Torben,
the DigiCert SSL certificate checker confirms that repo.boundlessgeo.com
is misconfigured: it is not sending their intermediate certificate:
https://www.digicert.com/help/
******
The server is not sending the required intermediate certificate.
This server needs to be configured to include DigiCert's intermediate
certificate to avoid trust errors in web browsers.
******
Firefox (54.0) is happy, likely because the DigiCert SHA2 Secure Server
intermediate certificate is bundled with Firefox:
https://repo.boundlessgeo.com/snapshot/
OpenSSL is not, because of the missing intermediate certificate:
$ openssl s_client -connect repo.boundlessgeo.com:443
CONNECTED(00000003)
depth=0 C = US, ST = New York, L = New York, O = "Boundless Spatial, Inc.", OU = NA, CN = repo.boundlessgeo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = New York, L = New York, O = "Boundless Spatial, Inc.", OU = NA, CN = repo.boundlessgeo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
subject=/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2010 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7663F86026BB65FC8D86D401C154638338D6FFFBDA18E0760310DFF200CF7D51
Session-ID-ctx:
Master-Key: 1E98B5D40AB4798A1D9587D360D0E333E23EBFF0E661D952704919E70FD747A377469C762AB3E50CB50C9A7F192C837D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1500420480
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE
Kind regards,
--
Ben Caradoc-Davies <[email protected]>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
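
Added example, not part of the original message: a shell function that reads saved `openssl s_client` output and separates the missing-intermediate case shown above (only the leaf sent, verify code 20 or 21) from a clean verify. The function names, verdict strings and the second sample (a server sending leaf plus intermediate) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output by chain sent + verify code.
diagnose_chain() {
    awk '
    /^Certificate chain/ { in_chain = 1; next }
    /^---/               { in_chain = 0 }
    # "N s:<subject>" starts a certificate; its "i:<issuer>" line follows.
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
    /Verify return code: [0-9]+/ { sub(/.*code: /, ""); code = $0 + 0; seen = 1 }
    END {
        if (!seen || n == 0) { print "NO_DATA"; exit }
        if (code == 0) { print "OK " n " certificate(s) sent"; exit }
        # 21: only the leaf arrived and its issuer is not in the local store.
        # 20: an issuer could not be found locally.
        if ((code == 20 || code == 21) && n == 1 && iss[1] != subj[1]) {
            print "MISSING_INTERMEDIATE " iss[1]; exit
        }
        print "OTHER_VERIFY_ERROR " code
    }'
}

# Constructed sample: the session above, abridged, wrapped lines re-joined.
sample_as_captured() {
cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample (assumption): the same server once it also sends the intermediate.
sample_with_intermediate() {
cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=New York/L=New York/O=Boundless Spatial, Inc./OU=NA/CN=repo.boundlessgeo.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
    Verify return code: 0 (ok)
EOF
}

printf 'as captured: %s\n' "$(sample_as_captured | diagnose_chain)"
printf 'after fix:   %s\n' "$(sample_with_intermediate | diagnose_chain)"
```

Against a live host the input would come from `openssl s_client -connect host:443 </dev/null 2>&1 | diagnose_chain`.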