ipshipyard / waterworks-community

Discussion and documentation concerning the operation of the Public Goods for IPFS and Libp2p.
https://docs.ipfs.tech/concepts/public-utilities/
MIT License

SSL certs broken? #16

Closed jbenet closed 7 months ago

jbenet commented 7 months ago
aschmahmann commented 7 months ago

@jbenet I'm not seeing that locally on any websites at the moment.

I get the output below. In particular, I noticed your certificates in the other issue have OpenDNS as the provider rather than R3.

```
adin@AdinPC:/mnt/c/Users/adin$ openssl s_client -connect blog.ipfs.io:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:e2:a6:2b:c9:64:f8:b3:82:7a:8a:20:64:91:05:13:49:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Apr 3 19:08:54 2024 GMT
            Not After : Jul 2 19:08:53 2024 GMT
        Subject: CN = blog.ipfs.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:92:46:1a:8e:64:83:91:e8:80:88:bd:df:d6:b1:
                    18:40:3b:b0:85:28:90:bf:6f:15:50:c4:93:ac:bf:
                    dc:0e:2b:5a:74:43:1e:ae:d7:79:fc:de:cc:95:ae:
                    6e:e9:b1:0f:9b:9d:bd:7a:2d:6e:49:4e:1a:29:9d:
                    a5:86:cf:bf:fe:1e:7f:b5:78:51:4e:b1:a0:10:32:
                    1d:88:f3:40:01:74:22:cb:91:b3:d1:88:9c:93:a1:
                    54:d5:58:18:cb:f7:ff:43:65:72:6c:84:70:76:d8:
                    5d:5c:e7:19:d9:59:4c:c0:98:11:05:b7:a8:26:d7:
                    85:63:00:aa:04:56:0c:30:ab:0b:01:bd:b5:93:76:
                    bb:a0:e5:26:f3:95:ec:45:7c:c2:36:9d:49:35:8f:
                    69:8a:9b:e9:1e:04:c7:48:4d:da:30:78:cd:f7:34:
                    a6:8e:c4:ec:a3:5c:db:46:f5:af:a0:7f:0d:c1:fb:
                    70:c8:ed:b9:f5:68:54:4d:c7:a0:04:4e:db:47:63:
                    77:a7:9c:13:1a:6d:1b:39:9e:62:1c:27:18:e8:f3:
                    b4:4a:6e:1a:ff:f4:41:f6:72:18:12:13:84:5e:72:
                    59:16:d3:f4:c7:a0:be:98:86:68:b9:5c:c4:7f:55:
                    14:a1:6f:3d:39:10:60:44:86:b4:90:5d:5f:e6:21:
                    f4:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4C:47:1A:9A:CE:2D:A3:FF:0F:DF:3B:02:1C:FD:7F:FB:CC:1E:A2:1A
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:blog.ipfs.io
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Apr 3 20:08:54.135 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:6B:87:D3:3B:7B:05:5C:31:7D:39:4D:A2:
                                46:D1:B5:66:68:15:51:D0:8E:BC:22:A4:63:C3:99:97:
                                7D:83:F6:B2:02:21:00:97:82:D0:A5:01:9C:A0:B8:A8:
                                C5:B2:DF:3C:ED:FD:29:58:81:C1:E7:61:D7:3B:C4:2A:
                                E0:FB:9B:68:B8:1E:89
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
                                67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
                    Timestamp : Apr 3 20:08:54.146 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:3F:55:92:B0:69:58:05:1F:37:05:56:B4:
                                7A:94:87:20:80:9B:13:6D:E3:EB:6F:BF:14:FA:6D:54:
                                C8:C3:7A:33:02:21:00:A5:BC:D9:84:4E:99:1F:68:58:
                                7C:31:BF:54:CD:C3:C3:98:27:5E:A6:19:5B:03:EF:CB:
                                F6:47:34:94:BA:17:39
    Signature Algorithm: sha256WithRSAEncryption
         23:4c:19:f5:23:f6:28:97:29:36:35:7a:49:3f:db:ee:5b:a6:
         0d:5f:f5:c3:15:69:e1:ec:d2:fd:a1:87:24:f8:c7:5d:b7:b4:
         3c:a3:b0:84:43:3f:f6:4b:ce:16:ec:74:bb:5d:61:41:6d:07:
         1d:a6:58:bf:87:7e:6e:74:87:83:f0:f8:89:0f:5e:08:5d:c8:
         ca:dd:88:07:b2:6c:39:7a:b8:4c:4d:14:f6:43:a9:e0:4b:3f:
         d0:da:e7:4b:69:d7:37:04:12:99:59:be:83:9a:1f:8f:82:83:
         de:02:fe:d3:62:2d:5a:7a:77:b5:47:7a:dc:95:26:18:e7:9c:
         bc:da:51:1d:8a:0b:53:e5:3e:7f:9f:87:a0:e1:1d:ec:92:a3:
         39:91:c7:7d:b5:fd:f7:de:3a:7d:57:b9:0b:4c:c5:82:c4:ee:
         52:16:18:7b:4d:50:c7:26:ea:1e:4d:9c:2f:93:36:98:48:a5:
         f6:86:a9:53:87:2b:30:cf:26:a3:c6:6f:b4:dd:91:3f:f9:3e:
         c7:5a:10:2c:ea:bf:52:29:03:8a:09:3e:b3:47:d1:51:8c:12:
         76:03:10:3c:09:67:01:a2:fd:81:84:a7:22:ab:2a:6f:00:4e:
         a5:c8:f7:f4:42:d7:6a:e2:e0:5f:bf:c7:7b:cd:85:8e:28:0c:
         1b:bd:24:ea
-----BEGIN CERTIFICATE-----
MIIE5TCCA82gAwIBAgISA+KmK8lk+LOCeoogZJEFE0n6MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA0MDMxOTA4NTRaFw0yNDA3MDIxOTA4NTNaMBcxFTATBgNVBAMT
DGJsb2cuaXBmcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJG
Go5kg5HogIi939axGEA7sIUokL9vFVDEk6y/3A4rWnRDHq7XefzezJWubumxD5ud
vXotbklOGimdpYbPv/4ef7V4UU6xoBAyHYjzQAF0IsuRs9GInJOhVNVYGMv3/0Nl
cmyEcHbYXVznGdlZTMCYEQW3qCbXhWMAqgRWDDCrCwG9tZN2u6DlJvOV7EV8wjad
STWPaYqb6R4Ex0hN2jB4zfc0po7E7KNc20b1r6B/DcH7cMjtufVoVE3HoARO20dj
d6ecExptGzmeYhwnGOjztEpuGv/0QfZyGBIThF5yWRbT9MegvpiGaLlcxH9VFKFv
PTkQYESGtJBdX+Yh9OcCAwEAAaOCAg4wggIKMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUTEcams4to/8P3zsCHP1/+8weohowHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA
5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu
by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w
FwYDVR0RBBAwDoIMYmxvZy5pcGZzLmlvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIB
BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYASLDja9qmRzQP5WoC+p0w6xxSActW3SyB
2bu/qznYhHMAAAGOpZQodwAABAMARzBFAiBrh9M7ewVcMX05TaJG0bVmaBVR0I68
IqRjw5mXfYP2sgIhAJeC0KUBnKC4qMWy3zzt/SlYgcHnYdc7xCrg+5touB6JAHYA
O1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGOpZQoggAABAMARzBF
AiA/VZKwaVgFHzcFVrR6lIcggJsTbePrb78U+m1UyMN6MwIhAKW82YROmR9oWHwx
v1TNw8OYJ16mGVsD78v2RzSUuhc5MA0GCSqGSIb3DQEBCwUAA4IBAQAjTBn1I/Yo
lyk2NXpJP9vuW6YNX/XDFWnh7NL9oYck+Mddt7Q8o7CEQz/2S84W7HS7XWFBbQcd
pli/h35udIeD8PiJD14IXcjK3YgHsmw5erhMTRT2Q6ngSz/Q2udLadc3BBKZWb6D
mh+PgoPeAv7TYi1aene1R3rclSYY55y82lEdigtT5T5/n4eg4R3skqM5kcd9tf33
3jp9V7kLTMWCxO5SFhh7TVDHJuoeTZwvkzaYSKX2hqlThyswzyajxm+03ZE/+T7H
WhAs6r9SKQOKCT6zR9FRjBJ2AxA8CWcBov2BhKciqypvAE6lyPf0Qtdq4uBfv8d7
zYWOKAwbvSTq
-----END CERTIFICATE-----
```
aschmahmann commented 7 months ago

From that issue @lidel commented that this looks like some DNS-based filtering / man-in-the-middle on the ipfs.io domain name https://github.com/ipfs/ipfs-blog/issues/685#issuecomment-2059878817.

jbenet commented 7 months ago

Resolved, thank you!
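
The issuer comparison made in this thread (Let's Encrypt R3 versus an unexpected provider) can be scripted as a local check. This is an added example, not code from the thread or the project; the function names are hypothetical, the expected organization is taken from the output quoted above, and the second sample line is constructed.

```shell
#!/bin/sh
# Added example: flag a TLS certificate whose issuer organization is not the expected CA.

# Print the O (organization) value from the issuer line read on stdin.
# Accepts `openssl x509 -text` ("Issuer: C = US, O = ...") and
# `openssl x509 -noout -issuer` ("issuer=C=US, O=...") output.
# Limitation: organization names that themselves contain a comma are cut at the comma.
issuer_org() {
    sed -n 's/^[[:space:]]*[Ii]ssuer[:=][[:space:]]*//p' | head -n 1 |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 if the issuer organization on stdin equals $1, 1 otherwise.
check_issuer() {
    expected=$1
    actual=$(issuer_org)
    if [ "$actual" = "$expected" ]; then
        echo "ok: issuer organization is '$actual'"
        return 0
    fi
    echo "ALERT: issuer organization '${actual:-<none>}' != expected '$expected'"
    return 1
}

# Fetch the issuer of the leaf certificate a host presents on this network.
# Needs network access; defined for live use, not called by the samples below.
fetch_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# Issuer line as it appears in the output quoted in the thread.
GOOD_SAMPLE="        Issuer: C = US, O = Let's Encrypt, CN = R3"
# Constructed line standing in for a filtering proxy's CA (not a real certificate).
BAD_SAMPLE="issuer=C=US, O=Example Filtering Proxy, CN=Example Filtering Root CA"

printf '%s\n' "$GOOD_SAMPLE" | check_issuer "Let's Encrypt"
printf '%s\n' "$BAD_SAMPLE" | check_issuer "Let's Encrypt" || true
```

For a live check, pipe `fetch_issuer blog.ipfs.io` into `check_issuer "Let's Encrypt"` from the affected network and from a known-clean one; differing results point at interception on the path rather than at the server.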