R3 certificate warnings on Kubuntu 20.04 blocking access to the desktop

wadesmart · September 28, 2021, 3:28pm

Sept 24 when I logged in my computer I have 2 warnings about KDE SSL certificate R3 with a nasa.gov address expiring Nov 11 do I want to use this for this session only for both certificates. Today the warning is coming up every ten minutes or so and is blocking access to the desktop.

Im running Kubuntu 20.04.
My browser is Version 1.29.81 Chromium: 93.0.4577.82 and Im on Firefox 92.

I do not know enough about certificates to know if this is from a website, from KDE, or what.

petercooperjr · September 28, 2021, 4:28pm

Well, people here are likely to know enough about certificates, but not likely to know about what you have running on your system, so I don't know if anyone here will be able to help you. Am I understanding correctly that you don't recognize and are unaffiliated with that nasa.gov address you're seeing? Can you post the complete screenshot and/or hostname that it's trying to connect to? Is it possible that it's related to some software you've installed that gets data from NASA? Other than the fact that (some) NASA sites use Let's Encrypt to get certificates for their system, there's not really an affiliation here with them that I'm aware of.

Osiris · September 28, 2021, 5:56pm

How is that related to Let's Encrypt? NASA.gov does not have a Let's Encrypt certificate.

rg305 · September 28, 2021, 6:27pm

It seems that NASA.gov is not sending the chain.
[but this has nothing to do with this site]
See:
SSL Server Test: nasa.gov (Powered by Qualys SSL Labs)

And the topic label mentions R3 cert, but you've failed to show anything related to an LE cert.

wadesmart · September 28, 2021, 7:12pm

So, my computer Kubuntu 20.04 setup last monday.
I have installed Brave and Firefox but nothing else.
If it is an app - or something else - how would I know?

Here is a cropped screen shot. Each is of the specific tab:

petercooperjr · September 28, 2021, 7:32pm

Well, it does look like ~~asd.gsfc.nasa.gov~~ antwrp.gsfc.nasa.gov is sending the R3-signed-by-DST-Root-CA-X3 intermediate (which expires really soon), rather than the R3-signed-by-ISRG-Root-X1 intermediate. (Meaning that their site is set up wrong and not getting its intermediates from its ACME client.) And it wouldn't shock me if the efforts to remove DST Root CA X3 from trust stores meant that your system doesn't trust that site anymore (until they fix their intermediate).

But I certainly can't tell you why something on your computer is trying to connect to that site. Maybe something trying to get some of NASA's pictures? When I try visiting that site I get redirected to NASA's Astronomy Picture of the Day site.

Osiris · September 28, 2021, 7:37pm

~~But antwrp.gsfc.nasa.gov does! (You were looking at the wrong address in the screenshots )~~Waaait a minute, I thought you said it wasn't sending the incorrect cert.. I think all the gsfc.nasa.gov sites are sending the wrong one.. Probably all the same server perhaps?

@wadesmart antwrp.gsfc.nasa.gov is misconfigured and uses an intermediate chain which has been discontinued since May this year. The system operator of antwrp.gsfc.nasa.gov is at fault here and should use the ACME protocol correctly. Due to the fact they didn't, clients are getting errors.

petercooperjr · September 28, 2021, 7:43pm

I think I was copying the wrong name when composing my message, but I think I checked the right one when looking at the chain.

petercooperjr · September 28, 2021, 7:55pm

@nelsonph and/or @Nunio:
I'm guessing you're probably not the people to ask, but as you've asked for help here with securing names for nasa.gov I thought it couldn't hurt to ping you as you might know who to notify:

It looks like the server(s) hosting a bunch of nasa.gov names (including antwrp.gsfc.nasa.gov, apod.nasa.gov, and a bunch more) has the intermediate certificate hardcoded to the old expiring R3 instead of getting the intermediate through its ACME client.
Do you have any educated guesses as why this person's computer is trying to connect to one of these systems without the user knowing why?

rg305 · September 28, 2021, 8:30pm

They might of signed up for / installed some alerting system ?
[. . . We've found life on mars! . . .]

petercooperjr · September 28, 2021, 8:32pm

I find it more likely to be something trying to get the NASA picture of the day (for wallpaper or the like), along with whomever implementing it never considering that their might be a certificate issue loading the data and how such an error would appear without the user knowing what it was for.

But we can blame Martians if you want.

wadesmart · September 28, 2021, 9:13pm

Is that a rotating desktop wall paper?

I do not have that (set up or use it here) but I have seen the
option some place.

So - as this is locking my desktop every few minutes - a) can this (cert) be removed or b) this is some service that is running by default that I need to turn off.

wadesmart · September 28, 2021, 9:14pm

Never mind. It is a desktop Picture of the Day service. Though it is not check to be running. I will see about uninstalling it.

wadesmart · September 28, 2021, 9:30pm

OK.. that is what it was. No further lockouts of the desktop.
Thanks for the help. Much appreciated

schoen · September 29, 2021, 6:30am

I found contact addresses for the editors of the APOD site and sent them an e-mail describing the problem and encouraging them to update the certificates on the web servers. (I fear that they'll start to get a bit of e-mail from other users about this tomorrow, too.)

system · October 29, 2021, 6:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.