Task #2563

Request “proper” X.509 certs for https://libreoffice.$tld

Added by - Raal over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Low
Category: -
Target version: Team - Pool
Start date:
Due date:
% Done: 0%
Tags:
URL:

Description

Go to https://libreoffice.in/
=> error:
libreoffice.in uses an invalid security certificate. The certificate is only valid for the following names: ar.libreoffice.org, bg.libreoffice.org, bn.libreoffice.org, bo.libreoffice.org, brx.libreoffice.org, ca.libreoffice.org, conference.libreoffice.org, cs.libreoffice.org, cy.libreoffice.org, cz.libreoffice.org, da.libreoffice.org, de.libreoffice.org, documentation.libreoffice.org, donate.libreoffice.org, el.libreoffice.org, eo.libreoffice.org, es.libreoffice.org, et.libreoffice.org, fa.libreoffice.org, fi.libreoffice.org, fr.libreoffice.org, ga.libreoffice.org, gd.libreoffice.org, gl.libreoffice.org, he.libreoffice.org, hi.libreoffice.org, hr.libreoffice.org, hu.libreoffice.org, it.libreoffice.org, ja.libreoffice.org, ka.libreoffice.org, km.libreoffice.org, ko.libreoffice.org, libocon.com, libocon.net, libocon.org, libreoffice.org, lo.libreoffice.org, lt.libreoffice.org, marketing.libreoffice.org, ml.libreoffice.org, mt.libreoffice.org, my.libreoffice.org, nl.libreoffice.org, no.libreoffice.org, oc.libreoffice.org, pl.libreoffice.org, pt-br.libreoffice.org, pt.libreoffice.org, py.libreoffice.org, qa.libreoffice.org, ro.libreoffice.org, ru.libreoffice.org, si.libreoffice.org, sid.libreoffice.org, sk.libreoffice.org, sl.libreoffice.org, sr.libreoffice.org, sv.libreoffice.org, ta.libreoffice.org, th.libreoffice.org, tr.libreoffice.org, uk.libreoffice.org, us.libreoffice.org, vec.libreoffice.org, vi.libreoffice.org, website.libreoffice.org, www.libocon.com, www.libocon.net, www.libocon.org, www.libreoffice.org, zh-cn.libreoffice.org, zh-tw.libreoffice.org, zh.libreoffice.org Error code: SSL_ERROR_BAD_CERT_DOMAIN

#1

Updated by Guilhem Moulin over 3 years ago

  • Assignee set to Guilhem Moulin

Is there any link to https://libreoffice.in/ anywhere? I thought libreoffice.$tld domains were just a convenience and there are 301 (permanent) redirections in place from http://libreoffice.$tld to https://$tld.libreoffice.org or https://libreoffice.org. So I guess nothing should link to https://libreoffice.in/ ; when someone enters libreoffice.in in a browser the proper redirection takes place.

#2

Updated by - Raal over 3 years ago

Hi,
https://in.libreoffice.org/ doesn't exist. https://libreoffice.in/ exists. The redirection doesn't work.

#3

Updated by Guilhem Moulin over 3 years ago

Redirection from what to what?

Guilhem Moulin wrote:

I thought libreoffice.$tld domains were just a convenience and there are 301 (permanent) redirections in place from http://libreoffice.$tld to https://$tld.libreoffice.org or https://libreoffice.org.

$ curl -w '%{http_code} -> %{redirect_url}\n' -so/dev/null http://libreoffice.in
301 -> https://www.libreoffice.org/

The main question is, is it a regression? Does https://libreoffice.in appear anywhere? There are quite a few other libreoffice.$tld for which there is no valid X.509 cert (and never was AFAIK), because these domains are just a convenience: when the user types libreoffice.$tld in the browser URL bar they're permanently redirected to the right site. Fair enough, requesting a new cert is cheap, but why should we also redirect https://libreoffice.$tld (or other scheme and/or subdomains)?

#4

Updated by - Raal over 3 years ago

Hi Guilhem,
I don't know if it's a regression or not, or if a link to the .in site exists anywhere. It's just a bad user experience. Steps:

- write https://libreoffice.in/
- you get an error, nothing is redirected

curl -w '%{http_code} -> %{redirect_url}\n' -so/dev/null https://libreoffice.in
000 ->

Probably the redirect exists only for http:// but not for https://

#5

Updated by Guilhem Moulin over 3 years ago

  • Subject changed from https://libreoffice.in/ SSL_ERROR_BAD_CERT_DOMAIN to Request “proper” X.509 certs for https://libreoffice.$tld
  • Priority changed from Normal to Low

- Raal wrote:

Probably the redirect exists only for http:// but not for https://

Yes I know, adding redirects for https:// means that we need to issue X.509 for all the “dummy” TLDs. It's cheap, but since if there is no regression I'm demoting the priority to low. AFAIK it's always been like this, apart from a few TLDs for which someone explicitly requested a cert with a similar bug report, and I guess in practice people don't enter scheme:// in their browser bar, just the hostname and path.

We should probably request certs for all TLDs at some point, instead of doing it one by one by user request. Thus changing the title, too.

#6

Updated by Florian Effenberger over 3 years ago

Let's Encrypt now supports wildcard certificates - that might be the way
to go?

#7

Updated by Guilhem Moulin over 3 years ago

Florian Effenberger wrote:

Let's Encrypt now supports wildcard certificates - that might be the way
to go?

Wouldn't help here, as “libreoffice.*” isn't a valid request (only the leftmost label can be a ‘*’). Generally I don't think wildcard certs are helpful for us because most services have a fixed and short list of virtual hostnames (with the exception of vm168, where wildcard certs can be useful for *.libreoffice.org, but even there new NL sites don't pop up every day).
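The leftmost-label rule from comment #7, and the name mismatch behind SSL_ERROR_BAD_CERT_DOMAIN, as an added example that is not part of the original thread or of the project's tooling. The function names are hypothetical, `SAMPLE_SANS` is a constructed subset of the names listed in the description, and the matcher is a simplified form of RFC 6125 matching that accepts only whole-label wildcards and ignores IDNs.

```python
"""Simplified certificate name matching (whole-label wildcards only)."""

# Constructed sample: a few of the SAN entries quoted in the task description.
SAMPLE_SANS = [
    "libreoffice.org", "www.libreoffice.org", "de.libreoffice.org",
    "libocon.org", "www.libocon.org",
]


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def valid_pattern(pattern):
    """A certificate name may carry '*' only as the complete leftmost label."""
    labels = _labels(pattern)
    if any(not label for label in labels):
        return False                      # empty label, e.g. "a..b"
    if any("*" in label for label in labels[1:]):
        return False                      # e.g. "libreoffice.*"
    if "*" in labels[0]:
        return labels[0] == "*"           # no partial wildcards in this example
    return True


def matches(pattern, hostname):
    """True if hostname is covered by one certificate name."""
    if not valid_pattern(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                      # '*' stands for exactly one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_covers(hostname, sans):
    """True if any SAN entry covers hostname."""
    return any(matches(san, hostname) for san in sans)


def uncovered(hostnames, sans):
    """Hostnames for which a client would report a name mismatch."""
    return [host for host in hostnames if not cert_covers(host, sans)]


if __name__ == "__main__":
    print(uncovered(["libreoffice.in", "libreoffice.org"], SAMPLE_SANS))
    print(valid_pattern("libreoffice.*"), valid_pattern("*.libreoffice.org"))
```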

#8

Updated by Florian Effenberger over 3 years ago

Wouldn't help here, as “libreoffice.*” isn't a valid request

Stupid me, you're right of course... ;-)

#9

Updated by Guilhem Moulin over 3 years ago

Guilhem Moulin wrote:

and I guess in practice people don't enter scheme:// in their browser bar, just the hostname and path.

To clarify, what I meant here is that looking at the logs, people don't enter https://libreoffice.$tld in their browser bar (and I guess not http://libreoffice.$tld either, though there is no way to check as browsers automatically prepend http:// when someone enters a bare hostname). People do enter https://$nl.libreoffice.org and https://libreoffice.org though, and there are also links with these scheme & hostname. So while not having a working redirection from https://libreoffice.org to https://www.libreoffice.org would be a regression, IMHO from https://libreoffice.$tld it's not.

#10

Updated by Florian Effenberger over 3 years ago

  • Target version set to Pool

What Guilhem says sounds sensible indeed to me. Raal, is there a use case to adjust the certificates in the way you proposed? Otherwise I'd not spend time on this... ;-)

#11

Updated by - Raal over 3 years ago

Florian Effenberger wrote:

What Guilhem says sounds sensible indeed to me. Raal, is there a use case to adjust the certificates in the way you proposed? Otherwise I'd not spend time on this... ;-)

Hi Florian, I have no problem with closing this task. When I type the URL and I get the error, I can repair the URL by myself.

#12

Updated by Florian Effenberger over 3 years ago

  • Status changed from New to Closed

Thanks!
