• 11
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

I recently ran into this issue of the Sectigo Root certs expiring on May 30th of this year: https://gist.github.com/minaguib/c8db186af450bceaaa7c452ba6a9901b

I updated the certificate chain on our servers and the change was seamless for all employees and users except ONE USER.

The single user experiencing problems is loading an invalid chain for our website. There is screenshots below.

Server-Side Notes:

  • The server has been updated and confirmed the certificate & chain is good to go (screenshot attached).
  • I have one single client that is still loading an invalid cert chain.
  • The server terminating TLS is an Amazon ALB instance.
  • The server certificate chain has been validated using an online service for sanity. There is a screenshot below showing this.

Client-Side Notes:

  • Deleted any "expired" or "invalid" entries in the Mac Keychain.

  • Searched the Mac Keychain for any reference to "AddTrust"

  • Fully cleared all browser cache. Chrome is up to date Version 83.0.4103.97 (however Safari also fails, so it's not the browser I don't think)

  • Date/Time checked

Here is what the end user is seeing in the browser cert chain:

Bad Cert Chain

Here is what EVERYONE ELSE sees when browsing to our website:

Good Cert Chain

Here is the validation from a 3rd party online service to confirm the chain validity:

Server Cert Chain

Figured this out.

The user is on MacOS 10.11 (El Capitan) which doesn't have modern root CA's and Apple stopped updating the OS in 2019.

Because of this, the Mac Keychain didn't have the updated Root CA so my site certificate wasn't trusted.

Clients Most Notably Impacted:

  • Apple Mac OS X 10.11 (El Capitan) or earlier
  • Apple iOS 9 or earlier
  • Google Android 5.0 or earlier
  • Microsoft Windows Vista & 7 if the Update Root Certificates Feature has been disabled since before June 2010
  • Microsoft Windows XP if an Automatic Root Update has not been received since before June 2010
  • Mozilla Firefox 35 or earlier
  • Oracle Java 8u50 or earlier
  • Embedded devices (especially copy machines) that have not installed a firmware update since before mid-2015

More details:

  • 0
Reply Report

Trending Tags