SSLMate / whatsmychaincert

Frontend for whatsmychaincert.com
https://whatsmychaincert.com

Incorrect error message for unknown CAs #1

Open BenBE opened 9 years ago

BenBE commented 9 years ago

When testing the domain https://ssltest.security.fail/ the site wrongly issues a report that the chain is misconfigured. This indication is wrong: This can be verified by using DANE on the domain.

Three things to do:

BUT: The chain itself is correct.

AGWA commented 9 years ago

The error message is accurate: approximately zero clients support DANE or trust cacert.org, so virtually nobody can access that site, making it, for all intents and purposes, misconfigured.

BenBE commented 9 years ago

It's one question whether the chain is configured correctly (including all necessary certificates) and another whether a client trusts it. As the chain is configured properly on the server (and includes all necessary certificates), the configuration is correct and thus the error message is misleading/wrong.

AGWA commented 9 years ago

I see your point. Unfortunately, it's not trivial to distinguish these two cases. If the server sends a chain that's not signed by a trusted root, whatsmychaincert doesn't immediately know whether some other chain exists that is signed by a trusted root.

What it could do is try to construct an alternative chain using AIA to see whether an alternative trusted chain exists or not. But if the cert lacks AIA (which is the case with most private PKIs) then there's no way to know.

I'll re-open this ticket and work on it at some point.
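The two cases the thread separates (a chain that is complete as sent versus a chain a client would actually trust), plus the AIA hint AGWA proposes for the incomplete case, can be told apart mechanically. The following is an added example, not code from the whatsmychaincert project. It builds a constructed three-level PKI in memory (root, intermediate, leaf, with placeholder AIA URLs under `pki.example`) and classifies a server-sent chain into three outcomes: complete and trusted, complete but rooted in a CA the trust store does not contain (the cacert.org situation), or incomplete, in which case it returns the "CA Issuers" URLs the checker could follow.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainStatus separates "the server sent every link" from "a client trusts it".
type ChainStatus string

const (
	CompleteTrusted   ChainStatus = "complete, chains to a root in the trust store"
	CompleteUntrusted ChainStatus = "complete, but the root is not in the trust store"
	Incomplete        ChainStatus = "incomplete: issuer of the last sent cert is missing"
)

// mkCert issues a certificate for subj signed by parent (self-signed when parent is nil).
// aiaURL, if set, becomes the AIA "CA Issuers" pointer to the issuer's certificate.
func mkCert(subj string, isCA bool, aiaURL string, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subj},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subj}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if aiaURL != "" {
		tmpl.IssuingCertificateURL = []string{aiaURL} // assumed placeholder URL
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemoPKI constructs root -> intermediate -> leaf; all values are made up for the example.
func BuildDemoPKI() (root, inter, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root = mkCert("Example Private Root", true, "", rootKey, nil, nil)
	inter = mkCert("Example Intermediate", true, "http://pki.example/root.crt", interKey, root, rootKey)
	leaf = mkCert("www.example.com", false, "http://pki.example/intermediate.crt", leafKey, inter, interKey)
	return
}

func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// walkSentChain follows signature links using only what the server sent and
// returns the last certificate reached (a self-signed root if the chain is complete).
func walkSentChain(leaf *x509.Certificate, sent []*x509.Certificate) *x509.Certificate {
	cur := leaf
	for steps := 0; steps <= len(sent); steps++ {
		if isSelfSigned(cur) {
			return cur
		}
		found := false
		for _, c := range sent {
			if c != cur && cur.CheckSignatureFrom(c) == nil {
				cur, found = c, true
				break
			}
		}
		if !found {
			return cur
		}
	}
	return cur
}

// Classify reports trust and completeness separately; for an incomplete chain it
// returns the AIA URLs on the last reachable cert, where the missing issuer could be fetched.
func Classify(leaf *x509.Certificate, sent []*x509.Certificate, roots *x509.CertPool) (ChainStatus, []string) {
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.Subject.CommonName})
	if err == nil {
		return CompleteTrusted, nil
	}
	last := walkSentChain(leaf, sent)
	if isSelfSigned(last) {
		return CompleteUntrusted, nil // every link was sent; the store simply lacks this root
	}
	return Incomplete, last.IssuingCertificateURL
}

func main() {
	root, inter, leaf := BuildDemoPKI()
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	empty := x509.NewCertPool()
	fmt.Println(Classify(leaf, []*x509.Certificate{leaf, inter}, trusted))
	fmt.Println(Classify(leaf, []*x509.Certificate{leaf, inter, root}, empty))
	fmt.Println(Classify(leaf, []*x509.Certificate{leaf}, trusted))
}
```

The second call is BenBE's case: a full chain whose root is simply absent from the verifier's store, which a checker can report as "untrusted by common clients" rather than "misconfigured". The third call is the case where following the AIA pointer would let the checker find out whether a trusted path exists; a certificate with no AIA yields an empty URL list, which is exactly the private-PKI situation AGWA describes as undecidable.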