Bad server certificate

[Fabsfabsfabs]

Description

Hi, Recently I have been unable to access the qgis website. I am using zscaler for Internet security. Zscaler is blocking the website as it says it has a bad certificate. I wonder if it has expired or needs to be updated. This is preventing me from downloading plugins into qgis.

The qgis plugins repo says its unavailable, but I think it's that the whole website is blocked.

I am asking zscaler to try and fix too.. But they said that qgis should update the certificate

Thanks!

Page URL: https://qgis.org/en/site/index.html

[rduivenvoorde]

Can you show the certificate that is been shown to you? With me it show a Google cert (probably because the sites are behind cloudflare)... Our own servers use 'letsencrypt' certificates.

Below is cert for plugins.qgis.org

[Fabsfabsfabs]

Thanks, Im not sure if this is what you need, but when I view the certificate it looks like this:

[jef-n]

That's obviously not the certificate of our site. What does zscaler actually complain about?

[morgenstern72]

I have the same problem with ESET, using Edge and Firefox latest versions. Also https://www.sslchecker.com/sslchecker reports the Certificate as untrusted:

[morgenstern72]

ESETs Error (tanslated from german): "This error was caused by an invalid OCSP response. This response must be valid because OCSP stapling is used."

In the ESET forum I find https://forum.eset.com/topic/29951-website-certificate-revoked/ "This will be due to the Let's Encrypt "DST Root CA X3 DST" certificate authority expiring on the 30th September. We have the same issue with 1 of our customers who use ESET Endpoint Security. None of our other customers have issues. Even though our certificate is valid ESET gives the same error and prevents access because one of the 2 paths has now expired. "

[morgenstern72]

Maybe thats the problem: https://www.ssllabs.com/ssltest/analyze.html?d=www.qgis.org&s=172.67.143.23

OCSP stapling: Yes OCSP Must Staple: No

Revocation information CRL, OCSPCRL: http://crls.pki.goog/gts2p2/veX2kUr15RQ.crl -> WORKS OCSP: http://ocsp.pki.goog/s/gts2p2/seHKaOqDXks -> DOES NOT WORK