Second Life SSL rejects Sectigo Public Root CA certificates
needs info
Dancing Lemon
Sectigo have migrated their certificate issuance to Public Root CA's. Since that change, calls to in-world HTTPS services from sites using a new certificate are rejected with a 499 error.
Log In
Maestro Linden
marked this post as
needs info
Maestro Linden
Hi Dancing Lemon, can you point to a URL that uses the new certificates from Sectigo? In a Second Life Server 2025-09-16.17777995432 region, I ran a basic llHTTPRequest test script against the URL you supplied, and it's able to connect to https://sectigo.com without issue:
key http_request_id;
string url = " https://www.sectigo.com/sectigo-public-root-cas-migration";
default
{
touch_start(integer detected)
{
llOwnerSay("Sending request to " + url);
http_request_id = llHTTPRequest(url, [], "");
llResetTime();
}
http_response(key request_id, integer status, list metadata, string body)
{
if(request_id == http_request_id )
{
llOwnerSay("Got http response after " + (string)llGetTime() + "s. Data from " + url + " status: "
+ (string)status + " metadata: '" + llList2CSV(metadata) + "'\nbody:");
// print the body 1000 bytes at a time to avoid chat truncation
integer i;
for(i = 0 ; i < llStringLength(body); i += 1000)
{
llOwnerSay(llGetSubString(body, i, i + 999));
}
}
else
{
llOwnerSay("Strange, got unknown http_response id " + (string)request_id);
}
}
}
For reference, here's what
curl
on my local machine reports about the cert on that site when I make the same request to that URL:* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: C=GB; ST=Manchester; O=Sectigo Limited; CN=sectigo.com
* start date: Oct 9 00:00:00 2025 GMT
* expire date: Jan 7 23:59:59 2026 GMT
* subjectAltName: host "www.sectigo.com" matched cert's "www.sectigo.com"
* issuer: C=GB; O=Sectigo Limited; CN=Sectigo Public Server Authentication CA OV R36
* SSL certificate verify ok.
Maestro Linden
It also occurred to me that you might be talking about the built-in browser on the viewer. I'm able to load the same sectigo URL within my Second Life Release 7.2.2.18475198968 (64bit) viewer.