
cacert-de - I currently can't trust using - it seems to use an invalid certificate to sign the content.

Subject: Deutschsprachige CAcert Support Liste

  • From: tverrbjelke <tverrbjelke AT>
  • To: cacert-de AT, cacert-support AT
  • Subject: I currently can't trust using - it seems to use an invalid certificate to sign the content.
  • Date: Tue, 19 Nov 2013 11:06:18 +0100


I already opened an issue


Since the 16th of November 2013 I have been experiencing a problem with a strange
certificate at

When I go and then "log in via password" the used certificate of that
page is unknown to me and my browser.

Browser shows me "connection untrusted". I use Firefox V 25 ubuntu
canonical. Same on my lappy, but has same browser.

So why is the page itself signed by another - unknown - certificate?

Same problem applies to

I currently can't trust - it seems to use an invalid

Maybe I did miss something, but *maybe* the site has been subverted?
I would like to assert someone today, but I won't login until the
problem is solved / cleared.


Yes, I already (months ago) did import the cacert certificates, class3
used to authenticate web pages.

I verified if my versions of the certificates (inside firefox and
also the downloaded version on my backup-drive) are the same that are
presented online at the site:

I compare the sha1sums and md5sum and my result is:
All root class1 and class3 are OK:

$ sha1sum cacert-root-class3-2012.der.crt
ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce cacert-root-class3-2012.der.crt

So theoretically any correctly signed page should be accepted by my

Visiting the site and temporarily accepting the cert ("I know the
Then checking the actually used cert for
I see an unknown cert, serial number "0B:B3:C6". I exported that cert
and attached this as (so named by me) "fake-www.cacert..." so you can
check yourself what I mean...

The fake-cert has this checksum:

$ sha1sum

I am not sure, maybe it is related to this
/view.php?id=1217 - "0001217: Add the root certificates in CER-Format
on Index.php?id=3 " - but then why is my problem also existing at at ?

so... I am clueless... researching the net I didn't find more...
maybe I am having a blind spot, maybe I am dumb, but maybe this is a
*serious* issue...

I attached all mentioned certs: correct root-class1 and class3 and the
potentially fraudulent / fake class3 cert. And their fingerprints.

thankful for any assistance,



Attachment: cacert-issue.tar.gz
Description: application/gzip

Attachment: cacert-issue.tar.gz.sig
Description: Binary data
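
Added example, not part of the original message: the two checks described above (comparing a stored root's SHA-1 against the published value, and reading the serial number of the certificate a site actually presents) done on raw DER bytes with the Python standard library. The function names and the SAMPLE structure are constructed for illustration; SAMPLE is only a certificate-shaped fragment carrying the serial quoted in the message, not a real certificate.

```python
import hashlib
import hmac

# SHA-1 of cacert-root-class3-2012.der.crt, as quoted in the message above.
CLASS3_SHA1 = "ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def serial_number(der):
    """Serial of an X.509 certificate in the colon-hex form browsers display."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be decoded first)")
    tag, pos, _ = read_tlv(der, start)      # TBSCertificate ::= SEQUENCE
    tag, vstart, vend = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version precedes the serial
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02X}" for b in der[vstart:vend])

def matches_pinned(der, pinned_sha1_hex):
    """True if the file's SHA-1 (what `sha1sum` prints) equals the pinned value."""
    actual = hashlib.sha1(der).hexdigest()
    return hmac.compare_digest(actual, pinned_sha1_hex.strip().lower())

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length only (body < 128 bytes)

# Constructed sample: only the outer framing, version and serial of a certificate.
SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))
                          + _tlv(0x02, bytes.fromhex("0BB3C6"))))

if __name__ == "__main__":
    print("serial:", serial_number(SAMPLE))
    print("is pinned class3 root:", matches_pinned(SAMPLE, CLASS3_SHA1))
```

A matching root fingerprint only shows the local trust anchor is the published one; whether the presented certificate chains to it is a separate signature check that this sketch does not perform.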
