publicsuffix / publicsuffix.org

The publicsuffix.org website
https://publicsuffix.org/

https://publicsuffix.org uses wrong cert #5

Closed dkg closed 8 years ago

dkg commented 8 years ago

It looks to me like there's a cert mismatch on https://publicsuffix.org

0 dkg@alice:~$ gnutls-cli publicsuffix.org
Processed 151 CA certificate(s).
Resolving 'publicsuffix.org:443'...
Connecting to '63.245.213.24:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Mountain View,O=Mozilla Foundation,CN=generic-san.mozilla.org', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', serial 0x089aa9d33b20dcf91654488f87af40fe, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-16 00:00:00 UTC', expires `2016-10-20 12:00:00 UTC', SHA-1 fingerprint `0ca5fba64d2dea36120e906db4f24a366b0aafc6'
    Public Key ID:
        0803136629504256d7c02e266030aee2b255c195
    Public key's random art:
        +--[ RSA 2048]----+
        |O+O+.o+.         |
        |=*.+.oE.         |
        |oo  *            |
        |.. o = .         |
        |o o o . S        |
        |o  .             |
        |...              |
        |.o               |
        |.                |
        +-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4'
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
1 dkg@alice:~$ 

Looking at the offered cert, I see it has the following SANs:

                        DNSname: generic-san.mozilla.org
                        DNSname: inform.mozilla.org
                        DNSname: air.mozilla.org
                        DNSname: basket.mozilla.org
                        DNSname: blog.mozilla.com
                        DNSname: boardwiki.mozilla.org
                        DNSname: creative.mozilla.org
                        DNSname: foundationwiki.mozilla.org
                        DNSname: join.mozilla.org
                        DNSname: mpl.mozilla.org
                        DNSname: outgoing.mozilla.org
                        DNSname: securitywiki.mozilla.org
                        DNSname: wiki.mozilla.org
                        DNSname: tbpl.mozilla.org
                        DNSname: basket.mozilla.com
                        DNSname: air.mozilla.com
                        DNSname: dragnet.mozilla.org
                        DNSname: www.itisatrap.org
                        DNSname: itisatrap.org
                        DNSname: calendar.mozilla.org
                        DNSname: allizom.org
                        DNSname: www.allizom.org
                        DNSname: moztrap.mozilla.org
                        DNSname: careers.mozilla.com
                        DNSname: openstandard.mozilla.org
                        DNSname: pto.mozilla.org
                        DNSname: dnt-dashboard.mozilla.org
                        DNSname: mx.thunderbird.net
                        DNSname: broker.thunderbird.net
                        DNSname: intranet.mozilla.org
                        DNSname: iplimit.irc.mozilla.org
                        DNSname: m.wiki.mozilla.org
                        DNSname: affiliates.mozilla.org
                        DNSname: fb-affiliates.mozilla.org
                        DNSname: getfirebug.com
                        DNSname: www.getfirebug.com
                        DNSname: phonebook.mozilla.org
                        DNSname: passwordreset.mozilla.org
                        DNSname: mozillians.org
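The report above boils down to a hostname check: the client compares the name it connected to against the certificate's SAN dNSName entries and refuses the handshake when none matches. The script below is an added example (not code from the publicsuffix.org project or from either commenter) that performs that comparison offline against the SAN list transcribed from the report, and includes a small helper for pulling the SAN names from a live connection with or without a server name indication so the two can be compared. Wildcard handling is the simplified RFC 6125 rule (one leading `*` covering exactly one label, with at least two labels after it); real clients consult the Public Suffix List for that last decision, which this toy check does not do. The `fetch_san_names` helper is an assumption about how one would run the check live and is not exercised here.

```python
"""Hostname-vs-SAN check, as seen in the gnutls-cli mismatch above.

Added example; not from the publicsuffix.org repository.
"""
import socket
import ssl

# SAN dNSName entries transcribed from the certificate quoted in the issue.
REPORTED_SANS = [
    "generic-san.mozilla.org", "inform.mozilla.org", "air.mozilla.org",
    "basket.mozilla.org", "blog.mozilla.com", "boardwiki.mozilla.org",
    "creative.mozilla.org", "foundationwiki.mozilla.org", "join.mozilla.org",
    "mpl.mozilla.org", "outgoing.mozilla.org", "securitywiki.mozilla.org",
    "wiki.mozilla.org", "tbpl.mozilla.org", "basket.mozilla.com",
    "air.mozilla.com", "dragnet.mozilla.org", "www.itisatrap.org",
    "itisatrap.org", "calendar.mozilla.org", "allizom.org", "www.allizom.org",
    "moztrap.mozilla.org", "careers.mozilla.com", "openstandard.mozilla.org",
    "pto.mozilla.org", "dnt-dashboard.mozilla.org", "mx.thunderbird.net",
    "broker.thunderbird.net", "intranet.mozilla.org", "iplimit.irc.mozilla.org",
    "m.wiki.mozilla.org", "affiliates.mozilla.org", "fb-affiliates.mozilla.org",
    "getfirebug.com", "www.getfirebug.com", "phonebook.mozilla.org",
    "passwordreset.mozilla.org", "mozillians.org",
]


def hostname_matches(hostname: str, san_names) -> bool:
    """Return True if hostname is covered by one of the dNSName entries.

    Rules applied: case-insensitive comparison, trailing dot ignored, and a
    wildcard only as the whole left-most label matching exactly one label,
    and only when at least two labels follow it (so "*.com" never matches).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[1:] != host_labels[1:]:
            continue  # the non-leading labels must match exactly
        if pat_labels[0] == host_labels[0]:
            return True
        if pat_labels[0] == "*" and len(pat_labels) >= 3:
            return True
    return False


def san_dns_names(peer_cert: dict) -> list:
    """Extract dNSName entries from a dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"]


def fetch_san_names(host: str, port: int = 443, server_hostname=None,
                    timeout: float = 10.0) -> list:
    """Connect with TLS and return the offered certificate's SAN dNSNames.

    Assumed usage (not run here): pass server_hostname=host to send SNI, or
    None to omit it, and compare the two lists. Chain validation against the
    system roots is still required; only the name check is done by us.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we compare names ourselves below
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still demand a trusted chain
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return san_dns_names(tls.getpeercert())


if __name__ == "__main__":
    # Offline reproduction of the verdict gnutls-cli printed in the report.
    for name in ("publicsuffix.org", "wiki.mozilla.org"):
        verdict = "matches" if hostname_matches(name, REPORTED_SANS) else "NO MATCH"
        print(f"{name}: {verdict}")
```

Run as-is for the offline comparison; to check a live server, call `fetch_san_names("example.invalid", server_hostname="example.invalid")` and again with `server_hostname=None` and feed each result to `hostname_matches`.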

weppos commented 8 years ago

@dkg this is strange, it works perfectly for me.

➜  ~ gnutls-cli publicsuffix.org
Processed 193 CA certificate(s).
Resolving 'publicsuffix.org'...
Connecting to '63.245.213.24:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,L=Mountain View,O=Mozilla Foundation,CN=static-san.mozilla.org', issuer `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-06 00:00:00 UTC', expires `2016-11-22 12:00:00 UTC', SHA-1 fingerprint `fd1ca36f891030e35132f769b2d922c087722ee3'
    Public Key ID:
        614c1be77c78318a333a8c9a8172eb4bf217751e
    Public key's random art:
        +--[ RSA 2048]----+
        |        o . o    |
        |       o B o o   |
        |        O = o    |
        | .   o.oE+ o     |
        |o o ..+oS.       |
        |.. =.  ..        |
        |. =  .           |
        | =  .            |
        |  +o             |
        +-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', SHA-1 fingerprint `1fb86b1168ec743154062e8c9cc5b171a4b7ccb4'
- Certificate[2] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-10 00:00:00 UTC', expires `2031-11-10 00:00:00 UTC', SHA-1 fingerprint `a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436'
- Status: The certificate is trusted.

This is the certificate I get, and it contains publicsuffix.org in the SAN. https://censys.io/certificates/fc44201ab280c080aacccd8b4a1374020da8587cdff56dae397bea08415c0ad4

Can you try with a different machine?

weppos commented 8 years ago

Can't reproduce.