Task #2563
closed
Request “proper” X.509 certs for https://libreoffice.$tld
Description
Go to https://libreoffice.in/
=> error:
libreoffice.in uses an invalid security certificate. The certificate is only valid for the following names: ar.libreoffice.org, bg.libreoffice.org, bn.libreoffice.org, bo.libreoffice.org, brx.libreoffice.org, ca.libreoffice.org, conference.libreoffice.org, cs.libreoffice.org, cy.libreoffice.org, cz.libreoffice.org, da.libreoffice.org, de.libreoffice.org, documentation.libreoffice.org, donate.libreoffice.org, el.libreoffice.org, eo.libreoffice.org, es.libreoffice.org, et.libreoffice.org, fa.libreoffice.org, fi.libreoffice.org, fr.libreoffice.org, ga.libreoffice.org, gd.libreoffice.org, gl.libreoffice.org, he.libreoffice.org, hi.libreoffice.org, hr.libreoffice.org, hu.libreoffice.org, it.libreoffice.org, ja.libreoffice.org, ka.libreoffice.org, km.libreoffice.org, ko.libreoffice.org, libocon.com, libocon.net, libocon.org, libreoffice.org, lo.libreoffice.org, lt.libreoffice.org, marketing.libreoffice.org, ml.libreoffice.org, mt.libreoffice.org, my.libreoffice.org, nl.libreoffice.org, no.libreoffice.org, oc.libreoffice.org, pl.libreoffice.org, pt-br.libreoffice.org, pt.libreoffice.org, py.libreoffice.org, qa.libreoffice.org, ro.libreoffice.org, ru.libreoffice.org, si.libreoffice.org, sid.libreoffice.org, sk.libreoffice.org, sl.libreoffice.org, sr.libreoffice.org, sv.libreoffice.org, ta.libreoffice.org, th.libreoffice.org, tr.libreoffice.org, uk.libreoffice.org, us.libreoffice.org, vec.libreoffice.org, vi.libreoffice.org, website.libreoffice.org, www.libocon.com, www.libocon.net, www.libocon.org, www.libreoffice.org, zh-cn.libreoffice.org, zh-tw.libreoffice.org, zh.libreoffice.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Updated by Guilhem Moulin about 7 years ago
- Assignee set to Guilhem Moulin
Is there any link to https://libreoffice.in/ anywhere? I thought libreoffice.$tld domains were just a convenience and there are 301 (permanent) redirections in place from http://libreoffice.$tld to https://$tld.libreoffice.org or https://libreoffice.org. So I guess nothing should link to https://libreoffice.in/ ; when someone enters libreoffice.in in a browser the proper redirection takes place.
Updated by - Raal about 7 years ago
Hi,
https://in.libreoffice.org/ doesn't exist. https://libreoffice.in/ exists. The redirection doesn't work.
Updated by Guilhem Moulin about 7 years ago
Redirection from what to what?
Guilhem Moulin wrote:
I thought libreoffice.$tld domains were just a convenience and there are 301 (permanent) redirections in place from http://libreoffice.$tld to https://$tld.libreoffice.org or https://libreoffice.org.
$ curl -w '%{http_code} -> %{redirect_url}\n' -so/dev/null http://libreoffice.in
301 -> https://www.libreoffice.org/
The main question is, is it a regression? Does https://libreoffice.in appear anywhere? There are quite a few other libreoffice.$tld for which there is no valid X.509 cert (and never was AFAIK), because these domains are just a convenience: when the user types libreoffice.$tld in the browser URL bar they're permanently redirected to the right site. Fair enough, requesting a new cert is cheap, but why should we also redirect https://libreoffice.$tld (or other scheme and/or subdomains)?
Updated by - Raal about 7 years ago
Hi Guilhem,
I don't know if it's a regression or not, or if a link to the .in site exists anywhere. It's just a bad user experience. Steps:
- write https://libreoffice.in/
- you get an error, nothing is redirected
curl -w '%{http_code} -> %{redirect_url}\n' -so/dev/null https://libreoffice.in
000 ->
Probably the redirect exists only for http:// but not for https://
Updated by Guilhem Moulin about 7 years ago
- Subject changed from https://libreoffice.in/ SSL_ERROR_BAD_CERT_DOMAIN to Request “proper” X.509 certs for https://libreoffice.$tld
- Priority changed from Normal to Low
- Raal wrote:
Probably the redirect exists only for http:// but not for https://
Yes I know, adding redirects for https:// means that we need to issue X.509 for all the “dummy” TLDs. It's cheap, but since if there is no regression I'm demoting the priority to low. AFAIK it's always been like this, apart from a few TLDs for which someone explicitly requested a cert with a similar bug report, and I guess in practice people don't enter scheme:// in their browser bar, just the hostname and path.
We should probably request certs for all TLDs at some point, instead of doing it one by one by user request. Thus changing the title, too.
Updated by Florian Effenberger about 7 years ago
Let's Encrypt now supports wildcard certificates - that might be the way to go?
Updated by Guilhem Moulin about 7 years ago
Florian Effenberger wrote:
Let's Encrypt now supports wildcard certificates - that might be the way to go?
Wouldn't help here, as “libreoffice.*” isn't a valid request (only the leftmost label can be a ‘*’). Generally I don't think wildcard certs are helpful for us because most services have a fixed and short list of virtual hostnames (with the exception of vm168, where wildcard certs can be useful for *.libreoffice.org, but even there new NL sites don't pop up every day).
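Added example, not part of the tracker discussion or of the project's own tooling: a small Python matcher showing why the certificate from the error message does not cover libreoffice.in, and why a wildcard helps only in the leftmost label. The function names and the SAN subset are constructed for illustration; rejecting partial-label wildcards is an assumption that mirrors what public CAs issue.

```python
# Added illustration: hostname matching against certificate dNSName entries.

def valid_cert_name(name):
    """A '*' is accepted only as the whole leftmost label, followed by at
    least one more label. Public-suffix checks done by CAs are not modelled."""
    labels = name.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return False
    if any("*" in label for label in labels[1:]):
        return False                      # e.g. "libreoffice.*"
    if "*" in labels[0]:
        return labels[0] == "*" and len(labels) >= 2
    return True

def matches(hostname, pattern):
    """Match one hostname against one dNSName; '*' stands for exactly one label."""
    if not valid_cert_name(pattern):
        return False
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if any(not label for label in host) or len(host) != len(pat):
        return False                      # wildcard never spans or drops labels
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, san_names):
    """True if any dNSName in the certificate matches the hostname."""
    return any(matches(hostname, name) for name in san_names)

# Constructed subset of the names listed in the error message above.
SAN_SUBSET = ["libreoffice.org", "www.libreoffice.org",
              "de.libreoffice.org", "hi.libreoffice.org"]

def demo():
    return {
        "libreoffice.in vs. current cert": cert_covers("libreoffice.in", SAN_SUBSET),
        "de.libreoffice.org vs. current cert": cert_covers("de.libreoffice.org", SAN_SUBSET),
        "'libreoffice.*' is a valid name": valid_cert_name("libreoffice.*"),
        "fr.libreoffice.org vs. *.libreoffice.org": matches("fr.libreoffice.org", "*.libreoffice.org"),
        "libreoffice.org vs. *.libreoffice.org": matches("libreoffice.org", "*.libreoffice.org"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A wildcard for *.libreoffice.org does not cover the bare libreoffice.org either, so the apex name still has to be listed explicitly.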
Updated by Florian Effenberger about 7 years ago
Wouldn't help here, as “libreoffice.*” isn't a valid reques
Stupid me, you're right of course... ;-)
Updated by Guilhem Moulin about 7 years ago
Guilhem Moulin wrote:
and I guess in practice people don't enter scheme:// in their browser bar, just the hostname and path.
To clarify, what I meant here is that looking at the logs, people don't enter https://libreoffice.$tld in their browser bar (and I guess not http://libreoffice.$tld either, though there is no way to check as browsers automatically prepend http:// when someone enters a bare hostname). People do enter https://$nl.libreoffice.org and https://libreoffice.org though, and there are also links with these scheme & hostname. So while not having a working redirection from https://libreoffice.org to https://www.libreoffice.org would be a regression, IMHO from https://libreoffice.$tld it's not.
Updated by Florian Effenberger almost 7 years ago
- Target version set to Pool
What Guilhem says sounds sensible indeed to me. Raal, is there a use case to adjust the certificates in the way you proposed? Otherwise I'd not spend time on this... ;-)
Updated by - Raal almost 7 years ago
Florian Effenberger wrote:
What Guilhem says sounds sensible indeed to me. Raal, is there a use case to adjust the certificates in the way you proposed? Otherwise I'd not spend time on this... ;-)
Hi Florian, I have no problem with closing this task. When I type the URL and I get the error, I can repair the URL by myself.