Validation of certificates digital signature/hash

Hi, is there a way to confirm the digital signature of a letsencrypt.org certificate? I was told that this has to be done with the CA that issued the website cert. I checked the FAQs and also browsed the site for such a feature but could not locate one.

Thanks.


The short answer is: sure.

The longer answer is: what exactly do you want to validate and why?


A site that I visit called www.dailyplaylist.com comes up in Bitdefender AV as possibly having an issue. "Untrusted pages exhibit suspicious behavior or particularities we deem risky" is the message that Bitdefender shows. This happens before the page fully loads, and the site usually loads the digital cert to ensure encrypted transport between client and server. So, I was wanting to know if I could verify the SHA fingerprint with the CA if possible.

Organization that issued the certificate is said to be LetsEncrypt.

There are a few things here.

  1. The core issue with that website is the certificate name does not match the certificate served from it.
  2. There may be additional issues with that domain tracked by Bitdefender. Many browsers and firewalls track and block domains with suspicious activity.
  3. Confirming the certificate's validity will not address any of the issues above.

The only thing validation will accomplish is certifying that LetsEncrypt issued the certificate.

This can be done with the openssl verify command on most unix-like systems. There are also programs and scripts that can handle this.

Some background on the command: Verify a certificate chain using openssl verify - Stack Overflow

The website will be serving 1-2 things: the certificate will definitely be in the payload, but there will also be one or more "intermediates" in a "chain" leading up to the "root" on your computer.

The chain of trust goes like this:

  • Your browser or operating system has "root" certificates in its trust store.
  • The certificate served by the website is signed by an intermediate certificate.
  • The intermediate certificate is signed by either another intermediate or the root certificate.

With the "verify" command, you simply validate the website certificate was signed by the intermediate, and the intermediate was signed by the root. If there are multiple intermediates, you verify each level upwards, until you hit the root.

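The verification described in the reply above, as an added example that is not part of the original thread: it builds a throwaway root, intermediate and server certificate with openssl (names and files are made up for the demo; assumes openssl 1.1.1 or newer on PATH, nothing is fetched from the network), then runs `openssl verify` three ways: with the intermediate, without it, and with the hostname check a browser also performs, so the name-mismatch case the thread discusses is visible alongside the signature check.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> leaf with openssl,
# then verify the chain the way the reply describes. All names are demo values.
set -e

WORK=$(mktemp -d)

# Minimal openssl config with one extension section per level of the chain.
write_config() {
  cat > "$WORK/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dailyplaylist.com
EOF
}

# Root (stands in for a root in your trust store), an intermediate signed by it,
# and a server certificate for the bare domain only, signed by the intermediate.
build_chain() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/chain.cnf" -extensions v3_root -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/chain.cnf" \
    -subj "/CN=Demo Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/chain.cnf" -extensions v3_int \
    -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/chain.cnf" \
    -subj "/CN=dailyplaylist.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/chain.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Leaf signed by intermediate, intermediate signed by root: exit status is the verdict.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}

# Same check without handing over the intermediate: the chain cannot reach the root.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Chain check plus the hostname check a browser performs on top of it.
verify_for_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem"
}

# SHA-256 fingerprint of the served certificate, the value one compares by hand.
leaf_fingerprint() {
  openssl x509 -in "$WORK/leaf.pem" -noout -fingerprint -sha256
}

build_chain
verify_chain
if ! verify_without_intermediate; then
  echo "without the intermediate the chain does not reach the root (expected)"
fi
verify_for_host dailyplaylist.com
if ! verify_for_host www.dailyplaylist.com; then
  echo "name mismatch: certificate is for dailyplaylist.com, not www (expected)"
fi
leaf_fingerprint

# Against a live site you would first capture what the server actually sends:
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null
# save each PEM block to its own file, and run the same "openssl verify" with
# -CAfile (or -CApath) pointing at your system trust store.
```

The `-untrusted` file is the point of the exercise: an intermediate is only a link in the chain, not something you trust on its own, and leaving it out reproduces the "unable to get local issuer certificate" failure that people usually hit when a server forgets to send its intermediates.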

Also, here is a link to a Qualys (third party) inspection of the site you mentioned:

https://www.ssllabs.com/ssltest/analyze.html?d=www.dailyplaylist.com&latest

There are two IPs configured to serve that domain in DNS. Both have the same problems.

There is a certificate name mismatch - they are running the certificate for dailyplaylist.com, not www.dailyplaylist.com. That certificate is also issued by GoDaddy, not LetsEncrypt.

The site dailyplaylist.com does work, but is being served by a generic "for sale" landing page.

This site probably went out of business, or did not pay a bill and was taken offline by their host.


Thank you. I'll check with Bitdefender to see why the site is being labeled as suspicious. :+1:


Thanks. Slight typo: one is dailyplaylist.com (without an s at the end) and the other is dailyplaylists.com, which is the LetsEncrypt CA Organization. I'll send them an email to see if they can update dailyplaylists.com. They can get with Bitdefender support to see what they can do to resolve it. Thanks :grinning:


I don't see any issue on that domain.

You can contact Bitdefender here: https://www.bitdefender.com/consumer/support/answer/29358/

This third-party system says Bitdefender reports it as clean (with and without the www):


Might have found the issue: the CNAME entry for www.dailyplaylists.com points to 54.161.234.33, which is not replying. I sent an email to dailyplaylists.com support so they can check the entry and get with Bitdefender to further resolve it. Thanks for taking the time to reply, it was quick and very appreciated :+1: :grinning:


There may also be the issues of mixed content:

  • HTTP content embedded within an HTTPS page
  • HTTPS content [from some other site] embedded within an HTTPS page