Ha! Already informed them on Friday via other means. I'm told there is now an IT ticket open
On Sun, 5 Aug 2018, 11:18 Alexander Traud, <pabstr...@compuserve.com> wrote: > All asterisk.org (sub-) domains are secured by a SSL/TLS certificate from > RapidSSL which chains up to the trust anchor "GeoTrust Global CA". That > trust anchor belonged to Symantec. Since Chrome 70, Google removes all > trust in former Symantec trust anchors. When you re-issue your certificate, > the new owner DigiCert is going to give you a certificate chain to a new > and still trusted anchor, for free: < > http://products.geotrust.com/orders/orderinformation/authentication.do> > > Reasoning: > > Google Chrome 70 entered the Developer channel (aka "unstable") < > http://www.chromium.org/getting-involved/dev-channel> on Friday < > http://chromereleases.googleblog.com/2018/08/dev-channel-update-for-desktop_3.html> > and therefore is available to Linux users now. Because Asterisk is very > much developer centric, I expect that several Asterisk users and developers > are using Google Chrome in that channel. Therefore and because the re-issue > is free and because you could have gone for it since December already, > please, re-issue as soon as possible. > > Technical Notes: > > Enter CSR: If you enter the CSR used by our original order, you do not > have to change the private key on your server. Only the public certificates > must be changed. > > Hashing Algorithm = SHA-1 root: Your chain is going to resolve to > "DigiCert Global Root CA". Therefore, I recommend to add the intermediate > certificate to "Baltimore CyberTrust Root" < > http://ssl-tools.net/subjects/8051060132ad9ac27d5187a0e887fb01620155ee>. > This gives broader compatibility, even with legacy SSL/TLS clients, at no > additional costs. > > Hashing Algorithm = SHA-256 root: Your chain is going to resolve to > "DigiCert Global Root G2". Therefore, consider to add the intermediate to > "VeriSign Class 3 Public Primary Certification Authority - G5" < > http://ssl-tools.net/subjects/39d28b71fe1d19b65fb3f1288f23bc04595c4395> > and "VeriSign Class 3 Public Primary Certification Authority - G3" < > https://crt.sh/?caid=443> and "VeriSign Class 3 Public Primary > Certification Authority" (G1) < > http://ssl-tools.net/subjects/7a838e245f34e61aaa343e930d5a325a60c56d6c>. > Although those three anchors are not trusted either, up-to-date SSL/TLS > clients stop at the first trusted anchor in the chain and do not see those > older ones. This gives the broadest compatibility with legacy platforms. > However <https://bugzilla.mozilla.org/show_bug.cgi?id=1401384#c10>: > "[DigiCert is] strongly advising subscribers not to use [this particular] > cross-sign and, if used, remove [this] cross-sign prior to September 2018 > as [DigiCert is] not sure how the distrust will impact [this] cross-sign." > Therefore, I went for the Hashing Algorithm "SHA-1 root" on all my > installations. > > > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > asterisk-dev mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-dev
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-dev mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
