If you are on Chrome, follow @huntaub's suggestion and remove the expired certificate from keychain and restart.
We've been notifying customers of the expiration and have Technical Support in the office 24 hours to help the sites who need help updating the certificate.
We're also reaching out to the sites we see having issues online.
edit: For some reason, deleting the expired DigiCert certificate from Keychain (and restarting Chrome) allowed it to find a valid chain to the GitHub certificate. I would recommend doing this if you want to get to GitHub without turning off SSL.
edit2: (Or they just fixed it and I restarted Chrome.) Can anyone confirm that it works now (without deleting the Intermediate Cert)?
It's not live yet, but if you're interested you can sign up for the launch mail here:
For three weeks I was showing a great big THIS CONNECTION IS UNTRUSTED screen to Firefox users and didn't know it.
Typically servers will present their certificate and intermediates but not the root, under the assumption that browsers must already have the root in their CA store. So for DigiCert that would probably be all the certs up to but not including "DigiCert High Assurance EV Root CA".
You can see the presented cert chain using `openssl s_client -showcerts ...` or the Certification Paths section of the Qualys SSL Labs Test: https://www.ssllabs.com/ssltest/analyze.html?d=github.com
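An added example, not part of any comment in this thread: a Python sketch that reads the "Certificate chain" summary printed by `openssl s_client -showcerts` and reports ordering problems, a self-signed root sent by the server, and expired certificates. It assumes the OpenSSL 3.x layout with `v:` validity lines; the sample chain, its names and its dates are constructed, and `parse_chain` and `audit_chain` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample (names and dates are made up) in the layout OpenSSL 3.x
# prints under "Certificate chain"; older releases omit the v: validity line.
SAMPLE = """\
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example EV Intermediate CA
   v:NotBefore: Jan  1 00:00:00 2014 GMT; NotAfter: Jan  1 00:00:00 2016 GMT
 1 s:CN = Example EV Intermediate CA
   i:CN = Example EV Root CA
   v:NotBefore: Jan  1 00:00:00 2008 GMT; NotAfter: Jan  1 00:00:00 2022 GMT
 2 s:CN = Example EV Root CA
   i:CN = Example Cross-Signing Root
   v:NotBefore: Jul  1 00:00:00 2006 GMT; NotAfter: Jul  1 00:00:00 2014 GMT
"""

def parse_chain(text):
    """Return one dict per presented certificate, in the order the server sent them."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(\d+) s:(.*)", line)
        if head:
            certs.append({"depth": int(head.group(1)), "subject": head.group(2).strip(),
                          "issuer": None, "not_after": None})
        elif certs and line.startswith("i:"):
            certs[-1]["issuer"] = line[2:].strip()
        elif certs and line.startswith("v:"):
            end = re.search(r"NotAfter: (.+?) GMT", line)
            if end:
                certs[-1]["not_after"] = datetime.strptime(
                    end.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return certs

def audit_chain(certs, now):
    """List chain problems a client could trip over, as human-readable strings."""
    findings = []
    for cert, nxt in zip(certs, certs[1:]):
        if cert["issuer"] != nxt["subject"]:
            findings.append(f"depth {cert['depth']}: next certificate is not its issuer")
    for cert in certs:
        if cert["subject"] == cert["issuer"]:
            findings.append(f"depth {cert['depth']}: self-signed root sent by server")
        if cert["not_after"] and cert["not_after"] <= now:
            findings.append(f"depth {cert['depth']}: expired {cert['not_after']:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in audit_chain(parse_chain(SAMPLE), datetime.now(timezone.utc)):
        print(finding)
```

This only inspects what the server sends; certificates a client adds from its own store, such as a login keychain, do not appear in this output.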
Do you see an expired "DigiCert High Assurance EV Root CA" certificate in your login keychain? If so, delete it. If not, something weirder may be going on.
My understanding from DigiCert is the cross-signing with Entrust had been done a while back to improve mobile browser compatibility. Perhaps this is some strange combination of developer tools installed and the platform they are developing for...
The most obvious answer would be that it's being installed by some widely-used piece of software, but I don't know what.
Pity the "Date Modified" column is empty, and I don't think there's really a log of what added things to the keychain.
We've worked around the issue for now by not using EV certificates, which isn't a great solution.
I really, really don't feel comfortable downloading a ROOT CERTIFICATE with an SSL warning on the page. Who knows what could be compromised in this case?
I'm going to try a couple other things first; I'd like to hear from a security expert, should we find this scary or just a small hiccup?
"DigiCert High Assurance EV Root CA" (Try test link before downloading). Add to KeyChain, restart browser.
The idea is that the service will monitor things like domains and ssl expiry dates and then alert you in an increasingly obnoxious manner as the expiration date gets closer.
My MVP just needs a few more finishing touches and then I'll send it live. In the meantime, you can sign up on the waiting list.
Cheers.
https://twitter.com/aarongraves/status/493116549599739905
Pretty sure this is on DigiCert's side, but we (at GitHub) are investigating to make sure of that.
"Something is currently interfering with your secure connection to www.heroku.com.
Try to reload this page in a few minutes or after switching to a new network."
Maxims-MacBook-Air:walk maximveksler$ git up
Fetching origin
fatal: unable to access 'https://github.com/maximveksler/walk.git/': SSL certificate problem: Invalid certificate chain
error: Could not fetch origin
`git fetch` failed

The issue is with a weird Mac OS X chain issue that causes a chain to be downloaded to the login keystore in Keychain. Mac forces it to be used when validating the certificate chain. Most users have removed the cert and everything is working as it should.
Tracking down how and why that happens on Mac OS X is tough. Reaching Apple engineers has not been extremely successful. Not Apple's fault. Usually SSL Root Chain groups are distributed with organizations so it's not always clear who to go to.