Battling Certificate Errors with Entrust + DISA

A colleague of mine noticed that an automated process he maintains could no longer retrieve a file from a CloudFront-hosted site that DISA maintains; essentially, he started receiving TLS-related errors. I looked into this with him, and we noticed that the SAN certificate was issued by Entrust and had been renewed 5 days earlier, exactly when the issue started. While it's possible to reach https://dl.dod.cyber.mil in a modern web browser (Safari, Chrome, Edge or Firefox), curl on Ubuntu and RHEL fails to validate the certificate.

We were able to confirm that the certificate appears to have been issued with a different chain of roots and intermediates than before, and that curl is either not aware of the new chain or does not trust it.

Even using a free tool hosted by Qualys to check the certificate reveals that the chain is broken. This may be by design.

To get around this, you can download the root and intermediate certificates for G2 and L1K and concatenate them into a single PEM file. Once you have done that, you can test with curl on Ubuntu or RHEL and should be able to access the domain securely again.
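The workaround above, as an added shell example that is not part of the original post: it assembles separately downloaded root and intermediate PEM files into one bundle, sanity-checks the result, and shows how to hand that bundle to curl and how to inspect the chain a server actually sends. File names, the host name argument and the certificate contents used in testing are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a CA bundle from
# separately downloaded root and intermediate PEM files, checks it, and
# shows how to point curl at it. File names here are assumptions.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle OUT ROOT INTERMEDIATE... -> concatenates the inputs into OUT,
# refusing any input that is not a PEM certificate, then prints the number
# of certificates in the bundle. A newline is forced between blocks so a
# file without a trailing newline cannot glue two certificates together.
build_bundle() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "not a PEM certificate: $f" >&2
            return 1
        fi
        cat "$f" >> "$out"
        if [ -n "$(tail -c1 "$out")" ]; then
            echo >> "$out"
        fi
    done
    count_certs "$out"
}

# show_chain HOST -> prints subject (s:) and issuer (i:) of every certificate
# the server presents, so you can compare it with the bundle you built.
show_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -E '^ *[0-9]+ s:| i:'
}

# fetch_with_bundle BUNDLE URL -> fetches URL trusting only BUNDLE and
# prints the HTTP status; a chain problem surfaces as a curl error instead.
fetch_with_bundle() {
    curl --fail --silent --show-error --cacert "$1" \
        -o /dev/null -w '%{http_code}\n' "$2"
}

# Example use (file names are assumptions):
#   build_bundle entrust-bundle.pem entrust-root-g2.pem entrust-l1k.pem
#   show_chain dl.dod.cyber.mil
#   fetch_with_bundle entrust-bundle.pem https://dl.dod.cyber.mil/
```

Passing the bundle with `--cacert` keeps the fix scoped to one job, which is useful for confirming the diagnosis; if the automated process should keep working without a per-command flag, the same PEM can instead be added to the system trust store (`update-ca-trust` on RHEL after placing it under `/etc/pki/ca-trust/source/anchors/`, `update-ca-certificates` on Ubuntu after placing a `.crt` copy under `/usr/local/share/ca-certificates/`).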
