ERR_CERT_AUTHORITY_INVALID #290

Closed
VladimirHumeniuk opened this issue Oct 1, 2019 · 10 comments

@VladimirHumeniuk

CDN does not work from Leeds UK.

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

@jimaek
Member

jimaek commented Oct 1, 2019

Can you please run the below commands and give me the output?

ping cdn.jsdelivr.net
dig cdn.jsdelivr.net
dig jsdelivr.net NS

@VladimirHumeniuk
Author

@jimaek

PING cdn.jsdelivr.net (146.112.252.221): 56 data bytes
64 bytes from 146.112.252.221: icmp_seq=0 ttl=49 time=48.675 ms
64 bytes from 146.112.252.221: icmp_seq=1 ttl=49 time=52.641 ms
64 bytes from 146.112.252.221: icmp_seq=2 ttl=49 time=48.490 ms
64 bytes from 146.112.252.221: icmp_seq=3 ttl=49 time=50.028 ms
64 bytes from 146.112.252.221: icmp_seq=4 ttl=49 time=50.530 ms
64 bytes from 146.112.252.221: icmp_seq=5 ttl=49 time=48.738 ms
64 bytes from 146.112.252.221: icmp_seq=6 ttl=49 time=49.823 ms
64 bytes from 146.112.252.221: icmp_seq=7 ttl=49 time=49.496 ms
64 bytes from 146.112.252.221: icmp_seq=8 ttl=49 time=49.379 ms
64 bytes from 146.112.252.221: icmp_seq=9 ttl=49 time=48.614 ms
64 bytes from 146.112.252.221: icmp_seq=10 ttl=49 time=48.587 ms
64 bytes from 146.112.252.221: icmp_seq=11 ttl=49 time=51.283 ms
64 bytes from 146.112.252.221: icmp_seq=12 ttl=49 time=50.947 ms
64 bytes from 146.112.252.221: icmp_seq=13 ttl=49 time=54.363 ms
64 bytes from 146.112.252.221: icmp_seq=14 ttl=49 time=48.563 ms
64 bytes from 146.112.252.221: icmp_seq=15 ttl=49 time=49.057 ms
64 bytes from 146.112.252.221: icmp_seq=16 ttl=49 time=49.987 ms
64 bytes from 146.112.252.221: icmp_seq=17 ttl=49 time=55.160 ms
64 bytes from 146.112.252.221: icmp_seq=18 ttl=49 time=51.831 ms
64 bytes from 146.112.252.221: icmp_seq=19 ttl=49 time=48.582 ms
64 bytes from 146.112.252.221: icmp_seq=20 ttl=49 time=49.062 ms
64 bytes from 146.112.252.221: icmp_seq=21 ttl=49 time=48.933 ms
64 bytes from 146.112.252.221: icmp_seq=22 ttl=49 time=54.249 ms
64 bytes from 146.112.252.221: icmp_seq=23 ttl=49 time=49.969 ms
64 bytes from 146.112.252.221: icmp_seq=24 ttl=49 time=50.091 ms
^C
--- cdn.jsdelivr.net ping statistics ---
25 packets transmitted, 25 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.490/50.283/55.160/1.919 ms

; <<>> DiG 9.10.6 <<>> cdn.jsdelivr.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6183
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cdn.jsdelivr.net.              IN      A

;; ANSWER SECTION:
cdn.jsdelivr.net.       4       IN      A       146.112.252.232
cdn.jsdelivr.net.       4       IN      A       146.112.252.198
cdn.jsdelivr.net.       4       IN      A       146.112.56.219
cdn.jsdelivr.net.       4       IN      A       146.112.56.156
cdn.jsdelivr.net.       4       IN      A       146.112.56.225
cdn.jsdelivr.net.       4       IN      A       146.112.56.170
cdn.jsdelivr.net.       4       IN      A       146.112.252.193
cdn.jsdelivr.net.       4       IN      A       146.112.252.221

;; Query time: 104 msec
;; SERVER: 10.120.193.238#53(10.120.193.238)
;; WHEN: Tue Oct 01 16:56:56 CEST 2019
;; MSG SIZE  rcvd: 173


; <<>> DiG 9.10.6 <<>> jsdelivr.net NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54673
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jsdelivr.net.                  IN      NS

;; ANSWER SECTION:
jsdelivr.net.           3600    IN      NS      dns31.cloudns.net.
jsdelivr.net.           3600    IN      NS      dns32.cloudns.net.
jsdelivr.net.           3600    IN      NS      dns33.cloudns.net.
jsdelivr.net.           3600    IN      NS      dns34.cloudns.net.
jsdelivr.net.           3600    IN      NS      dns1.p03.nsone.net.
jsdelivr.net.           3600    IN      NS      dns2.p03.nsone.net.
jsdelivr.net.           3600    IN      NS      dns3.p03.nsone.net.
jsdelivr.net.           3600    IN      NS      dns4.p03.nsone.net.

;; Query time: 86 msec
;; SERVER: 10.120.193.238#53(10.120.193.238)
;; WHEN: Tue Oct 01 16:56:56 CEST 2019
;; MSG SIZE  rcvd: 215

@jimaek
Member

jimaek commented Oct 1, 2019

Any chance you are working with Lawrence in the same company? jsdelivr/jsdelivr#18178

He seems to have the same problem and confirmed it was his local network's issue.

@VladimirHumeniuk
Author

@jimaek no, but, probably, it's related to local network settings. Sorry for this, will close issues.

@lawrencecraft

FYI it looks like JSDelivr may have been graylisted by Cisco Umbrella. It turns out that the root certificate that was being served is Umbrella's. I'm going off the article here:

https://support.umbrella.com/hc/en-us/articles/115004564126-SSL-Decryption-in-the-Intelligent-Proxy

I think MITM'ing SSL is pretty messed up in the first place, but in a Linux VM (within our network) I installed the Cisco root cert into Chrome's cert store (using the instructions here: https://docs.umbrella.com/deployment-umbrella/docs/rebrand-cisco-certificate-import-information) and that sorted out the issue. It leaves me feeling deeply uncomfortable, though, as I'm not a fan of installing random root certs to my cert store.

@jimaek
Member

jimaek commented Oct 2, 2019

Thanks for the information. I will try to contact Cisco to get this solved once and for all.

@jimaek
Member

jimaek commented Oct 3, 2019

CISCO confirmed the issue and fixed it. Thanks for reporting this!

I just got an update from my research team. The referenced domain: cdn.jsdelivr.net has been investigated and necessary actions have been taken to remove the block on this domain. Please allow 12 hours for the change to update accordingly.

@lawrencecraft

I've tested this on my CentOS VM and it works. curl https://cdn.jsdelivr.net/npm/vue/dist/vue.js spits out the actual javascript file. Also, this is the result of digging the domain:

[lawrencecraft@ccs1 ~]$ dig cdn.jsdelivr.net

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> cdn.jsdelivr.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25788
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;cdn.jsdelivr.net.              IN      A

;; ANSWER SECTION:
cdn.jsdelivr.net.       29      IN      CNAME   jsdelivr.a7e454.flexbalancer.net.
jsdelivr.a7e454.flexbalancer.net. 8 IN  CNAME   dualstack.f3.shared.global.fastly.net.
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.2.109
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.66.109
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.130.109
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.194.109

;; Query time: 31 msec
;; SERVER: 10.49.2.132#53(10.49.2.132)
;; WHEN: Fri Oct 04 10:33:41 BST 2019
;; MSG SIZE  rcvd: 200 

I assume this is all correct...

@jimaek
Member

jimaek commented Oct 4, 2019

Yep, looks good!

@VladimirHumeniuk
Author

Working for me, thanks!
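
The two dig outputs in this thread differ in shape: the failing one returns bare A records for cdn.jsdelivr.net, while the working one follows a CNAME chain to a fastly.net host. The following is an added example, not part of the original thread or the jsDelivr project, that parses dig ANSWER lines and checks them against that baseline; the function names and `EXPECTED_SUFFIXES` are assumptions chosen for illustration, and the sample lines are abridged from the outputs above.

```python
# Added example: flag DNS answers whose shape differs from a known-good baseline.
# EXPECTED_SUFFIXES is an assumption taken from the working dig output in this thread.
EXPECTED_SUFFIXES = (".fastly.net.",)

# Answer lines abridged from the two dig outputs posted in this thread.
INTERCEPTED = """\
cdn.jsdelivr.net.       4       IN      A       146.112.252.232
cdn.jsdelivr.net.       4       IN      A       146.112.56.219
"""
DIRECT = """\
cdn.jsdelivr.net.       29      IN      CNAME   jsdelivr.a7e454.flexbalancer.net.
jsdelivr.a7e454.flexbalancer.net. 8 IN  CNAME   dualstack.f3.shared.global.fastly.net.
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.2.109
dualstack.f3.shared.global.fastly.net. 30 IN A  151.101.66.109
"""

def parse_answers(text):
    """Return (cnames, addrs): owner -> target, and owner -> list of IPv4 strings."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        # dig answer line: owner TTL class type rdata; skip comments and other lines
        if line.startswith(";") or len(fields) != 5 or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype == "CNAME":
            cnames[owner.lower()] = rdata.lower()
        elif rtype == "A":
            addrs.setdefault(owner.lower(), []).append(rdata)
    return cnames, addrs

def resolve_chain(name, text, max_hops=8):
    """Follow CNAMEs from name; return (chain of names, terminal A records)."""
    cnames, addrs = parse_answers(text)
    chain = [name.lower()]
    # max_hops bounds the walk so a CNAME loop in the input cannot hang it
    while chain[-1] in cnames and len(chain) <= max_hops:
        chain.append(cnames[chain[-1]])
    return chain, addrs.get(chain[-1], [])

def matches_baseline(name, text):
    """True if the answer ends at a host under one of the expected suffixes."""
    chain, ips = resolve_chain(name, text)
    return bool(ips) and chain[-1].endswith(EXPECTED_SUFFIXES)
```

A mismatch only shows that the resolver answered differently from the baseline; the issuer of the certificate actually served is what confirms interception, as in the thread.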
