matrix-org / matrix-federation-tester

Tester for matrix federation written in golang.

TLS certificate chain checking #90

Open tulir opened 5 years ago

tulir commented 5 years ago

A "certificate signed by unknown authority" error isn't very useful when the cert is valid, but the chain is incomplete. It would be nice if the tester tested the cert for such cases and provided exact errors (maybe even including instructions and a cert file for fixing it like https://whatsmychaincert.com/).

richvdh commented 5 years ago

I don't quite follow what you're asking for. Are you looking for different wording to replace "certificate signed by unknown authority", or for the tester to somehow distinguish a certificate which is not signed by a known authority from one which is signed by an authority which is known, but not known to us?

tulir commented 5 years ago

The latter. Cases such as using cert.pem instead of fullchain.pem from letsencrypt are not that rare in #synapse:matrix.org.

richvdh commented 5 years ago

Indeed they aren't (which is why that case is specifically called out in https://github.com/matrix-org/synapse/blob/master/INSTALL.md#tls-certificates), but given the problem is that we don't know about the intermediate CA certs, that doesn't answer the question of how we can tell if the problem is a missing intermediate cert, or a cert signed by an unrecognised CA.

But apparently there is an X.509 extension which allows certs to specify the URL that the CA cert can be downloaded from, so in theory we could download the CA certs and see if we can form a complete chain.
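The approach in the last comment, worked through as an added Go example that is not part of matrix-federation-tester: `ClassifyChain` verifies the leaf with the intermediates the server sent, and only on an "unknown authority" error fetches the leaf's AIA "CA Issuers" URLs (the X.509 extension referred to above, exposed by Go as `Certificate.IssuingCertificateURL`) and retries, so a cert.pem-instead-of-fullchain.pem deployment is reported as a missing intermediate rather than an unrecognised CA. The throw-away CA hierarchy, the names, the AIA URL and the in-memory fetch stand-in are constructed for the demo; a real tester would replace the stand-in with an HTTP download of each URL and pass nil roots to use the system trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClassifyChain verifies leaf against roots and the intermediates the server sent (inter). On "unknown authority"
// it fetches the leaf's AIA CA Issuers URLs into inter (which is mutated) and retries: an omitted intermediate then verifies.
func ClassifyChain(leaf *x509.Certificate, inter, roots *x509.CertPool, fetch func(string) (*x509.Certificate, error)) string {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter}
	if _, err := leaf.Verify(opts); err == nil {
		return "ok"
	} else if _, unknown := err.(x509.UnknownAuthorityError); !unknown {
		return "other: " + err.Error() // expired, wrong name, etc.: not a chain problem, so do not fetch anything
	}
	for _, u := range leaf.IssuingCertificateURL { // a real tester would HTTP GET u here
		if c, err := fetch(u); err == nil && c != nil {
			inter.AddCert(c)
		}
	}
	if _, err := leaf.Verify(opts); err == nil {
		return "missing-intermediate"
	}
	return "unknown-ca"
}

// issue makes a throw-away Ed25519 cert for the demo (constructed data); parent == nil means self-signed.
func issue(cn string, ca bool, aia []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca, IssuingCertificateURL: aia}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func main() {
	root, rk := issue("Demo Root", true, nil, nil, nil)
	inter, ik := issue("Demo Intermediate", true, nil, root, rk)
	leaf, _ := issue("matrix.example.org", false, []string{"http://aia.example/ca.der"}, inter, ik)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Server sent only the leaf; the constructed fetcher returns what the AIA URL would serve. Prints missing-intermediate.
	fmt.Println(ClassifyChain(leaf, x509.NewCertPool(), roots, func(string) (*x509.Certificate, error) { return inter, nil }))
}
```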