i too get the amsl cert in response to an opelssl cert query with a
bog standard starfield class 2 chain
% openssl s_client -connect secretariat.nanog.org:443
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.amsl.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure
Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure
Certification Authority/serialNumber=10688435
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2
Certification Authority
2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2
Certification Authority
i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2
Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGRDCCBSygAwIBAgIJAInJ3xG7x0IgMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
with chrome, https://secretariat.nanog.org gets me a redirect to
the insecure http://www.nanog.org/ (note lack of 's') via the
tls-failing cert, see above
> let's take the conversation off of nanog to spare the list.
one of the purposes of this list is for us to learn from eachother. in
this case, techniques for diagnosing tls & cert issues are worth
sharing. [ sadly, folk with bugs love to redirect discussion off public
media ]
randy
