weather.gov invalid ssl cert

Grant Ridder shortdudey123 at gmail.com
Sat Sep 5 21:38:02 UTC 2015


If anyone works with, or knows someone who works with, weather.gov
(National Weather Service), please take a look at this.  I did a whois on
weather.gov and there is no contact info.

www.weather.gov is serving an Akamai cert
weather.gov is serving a NWS SAN cert that does not cover weather.gov
(includes www though)

username at hostname ~ $ echo quit | openssl s_client -connect weather.gov:443 | openssl x509 -text
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:a2:c1:cb:fa:c1:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Nov 13 20:54:35 2014 GMT
            Not After : Nov 17 17:33:22 2015 GMT
        Subject: OU=Domain Control Validated, CN=ucc.weather.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                URI:http://crl.godaddy.com/gdig2s1-87.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Authority Key Identifier:
                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

            X509v3 Subject Alternative Name:
                DNS:ucc.weather.gov, DNS:www.ucc.weather.gov, DNS:alerts.weather.gov, DNS:nwschat.weather.gov, DNS:vpn.weather.gov, DNS:www.weather.gov
            X509v3 Subject Key Identifier:
                01:7D:76:D9:61:68:EB:50:F7:C4:26:02:DC:94:56:62:45:0B:5B:58
    Signature Algorithm: sha256WithRSAEncryption
username at hostname ~ $ echo quit | openssl s_client -connect www.weather.gov:443 | openssl x509 -text
depth=2 /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:bf:3a:ef:2f:a2:7c:96:b8:ca:8f:b9:59:cd:33:2c:9d:50:11:38
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1
        Validity
            Not Before: Jun 19 16:52:07 2015 GMT
            Not After : Jun 19 16:52:05 2016 GMT
        Subject: C=US, ST=MA, L=Cambridge, O=Akamai Technologies Inc., CN=a248.e.akamai.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6334.1.50
                  CPS: https://secure.omniroot.com/repository

            Authority Information Access:
                OCSP - URI:http://vassg141.ocsp.omniroot.com
                CA Issuers - URI:https://cacert.a.omniroot.com/vassg141.crt
                CA Issuers - URI:https://cacert.a.omniroot.com/vassg141.der

            X509v3 Subject Alternative Name:
                DNS:a248.e.akamai.net, DNS:*.akamaihd.net, DNS:*.akamaihd-staging.net, DNS:*.akamaized.net, DNS:*.akamaized-staging.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:DD:6C:80:7C:BA:B5:32:17:A5:84:41:40:F0:D2:04:66:13:2F:A9:90

            X509v3 CRL Distribution Points:
                URI:http://vassg141.crl.omniroot.com/vassg141.crl

            X509v3 Subject Key Identifier:
                03:B6:4A:9C:80:0C:60:18:88:0A:64:CD:AE:28:62:8A:7A:6C:C0:18
    Signature Algorithm: sha1WithRSAEncryption
username at hostname ~ $
username at hostname ~ $ dig weather.gov @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> weather.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;weather.gov.           IN  A

;; ANSWER SECTION:
weather.gov.        1   IN  A   204.227.127.201

;; Query time: 1317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep  5 14:36:38 2015
;; MSG SIZE  rcvd: 45

username at hostname ~ $ dig www.weather.gov @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> www.weather.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55243
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.weather.gov.       IN  A

;; ANSWER SECTION:
www.weather.gov.    32  IN  CNAME   www.weather.gov.edgesuite.net.
www.weather.gov.edgesuite.net. 1193 IN  CNAME   a895.g.akamai.net.
a895.g.akamai.net.  19  IN  A   23.61.194.171
a895.g.akamai.net.  19  IN  A   23.61.194.208

;; Query time: 808 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep  5 14:36:45 2015
;; MSG SIZE  rcvd: 136

username at hostname ~ $


-Grant
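
Added example, not part of the original post: the hostname check a TLS client applies, run against the two Subject Alternative Name lists shown in the openssl output above. The function names and the RFC 6125-style wildcard rule (one whole left-most label only) are choices made for this example; the SAN strings are copied from the post with wrapped lines rejoined.

```python
import re

# SAN lines copied from the two `openssl x509 -text` dumps in the post
# (wrapped lines rejoined). Each key is the name that was connected to.
SAN_LINES = {
    "weather.gov": (
        "DNS:ucc.weather.gov, DNS:www.ucc.weather.gov, DNS:alerts.weather.gov, "
        "DNS:nwschat.weather.gov, DNS:vpn.weather.gov, DNS:www.weather.gov"
    ),
    "www.weather.gov": (
        "DNS:a248.e.akamai.net, DNS:*.akamaihd.net, DNS:*.akamaihd-staging.net, "
        "DNS:*.akamaized.net, DNS:*.akamaized-staging.net"
    ),
}


def parse_san(line):
    """Return the lower-cased dNSName entries from an openssl SAN line."""
    return [name.lower() for name in re.findall(r"DNS:\s*([^,\s]+)", line)]


def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.tld'
    return p == h


def covered(host, san_line):
    """True if any SAN entry on the line matches the requested host."""
    return any(name_matches(p, host) for p in parse_san(san_line))


def report():
    """For each name connected to, is it covered by the cert it was served?"""
    return {host: covered(host, line) for host, line in SAN_LINES.items()}


if __name__ == "__main__":
    for host, ok in report().items():
        state = "covered" if ok else "NOT covered"
        print(f"{host}: {state} by the served certificate")
```

OpenSSL releases before 1.1.1 do not send SNI from s_client unless -servername is given, and a CDN edge can answer such a handshake with its default certificate, so pass -servername with the host name when repeating the check.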


