IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Internet Forum / Wade is likely right + couple of things to check
Post #434,258
by scoenye
6/1/20 8:14:46 AM
6/1/20 8:14:46 AM
Reply
New Wade is likely right + couple of things to check
The full chain is
www.kqed.org: from 03/21/2019 to 03/21/2021
Sectigo RSA Extended Validation Secure Server CA: 11/02/2018 - 12/31/2030
USERTrust RSA Certification Authority: 02/01/2010 - 01/18/2038

Check the Mac's keystore for those last two. It is possibly to locally mark certificates as untrusted, so check for that as well.

The few times I tried, I've found Safari upgrades to be tied to OS upgrades. Unless Apple recently changed it's mind, you may have to install missing certs manually.
Post #434,264
by Ashton
6/1/20 7:47:41 PM
6/1/20 7:47:41 PM
Reply
New Going there:
Keychain Access.app invoked; options:
All Items
Passwords
Secure Notes
My Certificates
Keys
Certificates ... [pity: no bloody Cut/Paste, just stone-knives. bearskins to re-write]

[All Items] 17 items (incl "CUPS Self-Signed Certificate", as 'private key': more below on That] no mention of 'Sectigo'
Also: https://talkingpointsmemo.com/edblog/surveying-the-whirlwind AS: c-73-158-167-161.hsd1.ca.comcast.net

Thence root-login and display of that last "c-73-i58 item ... gets new window:

Icon says: [Certificate; below that: Root] Its bolded header IS ""c-73-i58 item" and last line of Intro sez, This root certificate is not trusted [in Red]
It seems that I can delete this entry.. maybe should but await Instruction. Presumably the other 16 items will continue to operate unremarkably.

If I focus on mentioned CUPS line, Rt-click gets {Sigh} more options:
Copy, Paste, Delete
Export
Get info
Create a Cert w/Cups ditto
Request a Certificate From a Certificate Authority w/ditto-name
Create a Certificate Authority With w/ditto-name

{Particle accelerators are more complex but sans boring, endless drill-downs of arbitrary /opaque intent :-/

Sorry if this is too-much; sorrier if it's not-Enough, eh? n-Thanks for sharing the Excitement of RED-things appearing.
Is it likely that simply Deleting that reddish-LINE can undo the Evil black-listing of kqed?
I'm All Ears, (Ah feels the Power of ... Admin-for ..a couple hours) ;^>

Repeat: Sectigo appears nowhere atop/within any of these texts.
Checking 'Spotlite', for giggles: Nope, That doesn't find any iteration save the obvious refs re this Query,

Over /Out ... need some Southrun Comfort in the coffee, lest lapsing into a crazed .. ...rm -r hda0
Post #434,270
by scoenye
6/1/20 10:10:44 PM
6/1/20 10:48:51 PM
Reply
New Don't nuke the CUPS certificate
CUPS is Apple's print server setup. It is essentially a tangled set of web services and these days, encryption is enabled by default. Kill the cert and your printer may stop talking to you.

Self-signed means the cert isn't trusted beyond the local computer. That is fine for the use CUPS puts it to.

c-73-158-167-161.hsd1.ca.comcast.net is the Comcast hostname for a residential (dynamic) IP address (73.158.167.161). I can't say why Apple would have it in the keychain but if Comcast is your ISP, then it could be your cable modem.

TPM draws a "Connection not secure" error because the protected page contains unprotected links. That complaint is genuine, it is not due to a certificate problem.

If all else fails and the problem persists, you can manually download and install the cert chain from Sectigo (although, based on your adventures further down, you may have to override Safari's error dialogs.)
Expand Edited by scoenye June 1, 2020, 10:48:51 PM EDT
Expand All History
Post #434,274
by Ashton
6/1/20 11:10:37 PM
6/1/20 11:10:37 PM
Reply
New Gracias..
Discovered *CUPS back in the Knoppix days, should have recalled that (guess I imagined that, if nuked, it would re-create-self on a reboot). Part-2: but not if it calls the same cert from same place. Duh.
* even managed to make it er, Print {pats ego mildly}.

In any event -- I didn't. :)

As to Box's confirmation of similar conflagration, surely we'll hear soon (?) if this was Vlad-the-Impaler or similar.
Don't care lots about the silly-level inconvenience; next: is someone fabricating an App, should this fix need a bit of individual action by multitudes..

Apreciate the brain-work, again.
     I'm back; this time re "Sectigo" - (Ashton) - (21) - June 2, 2020, 02:20:04 AM EDT
         Sounds like an update is needed. - (static) - May 31, 2020, 11:52:10 PM EDT
         Also, thanks. - (static) - May 31, 2020, 11:54:07 PM EDT
         Wade is likely right + couple of things to check - (scoenye) - (3) - June 1, 2020, 08:14:46 AM EDT
             Going there: - (Ashton) - (2) - June 1, 2020, 07:47:41 PM EDT
                 Don't nuke the CUPS certificate - (scoenye) - (1) - June 1, 2020, 10:48:51 PM EDT
                     Gracias.. - (Ashton) - June 1, 2020, 11:10:37 PM EDT
         Here's a page that might help, if you can get there. - (Another Scott) - (1) - June 1, 2020, 09:00:07 AM EDT
             Hm: gives important also-too CLUE! (Can't Go-->There, either) - (Ashton) - June 1, 2020, 08:04:51 PM EDT
         Something happened with SSL certs yesterday - (malraux) - (11) - June 1, 2020, 09:53:03 AM EDT
             Thanks.. helps out, 'the Loneliness of the Long-distance tyro-Debugger .. a bit :-) -NT - (Ashton) - (10) - June 1, 2020, 07:50:15 PM EDT
                 major cert trust domain issue yesterday - (boxley) - (9) - June 1, 2020, 09:56:18 PM EDT
                     CRL lookup service blowout? The only thing I can think of that would cause widespread mayhem. -NT - (scoenye) - (3) - June 1, 2020, 10:49:53 PM EDT
                         Heh.. that moniker sent moi --> Belgium and a ∆ re (my) access to Sectigo. - (Ashton) - (2) - June 1, 2020, 11:33:25 PM EDT
                             That is what is going on - (scoenye) - (1) - June 2, 2020, 08:02:24 AM EDT
                                 Excellent--Lots of peripheral info there too; Bonus. -NT - (Ashton) - June 2, 2020, 06:45:09 PM EDT
                     Still going on. - (malraux) - (4) - June 1, 2020, 11:15:53 PM EDT
                         we use a gummint cert internal to ourselves - (boxley) - (3) - June 1, 2020, 11:27:42 PM EDT
                             We didn't have browser issues - (malraux) - (2) - June 2, 2020, 08:50:16 AM EDT
                                 Sectigo's SHA-1 root + intermediate certs expired. - (scoenye) - (1) - June 2, 2020, 10:40:27 AM EDT
                                     I don't think that's all that happened. - (malraux) - June 2, 2020, 10:44:11 AM EDT
         Teapot; Tempest-in: Thanks all! stuff works. The post-mortem amusement awaits.. -NT - (Ashton) - June 2, 2020, 04:26:24 AM EDT

We're gonna make this night... last fo-evah!
89 ms