Workers preview has broken TLS stack

Uh oh…

Error communicating with origin server www.telcodata.us

Details

TLS peer's certificate is not trusted; reason = certificate has expired

I recently tried changing a circa 2020 worker with preview tool, first code revision in a year. The CFW on CF, live, connects to my origin fine, the CFW in preview (Google Cloud infrastructure), says certificate expired on origin (above). But all my browsers say the site is TLS safe, and CFW on CF has no error. Did a root certificate expire in the CFW preview tool? :thinking:

C:\Users\Administrator\Desktop>openssl x509 -in t.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:b1:6a:69:1a:cc:b4:b7:f7:a6:85:e8:0e:b6:14:01:b2:83
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let’s Encrypt, CN = R3
Validity
Not Before: Sep 27 03:07:44 2021 GMT
Not After : Dec 26 03:07:43 2021 GMT
Subject: CN = telcodata.us
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9c:31:e8:57:fa:f3:51:f9:f1:ba:10:51:b7:64:
a3:3d:4b:27:99:21:18:bc:cd:56:29:09:d1:03:5b:
98:87:57:ec:71:04:25:d2:fb:c2:08:3b:63:59:00:
ad:f2:7d:f8:26:28:92:d2:fc:63:8f:5c:cd:d6:c2:
a8:ff:38:56:76:47:d8:da:9e:df:23:6d:d4:14:b7:
5e:9d:01:5d:c3:69:e0:08:b7:7b:0d:76:9c:15:72:
e4:89:75:8b:9c:31:43:ef:60:72:3c:06:08:e7:4c:
74:ec:cb:b5:31:04:ac:71:dd:84:96:d0:3a:1a:c8:
68:78:d2:23:3e:d7:e6:dd:4b:07:b8:6a:4b:25:bf:
7d:3b:0c:22:53:d2:13:e6:2e:41:86:18:a2:b4:ef:
a1:c7:8b:8e:0c:19:2d:1a:52:c7:3e:f9:7b:fd:8c:
c6:bc:7b:85:c9:e0:a1:4f:58:22:9e:49:56:a0:2e:
a6:85:1f:2f:52:29:2a:58:96:34:74:a4:dd:dd:b9:
e4:7e:4d:9f:4e:17:e2:24:10:8c:66:79:eb:7a:21:
5f:da:63:22:ea:90:22:3f:83:3c:fa:29:78:c6:df:
0e:ea:20:36:21:4c:bf:78:6a:45:a9:c0:62:6c:40:
f3:5e:ff:22:ee:5a:ac:82:e6:8e:5d:ef:ab:ad:2a:
32:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
9C:05:8A:96:02:02:12:28:06:97:76:57:8D:60:B4:35:F8:2D:09:C3
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C
6

        Authority Information Access:
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/

        X509v3 Subject Alternative Name:
            DNS:telcodata.us, DNS:www.telcodata.us, DNS:zorak.telcodata.us
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

        CT Precertificate SCTs:
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:

                            D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
                Timestamp : Sep 27 04:07:44.395 2021 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:44:02:20:10:CE:CC:D7:06:1E:0F:B9:EC:BF:73:E9:

                            EE:1D:4F:D4:AD:6C:41:EF:0E:0A:7C:FE:6E:3A:50:5B:

                            8F:80:1D:00:02:20:27:BB:4E:33:33:7F:A5:23:F3:8E:

                            CA:CB:E5:33:25:6C:EF:AA:CD:8E:4E:99:22:5D:12:F9:

                            F7:EC:5C:11:68:35
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:

                            79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
                Timestamp : Sep 27 04:07:44.460 2021 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:44:02:20:27:00:B1:95:E3:77:C8:77:B2:BB:3C:F1:

                            92:E3:0E:F4:2C:C7:54:51:7B:61:7B:13:49:30:28:8F:

                            5F:04:50:2B:02:20:46:0A:F3:6E:F0:E5:FB:48:F0:59:

                            D8:C2:56:97:D2:B5:59:42:59:48:40:C6:BA:F7:E5:1B:

                            DD:C3:59:36:DF:6F
Signature Algorithm: sha256WithRSAEncryption
     46:2f:26:89:35:1a:a7:be:0c:29:e7:ff:cc:f0:4d:6a:30:c4:
     e8:74:64:19:ed:bf:91:2f:ec:ec:ab:0f:92:68:1c:b7:69:e4:
     99:75:f1:10:64:60:6d:30:80:13:2c:42:0c:34:8e:bb:be:27:
     f0:d6:ec:20:6d:45:ab:e9:4c:73:32:4a:47:64:b9:2a:63:38:
     9d:d6:26:9c:cc:2f:59:2e:dd:26:77:4e:2b:e0:fe:79:5e:09:
     ea:d3:7f:27:93:b7:60:32:80:b8:8d:4e:c6:bd:4a:76:ec:36:
     85:72:bb:9b:36:ca:26:d9:51:54:35:7f:aa:22:43:d2:98:2f:
     77:60:95:c9:c8:f7:5b:cf:42:84:58:d1:bd:ea:d7:7d:1b:ae:
     20:80:f2:bc:5b:65:6b:76:ff:20:c9:e5:17:32:03:9e:8e:62:
     fc:d7:24:7d:bf:dd:a0:8b:f9:84:82:f1:4d:b2:e1:c8:ef:c0:
     bc:c8:94:fe:da:76:2e:9b:3e:53:43:18:27:fb:8a:73:40:6c:
     68:88:50:dd:2c:45:51:0d:54:c1:c6:a7:98:3a:86:a8:88:86:
     6b:4f:41:71:6f:60:c7:8f:50:02:c6:97:60:b8:17:b2:25:7f:
     fb:3a:71:7f:3b:91:13:5d:9e:15:8f:c8:bb:a6:47:f2:de:57:
     35:24:3c:b3

Hey, I have confirmed and sent to the team. Thanks for the report!

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.