News

Canadian government site canada.gc.ca SSL certificate expires, breaks links

If you head to https://canada.gc.ca right now, ideally it should redirect automatically to the newer canada.ca government domain.

However, on the latest versions of Firefox, Safari, and Chrome with HSTS (HTTP Strict Transport Security) enabled, the redirect would fail due to an SSL error — about half the time for reasons outlined below.

As observed by Security Report, this is because the SSL/TLS certificate used by the Canadian government’s former website canada.gc.ca has expired as of November 5th, 2020.

Image: Redirect to Canada.ca would fail due to expired SSL certificate
Source: Security Report

While the newer canada.ca domain, with a valid certificate, has been adopted by the Canadian government for providing access to public services, numerous Canadian government websites, like this one, continue to have multiple links present to the older www.canada.gc.ca and canada.gc.ca domains, which are now failing, as observed by Security Report.

The older links, under ideal circumstances, would have redirected seamlessly to canada.ca.

Although the expired SSL certificate covers multiple domains, as shown in the screenshot below, the problem seems to be uniquely impacting the canada.gc.ca and www.canada.gc.ca domains when accessed over HTTPS.

The problem may also appear to occur on and off because both canada.gc.ca and www.canada.gc.ca domains use multiple servers (DNS A records).

It is only the https://205.193.117.94/ server with an expired certificate.

Therefore, you are likely to see SSL errors a few times when your web browser resolves the canada.gc.ca domain to 205.193.117.94.

To reproduce this issue successfully, try copying-and-pasting https://www.canada.gc.ca or https://canada.gc.ca in different web browsers a few times. It may be better to use fresh incognito sessions on each try to have the issue reveal itself.

Expiring and revoked SSL certificates have become a recurring nuisance.

Earlier this month, GitHub’s layout broke due to an expired CDN SSL certificate.

Last month, Mac users with HP printers were left unable to print after HP had worked with Apple to revoke SSL certificates of select printer models, without a heads up.

Copies of the expired SSL certificate and Entrust’s CA chain certificate issued to www.canada.gc.ca are provided below:

https://www.canada.gc.ca/home.html

Peer’s Certificate has expired.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIHkzCCBnugAwIBAgIRAMr5PmGH1MDHAAAAAFDrRkowDQYJKoZIhvcNAQELBQAw
gboxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL
Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg
MjAxMiBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxLjAs
BgNVBAMTJUVudHJ1c3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBMMUswHhcN
MTgxMjE0MTgwNzQxWhcNMjAxMTA1MTgzNzQwWjBrMQswCQYDVQQGEwJDQTEPMA0G
A1UECBMGUXVlYmVjMREwDwYDVQQHEwhHYXRpbmVhdTEfMB0GA1UEChMWU2hhcmVk
IFNlcnZpY2VzIENhbmFkYTEXMBUGA1UEAxMOd3d3MS5jYW5hZGEuY2EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpKiCtNWtG/0niHbH0/VVhLTjDpN2P
HMxdJXMBrlWOAdx4IvgqGC4pho1cV/3OkFW4odl/k/2DTkyQRij5/PBPvpPp58Pq
CWsGvjFhP/nvzDFp/PUgFnYTmrY+vF+yCwE2SZzQxSc3NIGAOcIBoQAQMge9PUD9
1PeEQ5fYROh/xc8nS4eniqYihz8yVUkITSDshquaCglF4mKPpZd0DLEN4Nyo9VpM
ukpA31+rtgo3YlROPd08o82CtiLE3StqKxCHoDnpYYxUPlUEWb4GIcoEKm+iIANa
symY08boTdVBpS0zPqnZHtDbkFzc0IefBL4m8tsee+OLSLp1jhD5+d91AgMBAAGj
ggPgMIID3DB6BgNVHREEczBxgg53d3cxLmNhbmFkYS5jYYISd3d3LmJldGEuY2Fu
YWRhLmNhggl3d3cuZ2MuY2GCEHd3dy5jYW5hZGEuZ2MuY2GCCWNhbmFkYS5jYYIO
YmV0YS5jYW5hZGEuY2GCBWdjLmNhggxjYW5hZGEuZ2MuY2EwggH2BgorBgEEAdZ5
AgQCBIIB5gSCAeIB4AB3AFWB1MIWkDYBSuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MM
AAABZ64CjsUAAAQDAEgwRgIhAL279qKvMhG502fInX0eY4q6rs8eOTwg5CVlCfEr
QSzPAiEA5skJqX/D1COwmlPuAYVpwkgRjURTZRCYu0+6rYgw8osAdQCHdb/nWXz4
jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWeuAo7hAAAEAwBGMEQCIDgZYTG5
JCSyRl1GWXHDOQdmVYG7v4SWOVQZ9h2NwAcZAiBcfYR1S7YLGdqp2kUEm155BM3u
LNvz3Ux2Dk96m16+tgB1AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDd
AAABZ64CjvEAAAQDAEYwRAIgNvoGfgxIwchvua3yqj6BoHwD+Q8ptxL+4bB26Dl0
zs0CIHFUUQzsn2ROLQkxVwAgZRd/nMTWhsqqVwSPv4Lr3aj9AHcAu9nfvB+KcbWT
lCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFnrgKOpgAABAMASDBGAiEAnfcv0dVI
TbrPGgRrWw88tNl9LEYl2hwJ/Nr+U7p8ncMCIQCu3DGQG2EmvgDzEbgU3UlQjaQI
03+677uchfmSHRfScDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVz
dC5uZXQvbGV2ZWwxay5jcmwwSwYDVR0gBEQwQjA2BgpghkgBhvpsCgEFMCgwJgYI
KwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjBo
BggrBgEFBQcBAQRcMFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3Qu
bmV0MDMGCCsGAQUFBzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0L2wxay1jaGFp
bjI1Ni5jZXIwHwYDVR0jBBgwFoAUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHQYDVR0O
BBYEFG1eleXm0JidTyUxF16Y7N+C5R/JMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEL
BQADggEBACa6aJOXIogVgGcmHZZVHExZvSWKkK8lsvqXlbX3DBaRfwx6HmQYUTJh
FYcmrgvKFqlndVX7cf2MA3EVxFOIOICD/8pJ4MYw4a9xJ+PRA6fn8EGko5/I2NEG
ks7Im1Jk3sT2FkW15NfrFSGByAV/lGizR7kaTNWh/HQ3WlcfUy1riyngZey5zpWo
SMLZXADBUmLxDLQaK4LE6F/YNq2ERoFD5mrzqFlcjRJqiwgLwvTuArEFJZ2hhDPO
2nBZjOzfUn+HGyUKKGVWqt09AAH0S6j0G5jEoiQEvj44hDcHqR743t3/jfxDDCHW
slnlUuBgiwlQ1esyeQ3sIyjUVN6hNiU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw
CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl
IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg
RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD
EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x
NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG
A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l
dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt
IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ
jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK
m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT
JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt
LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F
ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/
BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah
hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE
VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd
BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe
733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw
y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS
BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC
k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv
c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1
exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u
Lcw=
-----END CERTIFICATE-----

Update: clarified the problem may reveal itself only a few times due to canada.gc.ca pointing to two servers (DNS A records), only one of which has an expired certificate.

Ax Sharma

Ax Sharma is a Security Researcher and Tech Reporter. His works and expert analyses have frequently been featured by leading media outlets including the BBC, Business Insider, Fortune, TechCrunch, TechRepublic, The Register, WIRED, among others. Ax's expertise lies in vulnerability research, malware analysis and reverse engineering, open source software and scams investigations. He's an active community member of British Association of Journalists (BAJ) and Canadian Association of Journalists (CAJ).