Fedoralinux.org does not support HTTPS

fedoralinux.org does not support HTTPS. This needs fix.

Looks fine to me. It’s using a certificate with SHA-256 signature C8:4F:B2:7F:41:20:5D:74:D4:9C:B1:F4:3C:02:30:8A:0E:E6:A6:C8:C6:36:93:16:5F:2F:75:F1:BD:60:CE:49

For clarity: fedoralinux.org redirects to https://fedoraproject.org/ which does support HTTPS, but fedoralinux.org itself does not. The effect of this is that if you are using the always-HTTPS-only mode in your browser, you’ll get a warning when navigating to fedoralinux.org.

Ah! That makes sense. @fransqui please file an issue with the Infrastructure team.

Indeed, thanks for the clarity!

Where are you finding a link to fedoralinux.org anyway?

Even with HTTPS-only mode in Firefox, if you type fedoralinux.org, it will redirect to https://fedoraproject.org without issue.

The warning SSL_ERROR_BAD_CERT_DOMAIN only appears if you type (or follow a link to) https://fedoralinux.org

If you type fedoralinux.org, http://fedoralinux.org, https://fedoralinux.org or click these links you will get: “Secure Site Not Available You’ve enabled HTTPS-Only Mode for enhanced security, and a HTTPS version of fedoralinux.org is not available.” This is not acceptable.

fedoralinux.org (and http://fedoralinux.org and https://fedoralinux.org) will work without warning after you get the warning once. Clear your browser cache/history and you will get the warning again.

Nope, I can’t repro with Firefox 114.0.2 on Linux, or Firefox 114.2 on iOS. Only explicitly going to https://fedoralinux.org gives the warning.

Please test with clean state. Quit Firefox, remove $HOME/.mozilla directory, toggle HTTPS-only-mode for all tabs/windows on and type fedoralinux.org. If you still cant repro, please test with Firefox for Android (remember toggle HTTPS-only-mode on).

I will check version of my Firefox when I am at the home. Version of my Firefox is 113.0.2.

And anyway this needs fix, who is admin of the server?

1 Like

See my previous reply in this thread

1 Like

Oh, thanks.

just for completness I’ll add here what I added to the infra ticket:

So, we can of course fix this… but I am not sure we want to.

We have a large number of domains that we have registered, but do not currently use for anything.
Nothing should be linking to these domains or using them.

So, they simply redirect to our real domain.

We could get ssl certs for each of them, but… that seems like a lot of effort for not much gain. If we were using or pointing to the domain we would of course make sure it had a valid cert.

How did you find/get to/link to fedoralinux.org ? Is there some document or comment or place pointing you and others to it?

1 Like

Where is the list of those?

I agree with many other domains, but fedoralinux.org is good when referring only to Fedora Linux.

Adding certs to them is pretty trivial.

From one Discord chat.

They should fix the incorrect link then. Please let them know that fedoraproject.org is the canonical URL of Fedora (since ~2005?).

As suggested on IRC recently regarding a very similar redirect, why not
redirect by DNS CNAME rather than HTTP?

That way you wouldn’t need to maintain a bunch of SSL certs and it would
also prevent users from bookmarking outdated URLs.

I might be missing something. It’s been some time since I last wrangled
with domains and websites.

PS: I added this to the
ticket as well.

CNAME won’t do a redirect — if the web server is configured to just serve fedoraproject.org content at that URL, there will be a cert mismatch (and warning/error), and also it might be confusing.

If it is configured as a separate virtual host with an http redirect, CNAME or A record both have the same effect.

This is probably good, because if I could CNAME my mymaliciousname.example.com to your site and have it just transparently work, I could then do a number of excitingly bad things.

Where is the list of those?

I don’t think we have any public list of them…

I agree with many other domains, but fedoralinux.org is good when referring only to Fedora Linux.

But it’s… wrong. It’s not the link we use. fedoraproject.org is that.

Adding certs to them is pretty trivial.

Sure, but it means setting up seperate sites for them all (increasing
open file descriptiors on proxies having to keep open log files for
each), having to make sure and monitor and renew those all the time.
Granted most of it’s automated, but… I don’t see the advantge.

From one Discord chat.

Yeah, I would suggest they use fedoraproject.org. :slight_smile:

1 Like

Yeah, I got that wrong. The URL wouldn’t change in the browser. It connects to whatever IP the domain name resolves to and expects a matching cert. Thanks for refreshing my memory. :classic_smiley: