drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

[BUG] OCSP status on intermediate #1827

Open ItsNotTom opened 3 years ago

ItsNotTom commented 3 years ago

Digicert recently expired some of their ICAs

https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html

https://www.auscert.org.au/blog/2021-01-15-quovadis-issue-impacting-multiple-customers

Lots of sites are still providing the old ICA certificates in their chain but when you run testssl against them it reports back the status of them is fine. Manually checking what's being served using openssl or other services such as ssllabs show that there are issues with the chain.

drwetter commented 3 years ago

Thanks! You happen to have a host name?

Which version 3.0 or 3.1dev?

ItsNotTom commented 3 years ago

Hi, sorry, I completely missed all the useful information. This was tested on 3.1dev and an example hostname developer.lloydsbanking.com

drwetter commented 3 years ago

Yeah, thanks. That seems to be related to the case with LE, see #1682

That was revoked a week ago (https://crt.sh/?id=6006154&opt=ocsp).

The chain is fine (except the additional root certificate). How did you check the revoked status with openssl?

ItsNotTom commented 3 years ago

I followed the steps provided here: https://www.redpill-linpro.com/techblog/2017/01/11/understanding_ocsp.html

drwetter commented 3 years ago

Ok, I understood just by a simple openssl s_client -status -connect .. and I thought I missed something.
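Added example, written for this thread and not code from testssl.sh or either commenter: `openssl s_client -status` only shows the stapled OCSP response for the leaf, so the script below queries the responder for every non-root certificate in a saved chain against its issuer from that same chain. It assumes only the `openssl` CLI and a chain file produced with `openssl s_client -showcerts -connect host:443 </dev/null > chain.pem`; function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of testssl.sh: query the OCSP status of each
# non-root certificate in a PEM chain file (e.g. saved from
# `openssl s_client -showcerts`), each against its issuer from the same
# chain, so a revoked intermediate is not missed by a leaf-only check.

# Split a PEM bundle into $2.0.pem, $2.1.pem, ... and print the count.
split_chain() {
  awk -v p="$2" '/-----BEGIN CERT/{n++} n>0{print > (p "." (n-1) ".pem")}' "$1"
  ls "$2".*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Print the split file whose subject equals the issuer of $1; fail if none.
find_issuer() {
  want=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  for f in "$2".*.pem; do
    have=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    [ "$have" = "$want" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Ask the responder named in cert $1's AIA extension about $1, issuer $2.
# Prints good / revoked / unknown / no-ocsp-uri.
ocsp_status() {
  uri=$(openssl x509 -noout -ocsp_uri -in "$1")
  [ -n "$uri" ] || { echo no-ocsp-uri; return 0; }
  out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -CAfile "$2" 2>&1 || true)
  case "$out" in
    *": good"*)    echo good ;;
    *": revoked"*) echo revoked ;;
    *)             echo unknown ;;
  esac
}

# Walk the chain: one status line per certificate, leaf first.
check_chain() {
  n=$(split_chain "$1" "$2"); i=0
  while [ "$i" -lt "$n" ]; do
    c="$2.$i.pem"; subj=$(openssl x509 -noout -subject -in "$c")
    if iss=$(find_issuer "$c" "$2") && [ "$iss" != "$c" ]; then
      echo "$subj -> $(ocsp_status "$c" "$iss")"
    else
      echo "$subj -> self-signed or issuer not in chain, skipped"
    fi
    i=$((i+1))
  done
}
```

Run it as `check_chain chain.pem /tmp/c`; a root shipped in the chain is reported as skipped, and any intermediate whose responder answers `revoked` is exactly the case this issue is about.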