Open abuechler opened 1 year ago
Can confirm!
Maybe related to https://github.com/mozilla/http-observatory-website/issues/291
Ya, here's some more info on the cause of this issue: https://github.com/mozilla/http-observatory-website/issues/291#issuecomment-1854593336
Just reproduced it today: https://observatory.mozilla.org/analyze/git.afpy.org#tls:
while https://www.ssllabs.com/ssltest/analyze.html?d=git.afpy.org gives A+:
@JulienPalard, is there a chance to update the trust stores? I think ISRG Root X1 should be there in its own right by now. https://letsencrypt.org/2023/07/10/cross-sign-expiration I tried to figure out how to do that, I wanted to help with a PR, but https://github.com/kirei/catt is way outdated and not working anymore, at least I couldn't make that work. What would be the best way to collect the trusted certs?
FWIW - From a Mozilla CA Root Program perspective, as I understand it, we have been transitioning away from maintaining this TLS Observatory repository and focusing on this repository - https://github.com/mozilla/CCADB-Tools. We are also using the CCADB.
@BenWilson-Mozilla Thanks for mentioning CCADB. Forgive me if I miss something, but it seems to me that CCADB is not going to replace tls-observatory. CCADB is not grading end certificates, but collecting root and intermediate certificates.
@JulienPalard Would you welcome a PR for replacing catt? If you put together something for a technical design, I might be able to find some time to implement that. I'm thinking of downloading CCADB records at startup and using that as a single truststore. (Only adding records where Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included in the csv.)
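As an added illustration of the filtering approach proposed in the comment above (this is example code written for this page, not code from tls-observatory, catt or CCADB-Tools), the sketch below reads a CCADB-style CSV export, keeps only rows where the Apple, Google Chrome, Microsoft and Mozilla status columns all read "Included", and loads those roots into a single x509.CertPool. The column header names ("Apple Status", "Google Chrome Status", "Microsoft Status", "Mozilla Status", "PEM Info") and the single-quote wrapping of the PEM field are assumptions and must be checked against the real export; the three-row CSV is constructed inline from throwaway self-signed certificates so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/csv"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Columns that must read "Included" for a root to enter the store. These
// header names are assumptions for this example, not verified CCADB field
// names; point them at the columns of the export you actually download.
var requiredIncluded = []string{
	"Apple Status", "Google Chrome Status", "Microsoft Status", "Mozilla Status",
}

// Assumed header of the column carrying the root certificate in PEM form.
const pemColumn = "PEM Info"

// BuildTrustStore parses a CCADB-style CSV and returns a CertPool holding only
// the roots that every program in requiredIncluded marks "Included", plus the
// subject CNs that were accepted (handy for logging what actually got loaded).
func BuildTrustStore(csvData string) (*x509.CertPool, []string, error) {
	rows, err := csv.NewReader(strings.NewReader(csvData)).ReadAll()
	if err != nil {
		return nil, nil, err
	}
	if len(rows) == 0 {
		return nil, nil, fmt.Errorf("empty CSV")
	}
	col := map[string]int{}
	for i, h := range rows[0] {
		col[strings.TrimSpace(h)] = i
	}
	for _, name := range append([]string{pemColumn}, requiredIncluded...) {
		if _, ok := col[name]; !ok {
			return nil, nil, fmt.Errorf("missing column %q", name)
		}
	}
	pool := x509.NewCertPool()
	var accepted []string
	for _, row := range rows[1:] {
		included := true
		for _, name := range requiredIncluded {
			if strings.TrimSpace(row[col[name]]) != "Included" {
				included = false
				break
			}
		}
		if !included {
			continue
		}
		// Assumed: some exports wrap the PEM in single quotes; strip them first.
		pemText := strings.Trim(strings.TrimSpace(row[col[pemColumn]]), "'")
		block, _ := pem.Decode([]byte(pemText))
		if block == nil || block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || !cert.IsCA {
			continue // a root store must only ever hold CA certificates
		}
		pool.AddCert(cert)
		accepted = append(accepted, cert.Subject.CommonName)
	}
	return pool, accepted, nil
}

// selfSignedPEM mints a throwaway self-signed CA for the constructed sample.
func selfSignedPEM(cn string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SampleCSV is constructed test data, not a real CCADB export: one root
// included by all four programs, one Mozilla "Not Included", one Apple "Removed".
func SampleCSV() string {
	var sb strings.Builder
	w := csv.NewWriter(&sb) // quotes the multi-line PEM fields for us
	w.Write([]string{"Common Name", "Apple Status", "Google Chrome Status", "Microsoft Status", "Mozilla Status", "PEM Info"})
	w.Write([]string{"Everywhere Root", "Included", "Included", "Included", "Included", selfSignedPEM("Everywhere Root")})
	w.Write([]string{"No Mozilla Root", "Included", "Included", "Included", "Not Included", selfSignedPEM("No Mozilla Root")})
	w.Write([]string{"Apple Removed Root", "Removed", "Included", "Included", "Included", selfSignedPEM("Apple Removed Root")})
	w.Flush()
	return sb.String()
}

func main() {
	_, names, err := BuildTrustStore(SampleCSV())
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded roots:", names)
}
```

Running the program loads exactly one root ("Everywhere Root"); the other two are dropped because one program does not list them as "Included". In a real deployment the CSV would be fetched at startup and a missing or renamed column should fail loudly, as the header check does here, rather than silently producing an empty store.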
@JulienPalard Would you welcome a PR for replacing catt?
I'll obviously welcome any work forward on this, but I'm not from Mozilla and I'm not a Go developer. So I would not be able to review, nor to merge your work.
There was supposed to be a new version of Observatory on MDN now, that might have the dependency on TLS Observatory removed(?), but there's no news about the launch since the original post:
"…once the MDN Observatory launches on January ~~25th~~ 31st 2024."
Maybe @gene1wood knows more, and probably even the location of the repo for the new MDN Observatory version, to help introspect its dependence on the tls-observatory.services.mozilla.com/api/v1/certificate API endpoint that returns the outdated roots info from its db… (refs #440)
@LeoMcA can speak to the HTTP Observatory launch on MDN and its backing repo.
@LeoMcA, it would help a lot to know the release date and the planned changes.
New MDN Observatory 2.0 launched last month: https://developer.mozilla.org/en-US/blog/mdn-http-observatory-launch/
The source is hosted now under MDN: https://github.com/mdn/mdn-http-observatory
There is no TLS scanning currently present, and no plans to include it as per the announcement post linked above.
A sunset is planned for current Obs v1 in the coming months, with uncertainty about TLS Obs fate (whether that is also being included in the sunset plans, and a future removal is planned; or it's gonna be kept around in its current state, with no further maintenance to be expected…)
The report for Let's Encrypt's own website shows an error "This site uses an untrusted or invalid certificate"
Checked on the 10th of May 2023: