SSL Problems

I don't seem to be able to log in on one of the computers (my main one sadly). I use Chrome and every time I click on login it takes me to the SSL problem page saying that it can't authenticate the certificate. I have tried on other browsers and it has the same problem.

I have tried clearing the cache, logging of my network and back on, synchronising the internet time and adding giantbomb.com to my my list of trusted sites, but nothing seems to work.

I can't remember exactly the last time I could login but it was very recently and I am wondering if it might have something to do with your server switch on Thurs.

Can you help,or is it some problem with my computer? (I can log into my email and other secure sites if this makes a difference)

Thanks guys, still love the site :)

@leebmx: Going to page @mrpibb

@leebmx: You can always try flushing your DNS.

@rorie: Thanks!

This is the message if it helps:

Cannot connect to the real auth.giantbomb.com

Something is currently interfering with your secure connection to auth.giantbomb.com.

Try to reload this page in a few minutes or after switching to a new network. If you have recently

connected to a new Wi-Fi network, finish logging in before reloading.

If you were to visit auth.giantbomb.com right now, you might share private information with an attacker. To protect your

privacy, Chrome will not load the page until it can establish a secure connection to the real auth.giantbomb.com.

Reload Less

What does this mean?

auth.giantbomb.com normally uses encryption (SSL) to protect your information. When Chrome tried to connect to

auth.giantbomb.com this time, auth.giantbomb.com returned unusual and incorrect credentials. Either an attacker is trying

to pretend to be auth.giantbomb.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still

secure because Chrome stopped the connection before any data was exchanged.

Network errors and attacks are usually temporary, so this page will probably work later. You can also try switching to

The certificate that Chrome received during this connection attempt is not formatted correctly, so Chrome cannot use it to

protect your information.

Error type: Malformed certificate

Subject: *.giantbomb.com

Issuer: DigiCert SHA2 High Assurance Server CA

Public key hashes: sha1/Ix5//S/S32QNo4AEOlGXK5cSXIk= sha256/

z+Z6sCPoH3Jdw734ILTLeEHmRuGV44G1fGDjfxvLuwc= sha1/3lKvjNsfmrn+WmfDhvr2iVh/yRs= sha256/

k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws= sha1/gzF+YoVCU9bXeDGQ7JGQVumRueM= sha256/

WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=

What is and how do I do that?

Go to chrome://net-internals/#dns then hit the "Clear Host Cache" button. Exit out of chrome and restart it and see if it doesn't work then. Might not but its something to try at least.

Digicert's SSL certificate checker says the intermediate certificate is not installed.

The server is not sending the required intermediate certificate.

This server needs to be configured to include DigiCert's intermediate certificates during SSL handshakes. You may not notice a problem when using Internet Explorer because it can follow the http link to the intermediate certificate embedded in the certificate's 'Authority Information Access' extension, but Firefox, Safari, and other browsers will likely complain until the intermediate certificates are installed and configured on the server. For instructions on how to achieve this, please check the installation guide for your platform in the SSL certificate installation section of our site. If you have any problems correcting this issue, please contact our helpful support team and we would be happy to assis

@leebmx: are you on Windows XP SP2? or Windows server 2003 SP2? If so, you'll need to update to SP3 to support the new certificates.

@mrpibb: Not sure, i'll check tomorrow and get back to you. I assume its pretty easy to find out which service pack I am on.

I think he's right.

here is the returned certificate chain.

openssl s_client -connect www.giantbomb.com:https </dev/null

---

Certifcate chain

0 s:/C=US/ST=California/L=San Francisco/O=CBS Interactive Inc./CN=*.giantbomb.com

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA

---

Now compare this to a site which is set up correctly:

---

Certificate chain

0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

i:/C=US/O=Google Inc/CN=Google Internet Authority G2

1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2

i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

---

Giantbomb (including www.giantbomb.com) is only sending the certificate for the host. Other sites send the entire chain up to the one signed by the trusted certificate.

The DigiCert SHA2 High Assurance Server CA is not a root (trusted) certificate, but is instead signed by DigiCert High Assurance EV Root CA, the first one at the link here:

https://www.digicert.com/digicert-root-certificates.htm

Indeed, GB needs to pass along every cert in the chain except for the root, and they are not doing so.

@flippyandnod: thanks I'll get that fixed. Moving to the new colo, we forgot about the intermediate SSL certs. That said, I think the error he has is actually due to Windows XP2 not support SHA 256 encryption.

SHA256 isn't an encryption. It's being used for an HMAC here. But you could be right, I didn't notice that your cert uses SHA256 for the signature. Does DigiCert recommend that now?

@flippyandnod: *smacks head* yeah I mispoke. Long day, longer weekend ;) . We ran into the same issue w/ some CV users which is why I knew to look for the malformed certificate error message.

@lordandrew: @flippyandnod: What are you both saying? That it is a problem with GB's authentication or my computer?

I'm getting this error on Chrome for Android. Here is a screenshot:

@lunnington: The problem with the truncated cert chain on the GB servers isn't fixed yet (I just checked).

I'm sure mrpibb will post here when that problem is fixed. Hopefully that'll fix your Android device. I expect it will since Android surely is up-to-date enough to support SHA256 signing.

@lunnington: That doesn't happen for me on my Android device. Running 4.4.2. Even without the certs in the GB site fixed.

So if you're seeing it you have another problem. Maybe you are using an old Android? Or you removed certs from your trusted list?

That's actually happening for me as well on a fully up-to-date Nexus 5 (4.4.2), so I'm pretty sure there's something on our end. Showed it to pibb; hopefully he can fix it.

Yeah I get this on chrome for my nexus 7. Works fine on my iphone and on all desktop browsers so seems to be limited to that. I'll have to check the version when I get home.

@rorie

@mrpibb

Sorry if this is piling on, but this checker is also very helpful in rooting out both major and minor issues (and doing sanity checks after moves like this).

https://www.ssllabs.com/ssltest/analyze.html?d=auth.giantbomb.com&hideResults=on

I only offer as Ive experienced the pain myself :(

@leebmx: the problem is your computer if it's XP SP2. Can you check your OS?

also, sorry the intermediate cert is taking some time, one consequence of now having an ops team is I can no longer do the dirty work myself and need to file tickets :)

@flippyandnod: @rorie: Yeah I'm on the same exact device and version of Android. I should have included that. Nexus 5, 4.4.2. Newest version of Chrome (not Beta).

It seems like you guys are on it though so no worries.

@mrpibb: It seems to be working now. Have up graded to SP3. Thanks for your help.