Checkhost.unboundtest.com doesn't support incomplete chains

@lestaff

It seems the checkhost service can’t check domains with incomplete certificate chains. See e.g.:

Evidently it just returns “unknown: x509: certificate signed by unknown authority”.

Is it feasible/possible/worth it to preload it with the X3 intermediate or enable AIA fetching or something?

For numbers, IIRC there’s one other post where someone ran into this.

3 Likes

As the “incomplete chain” is another problem that must be resolved, maybe just updating the error message is enough?

4 Likes

Thanks for the reports. I’ll take a look and see if I can make a suitable change to the service.

4 Likes

Only the binary exists on the servers, as far as `find / -type f -name '*.go'` can tell. @jsha when you are in for the day, would you mind taking a look please?

3 Likes

I’ve taken a stab at fixing this, and the immediately obvious fix doesn’t appear to be working. I’m going to attend to some other tasks and come back to this in a bit. Thanks so much for reporting!

4 Likes

Okay, I’ve deployed a fix. Please test it out and let me know if it works / doesn’t work!

4 Likes

I figured this was worth fixing because many people’s sites may “mostly work” for a lot of users despite a missing intermediate, due to intermediate caching and AIA fetching. Since our goal is to let people know if their visitors will suddenly start seeing errors they didn’t see before, I think handling this case is useful.

4 Likes
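The behaviour discussed in this thread (a server that omits its intermediate, a checker that reports `x509: certificate signed by unknown authority`, and a browser that "mostly works" because it follows the AIA CA Issuers URL) is shown below as an added example in Go, which is the language whose `crypto/x509` produces that error text. This is not code from the original thread or from the checkhost/unboundtest service. The root, intermediate and leaf certificates, the AIA URL and the `Fetcher` callback are all constructed for the example; a real checker would replace the callback with an HTTP fetch of the URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AIAURL is a constructed CA Issuers URL placed in the leaf's AIA extension.
const AIAURL = "http://aia.example.test/intermediate.der"

// Fetcher maps an AIA CA Issuers URL to a DER certificate. It is injected so
// the example runs offline; a real checker would do an HTTP GET here.
type Fetcher func(url string) ([]byte, error)

// ChainResult is what a checker could report instead of a bare error.
type ChainResult struct {
	ServedChainComplete bool  // leaf verified using only the served intermediates
	CompletableViaAIA   bool  // leaf verified after fetching issuers via AIA
	Err                 error // verification error of the served chain, if any
}

// CheckChain verifies leaf against roots with the intermediates the server sent.
// Only if that fails with an unknown-authority error does it follow AIA URLs,
// the way an AIA-fetching client would, to see whether the chain is completable.
func CheckChain(leaf *x509.Certificate, served []*x509.Certificate, roots *x509.CertPool, fetch Fetcher) ChainResult {
	inter := x509.NewCertPool()
	for _, c := range served {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter}
	_, err := leaf.Verify(opts)
	if err == nil {
		return ChainResult{ServedChainComplete: true, CompletableViaAIA: true}
	}
	var uae x509.UnknownAuthorityError
	if !errors.As(err, &uae) {
		return ChainResult{Err: err} // expired, name mismatch, etc.: AIA will not help
	}
	// Served chain is incomplete: walk AIA CA Issuers URLs, bounded to avoid loops.
	queue := append([]string(nil), leaf.IssuingCertificateURL...)
	seen := map[string]bool{}
	for len(queue) > 0 && len(seen) < 8 {
		u := queue[0]
		queue = queue[1:]
		if seen[u] {
			continue
		}
		seen[u] = true
		der, ferr := fetch(u)
		if ferr != nil {
			continue
		}
		c, perr := x509.ParseCertificate(der) // DER only; real AIA responses may also be PEM or PKCS#7
		if perr != nil {
			continue
		}
		inter.AddCert(c)
		queue = append(queue, c.IssuingCertificateURL...)
		if _, verr := leaf.Verify(opts); verr == nil {
			return ChainResult{CompletableViaAIA: true, Err: err}
		}
	}
	return ChainResult{Err: err}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildTestPKI constructs a root, an intermediate and a leaf whose AIA
// extension points at AIAURL. Names and keys are made up for the example.
func BuildTestPKI() (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Root")
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter = issue(ca(2, "Example Intermediate"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{AIAURL},
	}
	leaf = issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := BuildTestPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fetch := func(u string) ([]byte, error) {
		if u == AIAURL {
			return inter.Raw, nil
		}
		return nil, fmt.Errorf("no AIA response for %s", u)
	}
	offline := func(string) ([]byte, error) { return nil, errors.New("offline") }
	fmt.Printf("full chain served: %+v\n", CheckChain(leaf, []*x509.Certificate{inter}, roots, fetch))
	fmt.Printf("leaf only, AIA ok: %+v\n", CheckChain(leaf, nil, roots, fetch))
	fmt.Printf("leaf only, no AIA: %+v\n", CheckChain(leaf, nil, roots, offline))
}
```

The split between `ServedChainComplete` and `CompletableViaAIA` is the point: a checker that keys on the unknown-authority error alone can only say "broken", whereas distinguishing "incomplete but completable via AIA" lets it tell an operator that the site works for clients with a cached or fetched intermediate and will fail for the rest.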

The site in the OP works now, but I can’t think of any other misconfigured sites right now! :grimacing: badssl.com uses another CA, and the only other site I could remember got fixed!

1 Like

I’m optimistically marking this as “solved”, but I hope someone knows another site to check…

1 Like

I’ve also checked it against my personal site, which I temporarily set up with a broken chain. So I think we can consider it solved. Thanks!

4 Likes

Thank you for taking care of it!

2 Likes