(Migrated) Expired cert on https://zato.io and missing OpenPGP key

(This message has been automatically imported from the retired mailing list)

Hi Zato team,

Wanted to make you aware that the certificate has seemed to expire on
https://zato.io

Also, following the documentation at
https://zato.io/docs/2.0/admin/guide/install-debian.html

The step:

$ curl -s http://zato.io/repo/zato-0CBD7F72.pgp.asc | sudo apt-key add -

…currently shows a missing Public key

$ curl -s http://zato.io/repo/zato-0CBD7F72.pgp.asc | sudo apt-key add -

gpg: no valid OpenPGP data found.

Sam

Dariusz, Brian,

Thanks for the quick response. Whatever problem I had before seems to
be resolved now.

Totally understood on certificate update. I just happened to be
working late last night. :)

On Wed, Apr 22, 2015 at 9:03 AM, Dariusz Suchojad dsuch@zato.io wrote:

On 22/04/15 14:45, Samuel Rose wrote:

Wanted to make you aware that the certificate has seemed to expire on
https://zato.io

Also, following the documentation
at https://zato.io/docs/2.0/admin/guide/install-debian.html

Hi Sam,

a new certificate was installed today and there was a short moment when
the old one was still in use - sorry you had to witness it :-/

As for the PGP key, I think it must have been a typo in copy’n’paste
because we never served the main site through clear HTTP except for the
endpoints from the tutorial, that’s the reason they are on a sub-domain,
e.g. http://tutorial.zato.io/get-customer.

The key is under:

https://zato.io/repo/zato-0CBD7F72.pgp.asc

On 22/04/2015 13:45, Samuel Rose wrote:

The step:

$ curl -s http://zato.io/repo/zato-0CBD7F72.pgp.asc | sudo apt-key add -

…currently shows a missing Public key

Just doing the curl -s by itself, you’ll see you get back a redirect to
the https:// URL.

So either do curl -sL, or (better) use
curl -s https://zato.io/repo/zato-0CBD7F72.pgp.asc
(it looks like the documentation has already been updated to use https)

I cannot reproduce the certificate expiry problem you see.

$ openssl s_client -connect zato.io:443
(copy-paste certificate to zato.pem)
$ openssl x509 -noout -text zato.pem

Not Before: Apr 8 00:45:34 2014 GMT
Not After : Nov 3 01:28:42 2015 GMT

Can you give more details of what you see? What client are you using?

Regards,

Brian.

On 22/04/2015 13:51, Brian Candler wrote:

$ openssl x509 -noout -text zato.pem
That should read:
$ openssl x509 -noout -text -in zato.pem

OK, now I get it.

The certificate I was looking at is actually for *.webfaction.com.
However, this webserver supports certificate selection via Server Name
Indication (SNI), and you need to enable this explicitly with a
-servername flag to openssl s_client.

When I do this, I get the cert for zato.io, which has just been renewed:

         Not Before: Apr 22 00:00:00 2015 GMT
         Not After : Apr 22 23:59:59 2018 GMT

Strangely, openssl s_client still gives a verify=0 (OK) result even when
connecting to zato.io without SNI, and hence being presented with the
wrong certificate. This is under Debian Wheezy.

Regards,

Brian.

$ openssl s_client -servername zato.io -CApath /etc/ssl/certs -connect zato.io:443
CONNECTED(00000003)
depth=4 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network,
OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard
SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = zato.io
verify return:1

Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=zato.io
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
4 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC

Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=zato.io
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2

No client certificate CA names sent

SSL handshake has read 7119 bytes and written 440 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
… snip …
Start Time: 1429707658
Timeout : 300 (sec)
Verify return code: 0 (ok)
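Brian's observation above is the security-relevant one: `openssl s_client` reports `Verify return code: 0 (ok)` even when, without SNI, the server hands back the `*.webfaction.com` certificate, because chain verification says nothing about whether the name in the certificate matches the host you meant to reach. The following Python is an added example, not code from the thread or from Zato: it parses the subject and validity lines in the form openssl prints them (sample text constructed from the values quoted in this thread), then applies the hostname check that s_client on that OpenSSL version did not perform, together with the expiry check Sam was originally asking about.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the layout openssl s_client / x509 -text print,
# using the two certificates and validity periods quoted in this thread.
SAMPLE_NO_SNI = """\
subject=/OU=Domain Control Validated/CN=*.webfaction.com
            Not Before: Apr  8 00:45:34 2014 GMT
            Not After : Nov  3 01:28:42 2015 GMT
"""
SAMPLE_SNI = """\
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=zato.io
            Not Before: Apr 22 00:00:00 2015 GMT
            Not After : Apr 22 23:59:59 2018 GMT
"""
# "Start Time: 1429707658" from Brian's s_client run (2015-04-22 13:00:58 UTC).
THREAD_TIME = datetime.fromtimestamp(1429707658, tz=timezone.utc)


def parse_openssl_text(text):
    """Return (CN, not_before, not_after) from openssl's text output."""
    cn = re.search(r"/CN=([^/\n]+)", text).group(1).strip()
    not_before = re.search(r"Not Before:\s*(.+) GMT", text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+) GMT", text).group(1)
    # openssl pads single-digit days ("Apr  8"); collapse the whitespace.
    to_dt = lambda s: datetime.strptime(" ".join(s.split()),
                                        "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return cn, to_dt(not_before), to_dt(not_after)


def hostname_matches(pattern, host):
    """RFC 6125 style: a wildcard may only be the entire leftmost label,
    matches exactly one label, and must leave at least two literal labels."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_cert(text, expected_host, now):
    """Return (ok, reason): the name must match AND `now` must be inside
    the validity window. A chain-only verify (s_client's code 0) skips the first."""
    cn, not_before, not_after = parse_openssl_text(text)
    if not hostname_matches(cn, expected_host):
        return False, f"name mismatch: certificate is for {cn}, expected {expected_host}"
    if not not_before <= now <= not_after:
        return False, f"not valid at {now:%Y-%m-%d}: {not_before:%Y-%m-%d}..{not_after:%Y-%m-%d}"
    return True, f"{cn} valid until {not_after:%Y-%m-%d}"
```

Newer OpenSSL releases let you ask s_client for this check directly with `-verify_hostname zato.io`, which turns the silent name mismatch above into a verification error.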