Page MenuHomeMiraheze

Investigate why the AAA Certificate Services root is mandatory
Closed, ResolvedPublic

Description

Outage https://meta.miraheze.org/wiki/Special:IncidentReports/31 was caused by an old, expired root certificate. However, the modern fix was relying on the UserTrust RSA Certification Authority root for our services. For some reason, that doesn't work and instead we have to rely on the AAA Certificate Services root. AAA Certificate Services is considered a legacy implementation, thus I have the feeling something is incorrectly configured when it comes to root certificates.

Event Timeline

Paladox triaged this task as Normal priority.Jun 14 2020, 19:51
Southparkfan lowered the priority of this task from Normal to Low.

Setting to priority to low, since it seems like this is expected behavior.

John claimed this task.
John subscribed.

We're now using the ca-certificates and capath approach with web configuration. Chains are now created and regularly updated by the CA themselves, rather than us manually adding and maintaining them. CAs also maintain their own trust chains.