I work with the Certificate Provider DigiCert and confirm that the expired intermediate is a deprecated certificate no longer used in installs. Some sites still have it installed on their server or users might have it installed on their local machine.<p>If you are on Chrome, follow @huntaub's suggestion and remove the expired certificate from keychain and restart.<p>We've been notifying customers of the expiration and have Technical Support in the office 24 hours to help the sites who need help updating the certificate.<p>We're also reaching out to the sites we see having issues online.
For a full explanation on the legacy intermediate explanation and affected users see DigiCert's post:<p><a href="https://blog.digicert.com/expired-intermediate-certificate/" rel="nofollow">https://blog.digicert.com/expired-intermediate-certificate/</a>
I just got hit with this issue. There doesn't seem to be any information on DigiCert's site or Github's.<p>edit: For some reason, deleting the expired DigiCert certificate from Keychain (and restarting Chrome) allowed it to find a valid chain to the Github certificate. I would recommend doing this if you want to get to Github without turning off SSL.<p>edit2: (Or they just fixed it and I restarted Chrome.) Can anyone confirm that it works now (without deleting the Intermediate Cert)?
A side-project I'm working on will alert you when SSL certificates are about to expire, preventing these things from happening. It'll also show you a overview of all the expiration dates of your certificates and domains, updated automatically.<p>It's not live yet, but if you're interested you can sign up for the launch mail here:<p><a href="http://www.domainsquire.com" rel="nofollow">http://www.domainsquire.com</a>
If this is anything like the issues we've seen at Stripe, the problem is probably an obsolete cross-signed root in your <i>login</i> keychain. It's caused by a certificate with CN="DigiCert High Assurance EV Root CA" but signed by some other authority rather than being self-signed. It's not clear to us how these are getting into people's login keychains, as they're not present on a fresh install.<p>Typically servers will present their certificate and intermediates but not the root, under the assumption that browsers must already have the root in their CA store. So for DigiCert that would probably be all the certs up to but not including "DigiCert High Assurance EV Root CA".<p>You can see the presented cert chain using `openssl s_client -showcerts ...` or the Certification Paths section of the Qualys SSL Labs Test: <a href="https://www.ssllabs.com/ssltest/analyze.html?d=github.com" rel="nofollow">https://www.ssllabs.com/ssltest/analyze.html?d=github.com</a><p>Do you see an expired "DigiCert High Assurance EV Root CA" certificate in your login keychain? If so, delete it. If not, something weirder may be going on.
Looks like digicert itself screwed up - getting an invalid certificate error on digicert.com. Their twitter feed says they are in contact with GitHub, DigitalOcean, Namecheap, Stripe, Pingdom, and so on. This was a big error, and even they made the mistake on their own root domain.
I'm having this issue as well. I deleted all digicert certificates from my keychain just in case. Still couldn't get to Github. I can get to the DigiCert Root Certificates download page, but it gives me an invalid certificate warning. It looks like the same issue as Github.<p>I really, really don't feel comfortable downloading a ROOT CERTIFICATE with an SSL warning on the page. Who knows what could be compromised in this case?<p>I'm going to try a couple other things first; I'd like to hear from a security expert, should we find this scary or just a small hiccup?
Download your required certificate from here and it should work like charm<p><a href="https://www.digicert.com/digicert-root-certificates.htm" rel="nofollow">https://www.digicert.com/digicert-root-certificates.htm</a>
Hah! I'm working on a side project to solve this problem: <a href="http://www.renewalmonitor.com/" rel="nofollow">http://www.renewalmonitor.com/</a><p>The idea is that the service will monitor things like domains and ssl expiry dates and then alert you in an increasingly obnoxious manner as the expiration date gets closer.<p>My MVP has just needs a few more finishing touches and then I'll send it live. In the meantime, you can signup on the waiting list.<p>Cheers.
A fix to remove the expired cert right now:<p><a href="https://twitter.com/aarongraves/status/493116549599739905" rel="nofollow">https://twitter.com/aarongraves/status/493116549599739905</a><p>Pretty sure this is on Digicert's side, but we (at GitHub) are investigating to make sure of that.
I'm seeing the same issue on both GitHub and Heroku today as well. "Cannot connect to the real www.heroku.com<p>Something is currently interfering with your secure connection to www.heroku.com.<p>Try to reload this page in a few minutes or after switching to a new network. "
not sure why, but i had to remove all the certificates and download its from here <a href="https://www.digicert.com/digicert-root-certificates.htm" rel="nofollow">https://www.digicert.com/digicert-root-certificates.htm</a>