Certificate issue connecting to https://shareyourcloning.api.genestorian.org/
Hi Manuel, you saw this previously in the call but I wanted to document it here. When connecting to shareyourcloning.org I get greeted by a "Backend server is down" message. If I run my connection via a VPN then it works; however, if there's some root issue here I think it would be good to address. I can't really share the site at the moment with other people at the university as we all have this problem; maybe people at other institutions will have something similar also.
When navigating to shareyourcloning.api.genestorian.org I get an error with the header "Your connection isn't private"; expanding the error to get all details shows the message below. I imagine this is something related to the hosting service, but it's really not something I am familiar with.
NET::ERR_CERT_AUTHORITY_INVALID
Subject: shareyourcloning.api.genestorian.org
Issuer: FG3K4ETB19900473
Expires on: Aug 31, 2024
Current date: Jul 24, 2024
PEM encoded chain:
Certificate Transparency:
SCT Let's Encrypt 'Oak2024H2' log (Embedded in certificate, Invalid signature)
SCT Google 'Argon2024' log (Embedded in certificate, Invalid signature)
@JamesBagley The certificate of this URL is a Let's Encrypt certificate, perfectly valid.
If it works with a VPN, it means your computer accepts the certificate authority, so that's not the issue here. You can see the cert here https://crt.sh/?id=13265553699, it's perfectly valid. I'm not sure how you can get a CERT_AUTHORITY_INVALID error, unless your institution is doing something nasty, such as decrypting all your traffic. Do you know if there is a mandatory proxy + mandatory Certificate Authority to install on all computers? Even then, it shouldn't choke on a LE cert...
Just to make sure, can you share a bit about your setup? Operating system + version, browser + version.
Hi Nicolas, thanks for the response. I'm on Windows 10 22H2 with Chrome 126.0.6478.128. I don't really know much about the setup of the networking here to be honest. I get the same block when I try and access the site from my phone via the institution's wifi (no issue when on data), so I wouldn't expect it to be something installed locally on the PC as the phone is my own.
But clearly, only when using the institution network you get an issue. I'd open a ticket with your IT, because the issue is not on genestorian's side.
Hi @NicolasCARPi thanks for responding, I would have tagged you otherwise!
@JamesBagley I can't say much on my side either, I barely know how the whole signature thing works. Just to double-check, can you access this site that is served by the same server? https://prototype.genestorian.org/
The reason why you may be able to access the frontend and not the backend is that the frontend is hosted by Netlify and has different certificates. As Nico said, perhaps asking IT would be good. Maybe they have to whitelist the site or something like that?
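One way to test the hypothesis raised in the thread (that the institution's network replaces the site's certificate) is to fingerprint the leaf certificate served on each network and compare. This is an added example, not code from the thread or from the project; the function names are hypothetical, and it assumes a reference SHA-256 fingerprint taken on a network where the site works (VPN or mobile data) or from the crt.sh entry linked above.

```python
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fetch_leaf_der(host, port=443, timeout=10):
    """DER bytes of the leaf certificate served on the current network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # capture the cert even if it is untrusted;
    ctx.verify_mode = ssl.CERT_NONE  # no application data is sent on this connection
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def leaf_der_from_pem_chain(pem_text):
    """DER bytes of the first (leaf) certificate in a pasted PEM chain."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])


def sha256_fingerprint(cert):
    """Accept DER bytes or PEM text; return the lowercase hex SHA-256."""
    if isinstance(cert, str):
        cert = leaf_der_from_pem_chain(cert)
    return hashlib.sha256(cert).hexdigest()


def same_certificate(reference_fp, observed):
    """True if `observed` (DER or PEM) hashes to the reference fingerprint."""
    normalized = reference_fp.replace(":", "").replace(" ", "").lower()
    return normalized == sha256_fingerprint(observed)


if __name__ == "__main__":
    # Usage: python check_cert.py HOST [REFERENCE_SHA256]
    host = sys.argv[1]
    der = fetch_leaf_der(host)
    print(host, sha256_fingerprint(der))
    if len(sys.argv) > 2:
        ok = same_certificate(sys.argv[2], der)
        print("same certificate" if ok else "certificate differs on this network")
```

A mismatch can also mean the server renewed its certificate between the two runs, so take both fingerprints close together; the PEM chain copied from the browser error page can be passed to `sha256_fingerprint` directly.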