Testing in a browser (Firefox) for https://juniper.net/ results in this: juniper.net uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer) http://superuser.com/questions/452063/the-certificate-is-not-trusted-because... Usually this indicates that someone rolled out a SSL certificate without either a) including the full CA chain (how to do this varies per webserver), or b) did not include the full CA chain within the certificate itself. It often has to do with a missing root CA. However, in the below output, I see mention of "Juniper Networks Root CA", which implies Juniper is self-signing their certs rather than getting them signed by an actual CA? If so, that's pretty disgraceful. Not that I have a problem with self-signed certs, but it's extremely rude in this particular case, given Juniper's role. Any errors below that say "unable to get local issuer certificate" are issues on my side, not Juniper's. $ echo | openssl s_client -showcerts -connect juniper.net:443 -servername juniper.net CONNECTED(00000004) depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net i:/emailAddress=ca-admin@juniper.net/C=US/ST=California/L=Sunnyvale/O=Juniper Networks, Inc./OU=Juniper Certificate Authority/CN=Juniper Networks Root CA -----BEGIN CERTIFICATE----- MIIGXzCCBcigAwIBAgIKJbNoLAADAABiuDANBgkqhkiG9w0BAQUFADCBxzEjMCEG CSqGSIb3DQEJARYUY2EtYWRtaW5AanVuaXBlci5uZXQxCzAJBgNVBAYTAlVTMRMw EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxHzAdBgNVBAoT Fkp1bmlwZXIgTmV0d29ya3MsIEluYy4xJjAkBgNVBAsTHUp1bmlwZXIgQ2VydGlm aWNhdGUgQXV0aG9yaXR5MSEwHwYDVQQDExhKdW5pcGVyIE5ldHdvcmtzIFJvb3Qg Q0EwHhcNMTMxMTE3MTgzODU0WhcNMTQxMjE1MjMwMTE4WjCBnTELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEeMBwG A1UEChMVSnVuaXBlck5ldHdvcmtzLEluYy4sMQswCQYDVQQLEwJJVDEUMBIGA1UE AxMLanVuaXBlci5uZXQxIjAgBgkqhkiG9w0BCQEWE2luZm9zZWNAanVuaXBlci5u ZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqrWoKPic/wxrgLOij s5ZsCLfjZTSckKJa4pYHK6Of3s/sat4xv5mn4s7zRiEdrBysxh8to3AS/95yooQw rIrSmdMj7SsBdL+LLneCRK3YjcPDl5wFrcDrDe3Lac3BrW7lf7pRXqbVQTkdRVqu XsN0dPsVMJMwsVN67pDFTgzdC6lsr0hUk9KHuE4xzq6QtIw+wGeRC1LurCPyNeK3 IYOZoGBzCcAWml7IewOcsJungImRhP2gA+fd8GyMq/XtlYk3qe6wRUpdLHtWqVo+ crT3fi75+6sXQgPasClANFeUY8/trp/uMnDHYYk97fIvuA3ifQa4uHNlmZQqoPW4 FV09AgMBAAGjggL0MIIC8DAdBgNVHQ4EFgQUNZrcnIfODAcQB42DZSvxGVdG06Uw HwYDVR0jBBgwFoAU4L0udxOaLltRmPqQUF3YFNFSLFkwggEsBgNVHR8EggEjMIIB HzCCARugggEXoIIBE4aBxWxkYXA6Ly8vQ049SnVuaXBlciUyME5ldHdvcmtzJTIw Um9vdCUyMENBKDMpLENOPWNhLWpucHIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUy MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9am5wcixE Qz1uZXQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNz PWNSTERpc3RyaWJ1dGlvblBvaW50hklodHRwOi8vcGtpLWpucHIuam5wci5uZXQv Q2VydEVucm9sbC9KdW5pcGVyJTIwTmV0d29ya3MlMjBSb290JTIwQ0EoMykuY3Js MIIBNwYIKwYBBQUHAQEEggEpMIIBJTCBugYIKwYBBQUHMAKGga1sZGFwOi8vL0NO PUp1bmlwZXIlMjBOZXR3b3JrcyUyMFJvb3QlMjBDQSxDTj1BSUEsQ049UHVibGlj JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE Qz1qbnByLERDPW5ldD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2Vy dGlmaWNhdGlvbkF1dGhvcml0eTBmBggrBgEFBQcwAoZaaHR0cDovL3BraS1qbnBy LmpucHIubmV0L0NlcnRFbnJvbGwvY2Etam5wci5qbnByLm5ldF9KdW5pcGVyJTIw TmV0d29ya3MlMjBSb290JTIwQ0EoMykuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBl AGIAUwBlAHIAdgBlAHIwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB MA0GCSqGSIb3DQEBBQUAA4GBAJgCkuAvazTRfAKkUzDam0qODNDq1OF8Umvssa3R eKO4eXaoH3JZK73WQKJ4HxaIFnqy4JR2ehGGDqZJ4TIjacTEtitgt2dQXzt2YWT2 V4m3MNdF5dst6Zvdq+cHkOdz9UXkbKdAruD5pt0wyCkDjzVaU7Ztx1rVmtJYcNQj oaKY -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net issuer=/emailAddress=ca-admin@juniper.net/C=US/ST=California/L=Sunnyvale/O=Juniper Networks, Inc./OU=Juniper Certificate Authority/CN=Juniper Networks Root CA --- No client certificate CA names sent --- SSL handshake has read 1796 bytes and written 440 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-SHA Session-ID: 47F350E104F506A8E205A90913D792131A7C755FF5C9E0082D87A6CF72983DAA Session-ID-ctx: Master-Key: AA29B55910F21512DE89949C17BFB7AE1C6B57A6A2A5D0398460B3503A5B4C9EEB0B69A02A0691EB16AF234D72DC6915 Key-Arg : None Start Time: 1388865376 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- $ openssl s_client -connect juniper.net:443 -servername juniper.net | openssl x509 -text depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=California/L=Sunnyvale/O=JuniperNetworks,Inc.,/OU=IT/CN=juniper.net/emailAddress=infosec@juniper.net verify error:num=21:unable to verify the first certificate verify return:1 Certificate: Data: Version: 3 (0x2) Serial Number: 25:b3:68:2c:00:03:00:00:62:b8 Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress=ca-admin@juniper.net, C=US, ST=California, L=Sunnyvale, O=Juniper Networks, Inc., OU=Juniper Certificate Authority, CN=Juniper Networks Root CA Validity Not Before: Nov 17 18:38:54 2013 GMT Not After : Dec 15 23:01:18 2014 GMT Subject: C=US, ST=California, L=Sunnyvale, O=JuniperNetworks,Inc.,, OU=IT, CN=juniper.net/emailAddress=infosec@juniper.net Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:aa:ad:6a:0a:3e:27:3f:c3:1a:e0:2c:e8:a3:b3: 96:6c:08:b7:e3:65:34:9c:90:a2:5a:e2:96:07:2b: a3:9f:de:cf:ec:6a:de:31:bf:99:a7:e2:ce:f3:46: 21:1d:ac:1c:ac:c6:1f:2d:a3:70:12:ff:de:72:a2: 84:30:ac:8a:d2:99:d3:23:ed:2b:01:74:bf:8b:2e: 77:82:44:ad:d8:8d:c3:c3:97:9c:05:ad:c0:eb:0d: ed:cb:69:cd:c1:ad:6e:e5:7f:ba:51:5e:a6:d5:41: 39:1d:45:5a:ae:5e:c3:74:74:fb:15:30:93:30:b1: 53:7a:ee:90:c5:4e:0c:dd:0b:a9:6c:af:48:54:93: d2:87:b8:4e:31:ce:ae:90:b4:8c:3e:c0:67:91:0b: 52:ee:ac:23:f2:35:e2:b7:21:83:99:a0:60:73:09: c0:16:9a:5e:c8:7b:03:9c:b0:9b:a7:80:89:91:84: fd:a0:03:e7:dd:f0:6c:8c:ab:f5:ed:95:89:37:a9: ee:b0:45:4a:5d:2c:7b:56:a9:5a:3e:72:b4:f7:7e: 2e:f9:fb:ab:17:42:03:da:b0:29:40:34:57:94:63: cf:ed:ae:9f:ee:32:70:c7:61:89:3d:ed:f2:2f:b8: 0d:e2:7d:06:b8:b8:73:65:99:94:2a:a0:f5:b8:15: 5d:3d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 35:9A:DC:9C:87:CE:0C:07:10:07:8D:83:65:2B:F1:19:57:46:D3:A5 X509v3 Authority Key Identifier: keyid:E0:BD:2E:77:13:9A:2E:5B:51:98:FA:90:50:5D:D8:14:D1:52:2C:59 X509v3 CRL Distribution Points: URI:ldap:///CN=Juniper%20Networks%20Root%20CA(3),CN=ca-jnpr,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint URI:http://pki-jnpr.jnpr.net/CertEnroll/Juniper%20Networks%20Root%20CA(3).crl Authority Information Access: CA Issuers - URI:ldap:///CN=Juniper%20Networks%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=jnpr,DC=net?cACertificate?base?objectClass=certificationAuthority CA Issuers - URI:http://pki-jnpr.jnpr.net/CertEnroll/ca-jnpr.jnpr.net_Juniper%20Networks%20Ro... 1.3.6.1.4.1.311.20.2: ...W.e.b.S.e.r.v.e.r X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Signature Algorithm: sha1WithRSAEncryption 98:02:92:e0:2f:6b:34:d1:7c:02:a4:53:30:da:9b:4a:8e:0c: d0:ea:d4:e1:7c:52:6b:ec:b1:ad:d1:78:a3:b8:79:76:a8:1f: 72:59:2b:bd:d6:40:a2:78:1f:16:88:16:7a:b2:e0:94:76:7a: 11:86:0e:a6:49:e1:32:23:69:c4:c4:b6:2b:60:b7:67:50:5f: 3b:76:61:64:f6:57:89:b7:30:d7:45:e5:db:2d:e9:9b:dd:ab: e7:07:90:e7:73:f5:45:e4:6c:a7:40:ae:e0:f9:a6:dd:30:c8: 29:03:8f:35:5a:53:b6:6d:c7:5a:d5:9a:d2:58:70:d4:23:a1: a2:98 -----BEGIN CERTIFICATE----- MIIGXzCCBcigAwIBAgIKJbNoLAADAABiuDANBgkqhkiG9w0BAQUFADCBxzEjMCEG CSqGSIb3DQEJARYUY2EtYWRtaW5AanVuaXBlci5uZXQxCzAJBgNVBAYTAlVTMRMw EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxHzAdBgNVBAoT Fkp1bmlwZXIgTmV0d29ya3MsIEluYy4xJjAkBgNVBAsTHUp1bmlwZXIgQ2VydGlm aWNhdGUgQXV0aG9yaXR5MSEwHwYDVQQDExhKdW5pcGVyIE5ldHdvcmtzIFJvb3Qg Q0EwHhcNMTMxMTE3MTgzODU0WhcNMTQxMjE1MjMwMTE4WjCBnTELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEeMBwG A1UEChMVSnVuaXBlck5ldHdvcmtzLEluYy4sMQswCQYDVQQLEwJJVDEUMBIGA1UE AxMLanVuaXBlci5uZXQxIjAgBgkqhkiG9w0BCQEWE2luZm9zZWNAanVuaXBlci5u ZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqrWoKPic/wxrgLOij s5ZsCLfjZTSckKJa4pYHK6Of3s/sat4xv5mn4s7zRiEdrBysxh8to3AS/95yooQw rIrSmdMj7SsBdL+LLneCRK3YjcPDl5wFrcDrDe3Lac3BrW7lf7pRXqbVQTkdRVqu XsN0dPsVMJMwsVN67pDFTgzdC6lsr0hUk9KHuE4xzq6QtIw+wGeRC1LurCPyNeK3 IYOZoGBzCcAWml7IewOcsJungImRhP2gA+fd8GyMq/XtlYk3qe6wRUpdLHtWqVo+ crT3fi75+6sXQgPasClANFeUY8/trp/uMnDHYYk97fIvuA3ifQa4uHNlmZQqoPW4 FV09AgMBAAGjggL0MIIC8DAdBgNVHQ4EFgQUNZrcnIfODAcQB42DZSvxGVdG06Uw HwYDVR0jBBgwFoAU4L0udxOaLltRmPqQUF3YFNFSLFkwggEsBgNVHR8EggEjMIIB HzCCARugggEXoIIBE4aBxWxkYXA6Ly8vQ049SnVuaXBlciUyME5ldHdvcmtzJTIw Um9vdCUyMENBKDMpLENOPWNhLWpucHIsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUy MFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9am5wcixE Qz1uZXQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNz PWNSTERpc3RyaWJ1dGlvblBvaW50hklodHRwOi8vcGtpLWpucHIuam5wci5uZXQv Q2VydEVucm9sbC9KdW5pcGVyJTIwTmV0d29ya3MlMjBSb290JTIwQ0EoMykuY3Js MIIBNwYIKwYBBQUHAQEEggEpMIIBJTCBugYIKwYBBQUHMAKGga1sZGFwOi8vL0NO PUp1bmlwZXIlMjBOZXR3b3JrcyUyMFJvb3QlMjBDQSxDTj1BSUEsQ049UHVibGlj JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE Qz1qbnByLERDPW5ldD9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2Vy dGlmaWNhdGlvbkF1dGhvcml0eTBmBggrBgEFBQcwAoZaaHR0cDovL3BraS1qbnBy LmpucHIubmV0L0NlcnRFbnJvbGwvY2Etam5wci5qbnByLm5ldF9KdW5pcGVyJTIw TmV0d29ya3MlMjBSb290JTIwQ0EoMykuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBl AGIAUwBlAHIAdgBlAHIwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMB MA0GCSqGSIb3DQEBBQUAA4GBAJgCkuAvazTRfAKkUzDam0qODNDq1OF8Umvssa3R eKO4eXaoH3JZK73WQKJ4HxaIFnqy4JR2ehGGDqZJ4TIjacTEtitgt2dQXzt2YWT2 V4m3MNdF5dst6Zvdq+cHkOdz9UXkbKdAruD5pt0wyCkDjzVaU7Ztx1rVmtJYcNQj oaKY -----END CERTIFICATE----- read:errno=0 -- | Jeremy Chadwick jdc@koitsu.org | | UNIX Systems Administrator http://jdc.koitsu.org/ | | Making life hard for others since 1977. PGP 4BD6C0CB | On Sat, Jan 04, 2014 at 02:41:22PM -0500, Chuck Anderson wrote:
For me it fails on both a WiFi hotspot and VZW 4G from the phone, but it works from both lynx and elinks on a remote server via ConnectBot SSH. I'm not at a desktop to try a regular desktop browser, but it does also fail with "request desktop site" on Chrome.
These all fail:
http://www.juniper.net https://www.juniper.net http://juniper.net https://juniper.net
The SSL ones return a "this cert is not signed by a trusted CA"
This works:
which redirects to the mobile site on m.juniper.net.
On Sat, Jan 04, 2014 at 11:32:32AM -0800, Scott Howard wrote:
Working fine on Comcast in the SF Bay Area.
Strangely, juniper.net redirects to https://www.juniper.net (note the https), however www.juniper.net does NOT redirect to https...
Scott
On Sat, Jan 4, 2014 at 11:23 AM, Chuck Anderson <cra@wpi.edu> wrote:
Using both Chrome and Firefox on my Android phone, I'm getting 404 for all of http://juniper.net. Is anyone else seeing this?
_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages