

 

Yeah, it's quite amusing/sad how many are still using Symantec/and their brands SSL certs

Lias
5575 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2101872 4-Oct-2018 23:10
Send private message

michaelmurfy:

 

The certs have to be redone with the new Digicert signer.

 

 

Or better yet with free Let's Encrypt, Comodo or AWS ACM certificates.. It's high time people stopped paying money for SSL certs.




I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.

michaelmurfy
meow
13182 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2101873 4-Oct-2018 23:13
Send private message

freitasm:

 

I can see so many sites going "Oh oh" when Chrome 70 comes out...

 

A month ago I was stressing a bit when one of our major sites didn't have a replacement certificate. I was going around with Google Chrome Canary doing verification when I noticed it, had to wait for the cert guys to generate a new cert and load it on the servers.

 

That was a month ago... Glad all the certs I am responsible for are now replaced ahead of schedule. But yes, I still come across quite a few sites with Symantec certs.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

dfnt

1504 posts

Uber Geek

Lifetime subscriber

  #2101874 4-Oct-2018 23:16
Send private message

Lias:

 

michaelmurfy:

 

The certs have to be redone with the new Digicert signer.

 

 

Or better yet with free Let's Encrypt, Comodo or AWS ACM certificates.. It's high time people stopped paying money for SSL certs.

 

 

I'm even using Let's Encrypt (wildcard cert) for all my internal devices, like EdgeRouter, Synology NAS, pihole etc using nginx as a reverse proxy to them. That way I don't have to deal with self signed cert warnings when accessing them, and I just have a singular device that the cert resides on.

 

So easy when using the Cloudflare certbot plugin, so you don't have to expose your internal services for validation

 1 | 2
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

New Suunto Run Available in Australia and New Zealand
Posted 13-May-2025 21:00

Cricut Maker 4 Review
Posted 12-May-2025 15:18

Dynabook Launches Ultra-Light Portégé Z40L-N Copilot+PC with Self-Replaceable Battery
Posted 8-May-2025 14:08

Shopify Sidekick Gets a Major Reasoning Upgrade, Plus Free Image Generation
Posted 8-May-2025 14:03

Microsoft Introduces New Surface Copilot+ PCs
Posted 8-May-2025 13:56

D-Link A/NZ launches DWR-933M 4G+ LTE Cat6 Wi-Fi 6 Mobile Hotspot
Posted 8-May-2025 13:49

Synology Expands DiskStation Lineup with DS1825+ and DS1525+
Posted 8-May-2025 13:44

JBL Releases Next Generation Flip 7 and Charge 6
Posted 8-May-2025 13:41

Arlo Unveils All-New PoE Adapter With Enhanced Connectivity
Posted 8-May-2025 13:36

Fujifilm Instax Mini 41 Review
Posted 2-May-2025 10:12

Synology DS925+ Review
Posted 23-Apr-2025 15:00

Synology Announces DiskStation DS925+ and DX525 Expansion Unit
Posted 23-Apr-2025 10:34

JBL Tour Pro 3 Review
Posted 22-Apr-2025 16:56

Samsung 9100 Pro NVMe SSD Review
Posted 11-Apr-2025 13:11

Motorola Announces New Mid-tier Phones moto g05 and g15
Posted 4-Apr-2025 00:00








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







Backblaze unlimited backup



RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
Hatch
GoodSync
Backblaze backup
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright