Skip to content
GitLab
Closed
Issue created by Patrick L Archibald (PLA)@pla💬

`Bad Certificate` error messages when talking with mastodon.org.uk - Their cert is from COMODO

Having trouble communicating with mastodon.org.uk. I see the following errors when trying to fetch user @pla@mastodon.org.uk from pla.social using the Pleroma FE. Their cert is from COMODO RSA Domain Validation Secure Server CA. Is COMODO not an approved certificate authority for Pleroma?

Aug 22 20:18:47 pla-social mix[25452]: 20:18:47.766 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10] Aug 22 20:18:47 pla-social mix[25452]: 20:18:47.986 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10] Aug 22 20:18:48 pla-social mix[25452]: 20:18:48.209 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10] Aug 22 20:18:48 pla-social mix[25452]: 20:18:48.527 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10] Aug 22 20:18:48 pla-social mix[25452]: 20:18:48.746 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10] Aug 22 20:18:48 pla-social mix[25452]: 20:18:48.963 [info] ['TLS', 32, 'client', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'certify', 32, 'at ssl_handshake.erl:1316 generated CLIENT ALERT: Fatal - Bad Certificate', 10]

Curl output looks OK from pla.social.

pla-social:~$ curl -v https://mastodon.org.uk

  • Rebuilt URL to: https://mastodon.org.uk/
  • Trying 89.41.169.53...
  • TCP_NODELAY set
  • Connected to mastodon.org.uk (89.41.169.53) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: OU=Domain Control Validated; OU=PositiveSSL; CN=mastodon.org.uk
  • start date: Jun 8 00:00:00 2018 GMT
  • expire date: Jun 8 23:59:59 2019 GMT
  • subjectAltName: host "mastodon.org.uk" matched cert's "mastodon.org.uk"
  • issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
  • SSL certificate verify ok.

GET / HTTP/1.1 Host: mastodon.org.uk User-Agent: curl/7.58.0 Accept: /

< HTTP/1.1 302 Found < Date: Thu, 23 Aug 2018 00:35:51 GMT < Content-Type: text/html; charset=utf-8 < Transfer-Encoding: chunked < Server: Mastodon < X-Frame-Options: DENY < X-Content-Type-Options: nosniff < X-XSS-Protection: 1; mode=block < Location: https://mastodon.org.uk/about < Vary: Accept-Encoding < Cache-Control: no-cache < Set-Cookie: _mastodon_session=%2Fi9oraOBSQ5ljzdzEqZbkB3SEKwonLAhMtBXII4w2m7xoQr%2Fq%2BkNnif4%2BMzx6oPAfZz4ibZdK8KIRU4T4PRV8SeFNH5elg%3D%3D--gFK4IbxECRaT%2Fwrh--AXRuxWfNjmDSJL6Q67ceNQ%3D%3D; path=/; secure; HttpOnly < X-Request-Id: c68e68c1-fd41-44b9-bde2-31a297d51df4 < X-Runtime: 0.006176 < X-Cached: MISS <

  • Connection #0 to host mastodon.org.uk left intact