Sept 24 when I logged in my computer I have 2 warnings about KDE SSL certificate R3 with a nasa.gov address expiring Nov 11 do I want to use this for this session only for both certificates. Today the warning is coming up every ten minutes or so and is blocking access to the desktop.
Well, people here are likely to know enough about certificates, but not likely to know about what you have running on your system, so I don't know if anyone here will be able to help you. Am I understanding correctly that you don't recognize and are unaffiliated with that nasa.gov address you're seeing? Can you post the complete screenshot and/or hostname that it's trying to connect to? Is it possible that it's related to some software you've installed that gets data from NASA? Other than the fact that (some) NASA sites use Let's Encrypt to get certificates for their system, there's not really an affiliation here with them that I'm aware of.
So, my computer Kubuntu 20.04 setup last monday.
I have installed Brave and Firefox but nothing else.
If it is an app - or something else - how would I know?
Here is a cropped screen shot. Each is of the specific tab:
Well, it does look like asd.gsfc.nasa.govantwrp.gsfc.nasa.gov is sending the R3-signed-by-DST-Root-CA-X3 intermediate (which expires really soon), rather than the R3-signed-by-ISRG-Root-X1 intermediate. (Meaning that their site is set up wrong and not getting its intermediates from its ACME client.) And it wouldn't shock me if the efforts to remove DST Root CA X3 from trust stores meant that your system doesn't trust that site anymore (until they fix their intermediate).
But I certainly can't tell you why something on your computer is trying to connect to that site. Maybe something trying to get some of NASA's pictures? When I try visiting that site I get redirected to NASA's Astronomy Picture of the Day site.
But antwrp.gsfc.nasa.gov does! (You were looking at the wrong address in the screenshots )Waaait a minute, I thought you said it wasn't sending the incorrect cert.. I think all the gsfc.nasa.gov sites are sending the wrong one.. Probably all the same server perhaps?
@wadesmartantwrp.gsfc.nasa.gov is misconfigured and uses an intermediate chain which has been discontinued since May this year. The system operator of antwrp.gsfc.nasa.gov is at fault here and should use the ACME protocol correctly. Due to the fact they didn't, clients are getting errors.
@nelsonph and/or @Nunio:
I'm guessing you're probably not the people to ask, but as you've asked for help here with securing names for nasa.gov I thought it couldn't hurt to ping you as you might know who to notify:
It looks like the server(s) hosting a bunch of nasa.gov names (including antwrp.gsfc.nasa.gov, apod.nasa.gov, and a bunch more) has the intermediate certificate hardcoded to the old expiring R3 instead of getting the intermediate through its ACME client.
Do you have any educated guesses as why this person's computer is trying to connect to one of these systems without the user knowing why?
I find it more likely to be something trying to get the NASA picture of the day (for wallpaper or the like), along with whomever implementing it never considering that their might be a certificate issue loading the data and how such an error would appear without the user knowing what it was for.
I do not have that (set up or use it here) but I have seen the
option some place.
So - as this is locking my desktop every few minutes - a) can this (cert) be removed or b) this is some service that is running by default that I need to turn off.
I found contact addresses for the editors of the APOD site and sent them an e-mail describing the problem and encouraging them to update the certificates on the web servers. (I fear that they'll start to get a bit of e-mail from other users about this tomorrow, too.)