cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Jan Dittberner <jandd AT cacert.org>
- To: Bernhard Fröhlich <bernhard AT cacert.org>
- Cc: infrastructure-admin AT cacert.org, "Etienne Ruedin (CAcert Inc.)" <eruedin AT cacert.org>, cacert-sysadm AT lists.cacert.org, wiki-admin AT cacert.org
- Subject: Wiki call for help (Was: The cacert wiki is not secure)
- Date: Mon, 16 Sep 2019 09:50:13 +0200
On Sun, Sep 15, 2019 at 11:56:38PM +0200, Bernhard Fröhlich wrote:
> Hi infra admins,
>
> concerning the error messages reported today, is it possible that the WiKi
> server still has a certificate chain including the old root cert?
>
> If so, I guess that users who have not installed the CAcert roots at all
> will see this "algorithm disabled" error message instead of the expected
> "unknown issuer"...
>
> Can someone please check the certificate chain on the WiKi server?
This is very probable. The Wiki system has NO really active admin. Dirk and
I are taking care of it occasionally when we find the time. I will
check/update the certificate chain later, but the Wiki container needs more
love:
- System upgrade (it is still running on Debian GNU Linux 7 which is EOL)
- Move and update of documentation to infradocs (PRs for [1] via email or on
Github [2] are highly appreciated)
- Update of the Wiki software itself (I would prefer to use the official
Debian package if possible)
- Move the system configuration to Puppet [3]
- Improve monitoring [4] with some application specific checks [5]
[1] https://git.cacert.org/gitweb/?p=cacert-infradocs.git;a=summary
[2] https://github.com/CAcertOrg/cacert-infradocs/issues/1
[3] https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=summary
[4] https://monitor.cacert.org/monitoring/list/hosts?(host=%2Awiki%2A|host_display_name=%2Awiki%2A)#!/monitoring/list/services?host=wiki.infra.cacert.org
[5] https://git.cacert.org/gitweb/?p=cacert-icinga2-conf_d.git;a=summary
So a lot of help is needed and the certificate issue is just the tip of the
iceberg.
Kind regards
Jan
> -------- Forwarded Message --------
> Subject: Re: The cacert wiki is not secure
> Date: Sun, 15 Sep 2019 23:51:39 +0200
> From: Bernhard Fröhlich <bernhard AT cacert.org>
> Reply-To: Bernhard Fröhlich <bernhard AT cacert.org>
> To: Ryan Griggs <rgriggs AT hilltop.net>, CAcert-devel <cacert-devel AT lists.cacert.org>
>
>
>
> Ahh, yes, that's more helpful, thank you.
>
> *Short answer*: probably you still have the "old" CAcert root certificate(s)
> installed in your browser, or you have not installed the CAcert root
> certificate at all. The old root has the SHA1 fingerprint of
> 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33, while the
> current root certificate has the SHA1 fingerprint of
> DD:FC:DA:54:1E:75:77:AD:DC:A8:7E:88:27:A9:8A:50:60:32:52:A5. You should
> download the new root from the CAcert homepage, via
> https://www.cacert.org/index.php?id=3
>
> *Long answer*: The old root is self signed using the MD5 algorithm, which
> was fine in 2003 when it was first issued. In the meantime the MD5 algorithm
> has been proven to be easily breakable with current hardware, so MD5 was
> disabled in the browser and the error message below was invented.
>
> We have updated the root certificate early this year, which now has a
> self-signature created with SHA256, which is expected to be secure for some
> time in the future by the security community. So if you have the current
> root certificate imported then this message should not show up.
>
> Note that the algorithm of a self signature is absolutely irrelevant as far
> as "security" is concerned, since a self signature of a certificate in
> itself is absolutely irrelevant. But the browsers wanted to kick out the
> insecure algorithm, and did not want to implement an exception for
> self-signatures. This is perfectly understandable and sensible from a
> software development point of view. Even if it does not have very much to do
> with security.
>
> I hope this helps,
> Ted
>
> On 15.09.2019 at 23:15, Ryan Griggs wrote:
> >
> > To clarify, when accessing the Wiki, browsers display a certificate error.
> > Here is the message displayed by the Firefox browser. It is saying the
> > certificate uses an insecure algorithm which has been disabled.
> >
> > image.png
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > Ryan Griggs
> > Hilltop Computing
> > www.hilltop.net <http://www.hilltop.net>
> > 859-328-3223
> > Toll Free: 1 (888) 5-HILLTOP (888-544-5586)
> >
> >
> > On Sun, Sep 15, 2019 at 5:12 PM Bernhard Fröhlich <bernhard AT cacert.org> wrote:
> >
> > Hmmm, nothing is secure. OK, maybe death is secure...
> >
> > If you could go into a bit more detail about why (in your
> > opinion) the CAcert WiKi is not secure enough for what it is
> > intended to do then we could discuss the issue...
> >
> > Kind regards
> > Ted
> >
> >
> > On 15.09.2019 at 23:06, Timothy Lyons wrote:
> > > I'm glad I wasn't the only one...
> > > There are others too. Those need to get bumped up the old
> > > priority list (IMHO).
> > >
> > > Kindest regards,
> > > Tim
> > >
> > >
> > > ------------------------------------------------------------------------
> > > *From:* cacert-devel-request AT lists.cacert.org on behalf of Carilda Thomas <carilda.thomas AT gmail.com>
> > > *Sent:* Sunday, September 15, 2019 4:53:26 PM
> > > *To:* cacert-devel AT lists.cacert.org
> > > *Subject:* The cacert wiki is not secure
> > >
> > > **[EXTERNAL MAIL]
> > >
> > > I find this ironic.
> > >
> > > Regards,
> > > Carilda
> >
--
Jan Dittberner - CAcert Infrastructure Team Lead
Software Architect, Debian Developer
GPG-key: 4096R/0xA73E0055558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://jan.dittberner.info/
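Jan's plan to check the wiki's certificate chain, together with Ted's explanation of why an MD5-self-signed root trips the browser's "algorithm disabled" error, can be turned into a small audit. The script below is an added example, not code from this thread or from CAcert's infrastructure. It uses only the Python standard library: it walks the outer DER layout of each certificate to read the signature-algorithm OID, flags MD5 and SHA-1 signatures (browsers reject these even on a root's self-signature, exactly as Ted describes), and compares each certificate's SHA-1 fingerprint against the old-root fingerprint Ted quotes. All function names are my own; `fake_certificate` builds a constructed DER stand-in that has only the outer shape of a certificate (it is not a valid certificate) so the example runs offline.

```python
# Audit an X.509 chain the way a browser judges it: flag certificates whose signature
# algorithm browsers have disabled (MD5/SHA-1) and certificates matching a known-old
# root by SHA-1 fingerprint.  Standard library only; only the outer DER layout is read.
import base64
import hashlib
import re

SIG_ALG_NAMES = {  # signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Browsers refuse these even on a root's self-signature: the "algorithm disabled" error.
DISABLED_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}
# SHA-1 fingerprint of the old MD5-self-signed CAcert root, as quoted in the thread.
OLD_CACERT_ROOT_SHA1 = "13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33"

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value) for each element directly inside a constructed element."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, buf[vstart:vend]
        pos = vend

def decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in (*first, *arcs[1:]))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the OID inside the second field (AlgorithmIdentifier = SEQUENCE { OID, params })."""
    tag, start, end = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    sigalg = list(der_children(cert_der, start, end))[1][1]
    oid_tag, oid_raw = next(der_children(sigalg, 0, len(sigalg)))
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_raw)

def sha1_fingerprint(cert_der):
    """Colon-separated SHA-1 fingerprint, the form browsers and openssl print."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())

def check_chain(chain_der, blocked_fingerprints=(OLD_CACERT_ROOT_SHA1,)):
    """Return (position, reason) findings; an empty list means the chain passes."""
    findings = []
    for i, cert in enumerate(chain_der):
        fp = sha1_fingerprint(cert)
        if fp in blocked_fingerprints:
            findings.append((i, f"known old root, SHA1 fingerprint {fp}"))
        oid = signature_algorithm_oid(cert)
        if oid in DISABLED_SIG_ALGS:
            findings.append((i, f"signature algorithm {SIG_ALG_NAMES.get(oid, oid)} is disabled"))
    return findings

def load_pem_chain(text):
    """Parse the PEM blocks printed by `openssl s_client -showcerts` into DER."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def der_to_pem(cert_der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert_der).decode()}\n-----END CERTIFICATE-----\n"

# --- constructed sample input: the outer Certificate shape only, NOT a real certificate ---
def der_encode(tag, payload):
    """One DER element with short or long-form length."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1], *arcs[2:]]:
        chunks = [arc & 0x7F]
        while arc := arc >> 7:
            chunks.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunks))
    return der_encode(0x06, bytes(out))

def fake_certificate(sig_oid):
    tbs = der_encode(0x30, der_encode(0x02, b"\x02"))                       # placeholder tbs
    sigalg = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))  # AlgorithmIdentifier
    return der_encode(0x30, tbs + sigalg + der_encode(0x03, b"\x00" * 33))  # dummy BIT STRING
```

To audit a live server, save the PEM blocks printed by `openssl s_client -connect HOST:443 -servername HOST -showcerts` (HOST being the wiki's public name) to a file and pass its text to `load_pem_chain`; a finding on the last certificate of the served chain is the situation Bernhard asks about, where the server still sends the old MD5-self-signed root. `check_chain` does not verify the signatures themselves; it only reports what a browser would refuse to accept, which is all the error message in the thread is about.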