Linux – SSL https (http secure) sites won’t display is client or server side

arch linuxfirefoxsecurity-warningssl

Oddly, python.org has suddenly become unreachable for me through the Archlinux repo version of Firefox (v27 and v28.0 update):

Secure Connection Failed

An error occurred during a connection to www.python.org. The OCSP
response is not yet valid (contains a date in the future).

(Error code: sec_error_ocsp_future_response)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this
broken site.

I've read Mozilla site recommends:

Clear cache (or reload not from cache) (ok)
Check your computer's time settings (ok)
Check about:config settings:
- security.OCSP.enabled = 1 (ok)
- security.enable_ssl & security.enable_tls
  (I think this last one is outdated, because my version reads security.[some protocol].enable)
Check proxy settings (don't have one)
If you're having trouble with one site, use this checker (passed)

With 65 settings in about:config with the term 'security', I don't even know where to begin turning things on and off. Like what is security.OSCP.GET.enabled=false setting? Sounds like it should be on, but its off. Although I don't have any trouble with logging into my bank's web site.

All points point to python.org having the trouble, but can I be sure? And why the heck is python.org a secure site anyway?

Best Answer

Before anyone blindly turns off that warning by disabling OCSP, double-check that it's really not a client issue. Turning off warning messages is something you only do if you have a VERY GOOD reason and you know what you're doing - or if you are the White House, where "the alarm system had been switched off due to complaints from staff that it was too noisy". However, if you take this issue seriously, you don't do that.

It might simply be that the system clock is slow, because the error message says "contains a date in the future". And it is much more likely that your computer's date/time is incorrect rather than that of the server (that could affect hundreds of clients).

Open a terminal and check your time:

$ date

Restart your NTP service to correct it:

$ sudo systemctl restart ntpd && echo OK

If you don't have the NTP service installed ("not-found" error), install it:

$ sudo pacman -S ntp

Also, make sure it's enabled

$ sudo systemctl is-enabled ntpd || sudo systemctl enable ntpd

With NTP installed and enabled, restart it, give it a couple of seconds to fetch the time and then check the time:

$ sudo systemctl restart ntpd && sleep 30 && date

Then try accessing the website again.

Depending on what desktop environment you use, you may be able to use graphical tools instead of those commands.

And for those who have "fixed" this issue by disabling every security feature until it worked: Please re-enable whatever you have disabled. If you've disabled OCSP, enable it again. Those features are there for a reason.

Related Solutions

Firefox – “sec_error_ocsp_server_error” when trying to open a HTTPS page

Issue #1: sec_error_ocsp_server_error can occur for other reasons than OCSP server internal error.

From Bugzilla bug 495380:

SEC_ERROR_OCSP_SERVER_ERROR is used 5 times in ocsp.c for everything from an internal OCSP server error to failing create the request session and any number of different problems writing the request to the remote server.`

Issue #2: I believe that Firefox is caching this error but should not do so, so I created Bugzilla bug report 1014979.

Workarounds (from a post that I wrote at another forum):

Method #1: Restart Firefox.

Method #2: Go to Options->Advanced->Certificates-> Validation. Set checkbox "When an OCSP server connection fails, treat the certificate as invalid" to the opposite of what it is now, and then press OK button twice. That is sufficient to clear the OCSP cache. However, since you probably want the original setting that you just changed, go to Options->Advanced->Certificates-> Validation and set checkbox "When an OCSP server connection fails, treat the certificate as invalid" back to the value that was there before you read this post, then press OK button twice.

Ubuntu – How to troubleshoot “Secure Connection Failed” in Firefox appearing since the version 38

How to troubleshoot “Secure Connection Failed” in Firefox appearing since the version 38?

Use openssl s_client. Its a swiss army knife for things like this. And use openssl x509 to dump certificates.

You are usually interested in the {Issuer, Subject} pairs in the chain like this:

Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Notice how the issuer at the server becomes the subject for the next higher certificate. Gutmann provides the following diagram to describe it in his book Engineering Security:

enter image description here

At the top, the CA root is self signed, and the issue and the subject are the same. If there was a level 3, it would be:

 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

But you usually don't see it in a chain because you must trust it. And part of the requirements for the trust anchor is you already have it to ensure its not tampered with.

Using Subject and Issuer names is utilizing what is called Distinguished Names. The other way to form a chain is with KEYIDs. You will sometimes see it via Subject Key Identifier (SKI) and Authority Key Identifier (AKI). The key identifiers are just thumbprints of a digested public key.

You can find reading on Distinguished Names in standards like RFC 4514; and using KEYIDs in standards like RFC 4518, which concerns itself with path building.

It appears the problem is with the browser (but see below). It looks like it is missing the Class 3 Public Primary Certification Authority with thumbprint a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b.

When I visit Symantec Root Certifcates and download Class 3 Public Primary Certification Authority, I can build a path for validation (notice the Verify return code: 0 (ok) below).

You should download and install Class 3 Public Primary Certification Authority in your browser's trusted root store. Or determine why its not being used by the browser to build the path (see next).

Mozilla and Firefox talk about Class 3 Public Primary Certification Authority in a blog post: Phasing out Certificates with 1024-bit RSA Keys. According to the post, they have deprecated that CA certificate since Firefox 32. I don't really fault them since these keys are used long term for CA signing operations, and they need "stronger" parameters because they have to live 10 to 30 years (literally).

Checkpoint needs to get a new server certificate issued under a certificate (chain) with contemporary parameters, like a CA with a 4096-bit RSA moduli and SHA-256. Or a Subordinate CA with a 2048-bit RSA moduli and SHA-256...

(Also see what did not work for me below).

Here's an example of validating the server certificate with Class 3 Public Primary Certification Authority using OpenSSL's s_client:

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -CAfile Class-3-Public-Primary-Certification-Authority.pem 
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = San Carlos, O = Check Point Software Technologies Inc., OU = MIS-US, CN = usercenter.checkpoint.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 141BB5DD85FA61CC85E5C8368DED9EB9C7C6427D7F655F8DD778EEB003F9EBE7
    Session-ID-ctx: 
    Master-Key: 84261799D242992FE44D48F39F1A10CFCE5BE60E1A900CC3E6BFFD368DAB68A439287C81DC9510871963EF8E3366FFE3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432323605
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Earlier I said "At the top, the CA root is self signed, and the issue and the subject are the same". Here's a dump of that self signed CA root, where the Subject and Issuer are the same. It also shows the 1024-bit moduli and sha1WithRSAEncryption.

$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -inform PEM -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  2 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
                    71:64:4c:65:2e:81:68:45:a7
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:
         19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:
         03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:
         0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:
         1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:
         48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:
         38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:
         88:90

Earlier I said "Checkpoint needs to get a new server certificate issued under a certificate (chain) with contemporary parameters, like a CA with a 4096-bit RSA moduli and SHA-256. Or a Subordinate CA with a 2048-bit RSA moduli and SHA-256...".

Here's what did not work for me: rooting or anchoring trust in the stronger Subordinate CA VeriSign Class 3 Public Primary Certification Authority - G5, and not the weaker 1024-bit Root CA.

EDIT: this is due to a bug in OpenSSL 1.0.2a and below. It was fixed in OpenSSL 1.0.2b. See Expected behavior for verification when a subordinate in a chain is promoted to a self signed root?

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -CAfile VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem 
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 736B3105DB22F2AB0F5D42C8161A8A132BF1E7C37464BB2F0D00058B867332EB
    Session-ID-ctx: 
    Master-Key: BDD5D4951E3FD01C3C456D475EAE6D0D5CE53FBF75B4F6F3D4D186A27B566D75056057D5395F35AE3BA8D20A669212C2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1432324811
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

The practical problem is Symantec re-issuing a certificate with the same name and same public key, so the Distinguished Name, Subject Key Identifier and Authority Key Identifier did not change; but only changing the Serial Number.

I was able to spot it below due to the different serial numbers between the certificate sent in the chain versus the one downloaded from the Symantec site. Then it became apparent the re-issued certificate was changed from a Subordinate CA to a Root CA.

You can use -showcerts with OpenSSL's s_client to see the certs in the chain:

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
    -servername usercenter.checkpoint.com -showcerts
CONNECTED(00000003)
...
---
Certificate chain
 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
...

What I normally do next is copy a PEM encoded certificate in the chain to a clipboard, and then use pbpaste to paste in into a terminal and pipe it to OpenSSL's x509. For example, here is Level 2's VeriSign Class 3 Public Primary Certification Authority - G5 sent as part of the chain:

$ pbpaste | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
    ...

Best Answer

Related Solutions

Firefox – “sec_error_ocsp_server_error” when trying to open a HTTPS page

Ubuntu – How to troubleshoot “Secure Connection Failed” in Firefox appearing since the version 38

Related Question