#1 Posted by leebmx (2238 posts) -

I don't seem to be able to log in on one of the computers (my main one sadly). I use Chrome and every time I click on login it takes me to the SSL problem page saying that it can't authenticate the certificate. I have tried on other browsers and it has the same problem.

I have tried clearing the cache, logging off my network and back on, synchronising the internet time and adding giantbomb.com to my list of trusted sites, but nothing seems to work.

I can't remember exactly the last time I could login but it was very recently and I am wondering if it might have something to do with your server switch on Thurs.

Can you help, or is it some problem with my computer? (I can log into my email and other secure sites if this makes a difference)

Thanks guys, still love the site :)

#2 Posted by Rorie (2853 posts) -
Staff
#3 Posted by Demoskinos (14733 posts) -

@leebmx: You can always try flushing your DNS.

#4 Posted by leebmx (2238 posts) -

@rorie: Thanks!

This is the message if it helps:

Cannot connect to the real auth.giantbomb.com

Something is currently interfering with your secure connection to auth.giantbomb.com.

Try to reload this page in a few minutes or after switching to a new network. If you have recently connected to a new Wi-Fi network, finish logging in before reloading.

If you were to visit auth.giantbomb.com right now, you might share private information with an attacker. To protect your privacy, Chrome will not load the page until it can establish a secure connection to the real auth.giantbomb.com.

Reload Less

What does this mean?

auth.giantbomb.com normally uses encryption (SSL) to protect your information. When Chrome tried to connect to auth.giantbomb.com this time, auth.giantbomb.com returned unusual and incorrect credentials. Either an attacker is trying to pretend to be auth.giantbomb.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

Network errors and attacks are usually temporary, so this page will probably work later. You can also try switching to

The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to protect your information.

Error type: Malformed certificate

Subject: *.giantbomb.com

Issuer: DigiCert SHA2 High Assurance Server CA

Public key hashes: sha1/Ix5//S/S32QNo4AEOlGXK5cSXIk= sha256/

z+Z6sCPoH3Jdw734ILTLeEHmRuGV44G1fGDjfxvLuwc= sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs= sha256/

k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws= sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM= sha256/

WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=

#5 Posted by leebmx (2238 posts) -

@leebmx: You can always try flushing your DNS.

What is that and how do I do that?

#6 Posted by Demoskinos (14733 posts) -

Go to chrome://net-internals/#dns then hit the "Clear Host Cache" button. Exit out of Chrome and restart it and see if it doesn't work then. Might not, but it's something to try at least.

#7 Posted by LordAndrew (14426 posts) -

Digicert's SSL certificate checker says the intermediate certificate is not installed.

The server is not sending the required intermediate certificate.

This server needs to be configured to include DigiCert's intermediate certificates during SSL handshakes. You may not notice a problem when using Internet Explorer because it can follow the http link to the intermediate certificate embedded in the certificate's 'Authority Information Access' extension, but Firefox, Safari, and other browsers will likely complain until the intermediate certificates are installed and configured on the server. For instructions on how to achieve this, please check the installation guide for your platform in the SSL certificate installation section of our site. If you have any problems correcting this issue, please contact our helpful support team and we would be happy to assis

#8 Posted by mrpibb (469 posts) -

@leebmx: Are you on Windows XP SP2 or Windows Server 2003 SP2? If so, you'll need to update to SP3 to support the new certificates.

Staff
#9 Posted by leebmx (2238 posts) -

@mrpibb: Not sure, I'll check tomorrow and get back to you. I assume it's pretty easy to find out which service pack I am on.

#10 Edited by flippyandnod (373 posts) -

I think he's right.

Here is the returned certificate chain.

    openssl s_client -connect www.giantbomb.com:https </dev/null
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=CBS Interactive Inc./CN=*.giantbomb.com
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
    ---

Now compare this to a site which is set up correctly:

    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---

Giantbomb (including www.giantbomb.com) is only sending the certificate for the host. Other sites send the entire chain up to the one signed by the trusted certificate.

The DigiCert SHA2 High Assurance Server CA is not a root (trusted) certificate, but is instead signed by DigiCert High Assurance EV Root CA, the first one at the link here:

https://www.digicert.com/digicert-root-certificates.htm

Indeed, GB needs to pass along every cert in the chain except for the root, and they are not doing so.

Digicert's SSL certificate checker says the intermediate certificate is not installed.

The server is not sending the required intermediate certificate.

This server needs to be configured to include DigiCert's intermediate certificates during SSL handshakes. You may not notice a problem when using Internet Explorer because it can follow the http link to the intermediate certificate embedded in the certificate's 'Authority Information Access' extension, but Firefox, Safari, and other browsers will likely complain until the intermediate certificates are installed and configured on the server. For instructions on how to achieve this, please check the installation guide for your platform in the SSL certificate installation section of our site. If you have any problems correcting this issue, please contact our helpful support team and we would be happy to assis
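
Added example (not written by any poster in the thread): a shell function that applies the comparison from post #10 mechanically to `openssl s_client` output, flagging any issuer that the server did not send and that is not in a trust list. The names `chain_check`, `gb_chain`, `ok_chain` and the `ROOTS` trust list are assumptions made for the example; the two sample chains are the ones posted above.

```shell
#!/bin/sh
# Reads `openssl s_client` output on stdin and lists every issuer the server
# neither sent nor the client trusts. Names are compared as text only; no
# signatures are verified. $1: newline-separated trusted root subject names.
chain_check() {
    TRUSTED_ROOTS="$1" awk '
        BEGIN { bad = 0; n = split(ENVIRON["TRUSTED_ROOTS"], r, "\n")
                for (k = 1; k <= n; k++) trusted[r[k]] = 1 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/  { in_chain = 0 }   # exact match: PEM lines begin with -----
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); sent[$0] = 1; count++ }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer[count] = $0 }
        END {
            if (count == 0) { print "no certificate chain in input"; exit 2 }
            for (j = 1; j <= count; j++)
                if (!(issuer[j] in sent) && !(issuer[j] in trusted)) {
                    print "MISSING: " issuer[j]; bad = 1
                }
            if (!bad) print "OK: " count " certificate(s) sent, every issuer is sent or trusted"
            exit bad
        }'
}

# Stand-in trust store (assumption). The full DigiCert root name is not quoted in the thread.
ROOTS='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'

gb_chain() { cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=CBS Interactive Inc./CN=*.giantbomb.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
EOF
}

ok_chain() { cat <<'EOF'
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
EOF
}

gb_chain | chain_check "$ROOTS" || true
ok_chain | chain_check "$ROOTS"
```

Against a live server, pipe the output of the `openssl s_client` command from post #10 into `chain_check` instead of a sample. Newer OpenSSL releases print names in a different layout, but subject and issuer share that layout, so the text comparison still works.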

#11 Posted by mrpibb (469 posts) -

@flippyandnod: Thanks, I'll get that fixed. Moving to the new colo, we forgot about the intermediate SSL certs. That said, I think the error he has is actually due to Windows XP2 not supporting SHA 256 encryption.

Staff
#12 Posted by flippyandnod (373 posts) -
@mrpibb said:

@flippyandnod: Thanks, I'll get that fixed. Moving to the new colo, we forgot about the intermediate SSL certs. That said, I think the error he has is actually due to Windows XP2 not supporting SHA 256 encryption.

SHA256 isn't an encryption. It's being used for an HMAC here. But you could be right, I didn't notice that your cert uses SHA256 for the signature. Does DigiCert recommend that now?

#13 Posted by mrpibb (469 posts) -

@flippyandnod: *smacks head* Yeah, I misspoke. Long day, longer weekend ;) . We ran into the same issue w/ some CV users, which is why I knew to look for the malformed certificate error message.

Staff
#14 Posted by leebmx (2238 posts) -
#15 Edited by Lunnington (173 posts) -

I'm getting this error on Chrome for Android. Here is a screenshot:

#16 Edited by flippyandnod (373 posts) -

@lunnington: The problem with the truncated cert chain on the GB servers isn't fixed yet (I just checked).

I'm sure mrpibb will post here when that problem is fixed. Hopefully that'll fix your Android device. I expect it will since Android surely is up-to-date enough to support SHA256 signing.

#17 Posted by flippyandnod (373 posts) -

@lunnington: That doesn't happen for me on my Android device. Running 4.4.2. Even without the certs in the GB site fixed.

So if you're seeing it you have another problem. Maybe you are using an old Android? Or you removed certs from your trusted list?

#18 Posted by Rorie (2853 posts) -

@lunnington: That doesn't happen for me on my Android device. Running 4.4.2. Even without the certs in the GB site fixed.

So if you're seeing it you have another problem. Maybe you are using an old Android? Or you removed certs from your trusted list?

That's actually happening for me as well on a fully up-to-date Nexus 5 (4.4.2), so I'm pretty sure there's something on our end. Showed it to pibb; hopefully he can fix it.

Staff
#19 Posted by coaxmetal (1603 posts) -

Yeah, I get this on Chrome for my Nexus 7. Works fine on my iPhone and on all desktop browsers, so it seems to be limited to that. I'll have to check the version when I get home.

#20 Edited by bluesun (232 posts) -
#21 Edited by mrpibb (469 posts) -

@leebmx: the problem is your computer if it's XP SP2. Can you check your OS?

Staff
#22 Posted by mrpibb (469 posts) -

Also, sorry the intermediate cert is taking some time. One consequence of now having an ops team is I can no longer do the dirty work myself and need to file tickets :)

Staff
#23 Edited by Lunnington (173 posts) -

@flippyandnod: @rorie: Yeah I'm on the same exact device and version of Android. I should have included that. Nexus 5, 4.4.2. Newest version of Chrome (not Beta).

It seems like you guys are on it though so no worries.

#24 Posted by leebmx (2238 posts) -

@mrpibb: It seems to be working now. Have upgraded to SP3. Thanks for your help.