Secruity issue with downloading modules - blocked

magwr · December 13, 2021, 12:22am

Hi,
When ntrying to download a module today i get the following:

Your connection is not private

Attackers might be trying to steal your information from obj.vassalengine.org (for example, passwords, messages, or credit cards).

NET::ERR_CERT_DATE_INVALID

Help me understand

obj.vassalengine.org normally uses encryption to protect your information. When Opera tried to connect to obj.vassalengine.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be obj.vassalengine.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Opera stopped the connection before any data was exchanged.

You cannot visit obj.vassalengine.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

I am unable to download any modules at all now I can’t even make an exception for the webpage as it wont allow me to as it’s a high secruity risk!.
I was able to download modules all okay yesterday 12th.

Can this issue be resolved so i can download modules?

I have tried this on opera, Firefox, and google chrome all with the same result?

Nigel

uckelman · December 13, 2021, 12:25am

Thank you for pointing this out promptly. The SSL certificate for our data storage bucket is the one certificate we have that doesn’t automatically get installed when it renews, and it just expired. I’m taking care of installing the renewed certificate now.

Update: Try now. You might need to hard-refresh whatever page you were trying to reload, but it should now be served with a certificate good until the end of February.

uckelman · December 13, 2021, 11:06am

3 posts were merged into an existing topic: Issue with Combat Commander

kenleesmith · December 16, 2021, 2:28am

I have the same issue today. I did a “hard refresh” I think (according to google).

It lets me download vassal 362, but none of the modules.

Any help appreciated.

thanks
Ken

uckelman · December 16, 2021, 11:33am

It’s working fine for me when I try it presently. What URL are you having a problem with specifically? What is the error message?

kenleesmith · December 16, 2021, 12:04pm

It’s the same message as the one above (attached)

I tried several modules, none of which worked. Though it did let me download the vassal app.

The specific module I was looking for is this one
https://vassalengine.org/wiki/Module:World_At_War_85:_Storming_the_Gap

I gather from another thread that it’s a comcast/xfinity issue. So I’m off to try to figure out how to fix that.

uckelman · December 16, 2021, 12:27pm

The app and the modules are stored in different places. The app is at GitHub, while the modules are in an S3 bucket with our hosting provider. A problem with one won’t be predictive of a problem with the other.

I suspect that’s not the issue you’re having, as the error type is different (ERR_CERT_DATE_INVALID vs. ERR_SSL_PROTOCOL_ERROR). We renewed the certificate when it expired on Monday—the error your getting makes me think you’re browser is seeing the old, expired certificate from a cache somewhere.

Do you have a way of seeing the certificate your browser is getting?

kenleesmith · December 16, 2021, 1:01pm

I think so. But when I look at all the certificates, there’s nothing vassal-related by name. Is that what I’m looking for?

I’m on a Mac by the way. I’ve tried Chrome and Safari

uckelman · December 16, 2021, 1:06pm

Can you show me what you’re seeing?

kenleesmith · December 16, 2021, 1:11pm

I just now got it to download with Firefox (which I never use). Does that explain anything?

uckelman · December 16, 2021, 1:13pm

It makes me think Chrome has the expired certificate cached. But I would like to confirm that by seeing the certificate Chrome has. Please show me that.

kenleesmith · December 16, 2021, 1:21pm

sorry, but do you know where I would find that exactly?

Safari didn’t work either (same-ish message)

JoelCFC25 · December 16, 2021, 1:27pm

In your URL bar directly to the left of the URL text.

kenleesmith · December 16, 2021, 1:31pm

here they are from the overall module list; the specific module, and the module download (where there is not lock; and where the problem is)

kenleesmith · December 16, 2021, 1:32pm

kenleesmith · December 16, 2021, 1:33pm

JoelCFC25 · December 16, 2021, 1:43pm

You have to click again where it says “Certificate is valid” to bring up the detailed certificate information. That’s what he needs to see.

uckelman · December 16, 2021, 1:49pm

Except that the “Certificate is valid” one won’t help—that one is fine. It’s the invalid one I need to see.

JoelCFC25 · December 16, 2021, 1:51pm

True–I’m unable to reproduce the “connection is not private” error. I can successfully download that exact module in Chrome on MacOS. Chrome build reports as:

Chrome is up to date
Version 96.0.4664.110 (Official Build) (arm64)

kenleesmith · December 16, 2021, 1:51pm

sorry for the duplicate, but the forum won’t let a new user post more then 3 replies.