The website SSL certificate is broken, since yesterday, 9/28/2017

0 votes
asked Sep 29, 2017 in Bug by anonymous

https://www.sslshopper.com/ssl-checker.html#hostname=www.plantuml.com

The day before yesterday the renderer at https://www.plantuml.com/plantuml/uml/... worked perfectly inside a gitbook pdf creation procedure. Yesterday it said it cannot verify the certificate. I can still use the non-SSL version, but that is not ideal :-/

We've set up our own server for our needs, but in my npm package gitbook-plugin-uml-online this is the "fallback" address for testing purposes.

I know this is not the place to talk about this but I could not find any other means of contacting you on this website.

Regards, Damijan

1 Answer

0 votes
answered Sep 29, 2017 by plantuml (295,760 points)

This is the right place. However, this is weird. Nothing has changed those days. The link https://www.sslshopper.com/ssl-checker.html#hostname=www.plantuml.com

says:

www.plantuml.com resolves to 52.42.203.68
 
The certificate was issued by GeoTrust.
 
The certificate will expire in 1048 days.
 
The hostname (www.plantuml.com) is correctly listed in the certificate.
 
The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error.
You can fix this by following GeoTrust's Certificate Installation Instructions for your server platform (use these instructions for RapidSSL).
Pay attention to the parts about Intermediate certificates.
Common name: plantuml.com
SANs: plantuml.com, www.plantuml.com
Valid from May 13, 2017 to August 12, 2020
Serial Number: 0878320c3b90e1a0a7e8066a860387a8
Signature Algorithm: sha256WithRSAEncryption
Issuer: RapidSSL SHA256 CA
 
So it looks fine to us. Could you check again? Thanks!
 
 
commented Nov 7, 2018 by Denis Nelubin
GitHub doesn't allow embedding images from https://www.plantuml.com/plantuml/img/.

Curl says:
```
$ curl https://www.plantuml.com/plantuml/png/SyfFKj2rKt3CoKnELR1Io4ZDoSa70000 -o /dev/null
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
commented Nov 19, 2018 by anonymous
Chrome does not trust PlantUML's certificate anymore: ERR_CERT_SYMANTEC_LEGACY
see https://knowledge.digicert.com/alerts/ALERT2566.html
commented Nov 19, 2018 by plantuml (295,760 points)
Thanks for the pointer. It looks possible for us to regenerate an SSL certificate that Chrome will accept.
We've just updated the SSL certificate, so it should be ok.
Tell us if it's not working for you.
Thanks again
commented Feb 16, 2019 by Denis Nelubin
Now the certificate is issued by C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018

Chrome trusts it.
However, curl (v.7.58.0 on Ubuntu Bionic) does not. And GitHub also doesn't trust it.

```
$ curl https://www.plantuml.com/plantuml/png/SyfFKj2rKt3CoKnELR1Io4ZDoSa70000 -v
*   Trying 52.42.203.68...
* TCP_NODELAY set
* Connected to www.plantuml.com (52.42.203.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

$ curl https://www.plantuml.com/plantuml/png/SyfFKj2rKt3CoKnELR1Io4ZDoSa70000 -v --insecure
*   Trying 52.42.203.68...
* TCP_NODELAY set
* Connected to www.plantuml.com (52.42.203.68) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=plantuml.com
*  start date: Nov 19 00:00:00 2018 GMT
*  expire date: Aug 12 12:00:00 2020 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /plantuml/png/SyfFKj2rKt3CoKnELR1Io4ZDoSa70000 HTTP/1.1
> Host: www.plantuml.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: image/png
< Expires: Thu, 21 Feb 2019 06:02:39 GMT
< Date: Sat, 16 Feb 2019 06:02:39 GMT
< Last-Modified: Sat, 09 Feb 2019 15:32:00 GMT
< Cache-Control: public, max-age=432000
< ETag: "6f0ukyV6cC-2U2JqdaYHCSN7000"
< X-PlantUML-Diagram-Description: (2 participants)
< X-Powered-By: PlantUML Version 1.2019.01
< X-Patreon: Support us on http://plantuml.com/patreon
< X-Donate: http://plantuml.com/paypal
< X-Quote: You forgot to say please...
< X-PlantUML-Measure: 1/309/318
< X-PlantUML-Diagram-Width: 120
< X-PlantUML-Diagram-Height: 126
< Content-Length: 2190
< Server: PlantUML/0.6
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 2190)
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
```
commented Feb 17, 2019 by plantuml (295,760 points)
Ok, we've added some Intermediate CA certificate, and now it seems to work better
(according to https://www.sslshopper.com/ssl-checker.html#hostname=www.plantuml.com )
Tell us if you still have some issues!
Thanks
commented Feb 18, 2019 by Denis Nelubin
Now it works! Both from curl and from GitHub wiki (embedding PlantUML diagrams to wiki pages using https url).
Thanks!
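
The failure discussed in this thread ("unable to get local issuer certificate", verify error 20, resolved once the server also sent its intermediate CA certificate) can be reproduced offline. The script below is an added example, not part of the original thread or of PlantUML's setup; it builds a throwaway root, intermediate and leaf with `openssl` (all names are constructed) and validates the leaf against a trust store that contains only the root, first without and then with the intermediate supplied.

```shell
# Added example; every name (Demo Root, Demo Intermediate, demo.example) is constructed.
# issue <dir> <name> <subject> <extfile> [<issuer>]: create a key and certificate.
# With no <issuer> the certificate is self-signed (the root).
issue() {
  local d="$1" name="$2" subj="$3" ext="$4" issuer="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
      -extfile "$ext" -days 2 -out "$d/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
      -CAkey "$d/$issuer.key" -CAcreateserial \
      -extfile "$ext" -days 2 -out "$d/$name.pem" 2>/dev/null
  fi
}

# build_pki <dir>: root -> intermediate -> leaf, the same shape as a commercial chain.
build_pki() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:demo.example\n' > "$d/leaf.ext"
  issue "$d" root "/CN=Demo Root" "$d/ca.ext"
  issue "$d" int "/CN=Demo Intermediate" "$d/ca.ext" root
  issue "$d" leaf "/CN=demo.example" "$d/leaf.ext" int
}

# verify_leaf <dir> [<sent.pem>]: validate the leaf the way a TLS client does.
# The trust store holds the root only; the optional file stands for the extra
# certificates the server includes in its TLS Certificate message.
verify_leaf() {
  local d="$1" sent="${2:-}"
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$sent" "$d/leaf.pem" 2>&1 || true
  else
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1 || true
  fi
}

demo() {
  local d; d=$(mktemp -d)
  build_pki "$d"
  echo "server sends leaf only:"; verify_leaf "$d"
  echo "server sends leaf + intermediate:"; verify_leaf "$d" "$d/int.pem"
  rm -rf "$d"
}
demo
```

Browsers often succeed against a leaf-only server because they cache or fetch intermediates, while curl and other library clients build the path only from what the server sends plus the local trust store. Against a live host, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually presents.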
...