i too get the amsl cert in response to an opelssl cert query with a bog standard starfield class 2 chain % openssl s_client -connect secretariat.nanog.org:443 CONNECTED(00000003) depth=0 /OU=Domain Control Validated/CN=*.amsl.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /OU=Domain Control Validated/CN=*.amsl.com verify error:num=27:certificate not trusted verify return:1 depth=0 /OU=Domain Control Validated/CN=*.amsl.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.amsl.com i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/serialNumber=10688435 i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority 2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIGRDCCBSygAwIBAgIJAInJ3xG7x0IgMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD with chrome, https://secretariat.nanog.org gets me a redirect to the insecure http://www.nanog.org/ (note lack of 's') via the tls-failing cert, see above
let's take the conversation off of nanog to spare the list.
one of the purposes of this list is for us to learn from eachother. in this case, techniques for diagnosing tls & cert issues are worth sharing. [ sadly, folk with bugs love to redirect discussion off public media ] randy