On 26-02-15 20:52, Marc Gemis wrote: > Somewhere last weekend a new certificate was installed on osm.org > <http://osm.org>. It's some kind of weird certificate (don't know the > details, but it was discussed on the josm-dev mailing list), since it is > signed by startssl.
StartSSL is a free certificate provider, and most probably firefox doesn't have the intermediate certificate chain on board which means it cannot verify. That is probably the reason, although I do not see startSSL as the certificate writer, I see rapidSSL instead. startSSL is not really a great one to use actually for a site like this. Apple products have the same problem with the latest GoDaddy certificates. https://www.sslshopper.com/cheapest-ssl-certificates.html You might want to try this in firefox: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.openstreetmap.org And see if it gives you a chain error or not. It will work in chrome, but it depends on the browser. If you don't get the all-green in firefox, you just need to assemble a chain file with the missing intermediate certificates so the browser can validate. Note, this heavily depends on firefox (/browser) version, I see in my FF that it loads the intermediates fine: Common name: RapidSSL CA Organization: GeoTrust, Inc. Location: US Valid from February 19, 2010 to February 18, 2020 Serial Number: 145105 (0x236d1) Signature Algorithm: sha1WithRSAEncryption Issuer: GeoTrust Global CA Common name: GeoTrust Global CA Organization: GeoTrust Inc. Location: US Valid from May 20, 2002 to August 20, 2018 Serial Number: 1227750 (0x12bbe6) Signature Algorithm: sha1WithRSAEncryption Issuer: Equifax Glenn _______________________________________________ Talk-be mailing list Talk-be@openstreetmap.org https://lists.openstreetmap.org/listinfo/talk-be