fedoralinux.org does not support HTTPS. This needs a fix.
Looks fine to me. It’s using a certificate with SHA-256 signature C8:4F:B2:7F:41:20:5D:74:D4:9C:B1:F4:3C:02:30:8A:0E:E6:A6:C8:C6:36:93:16:5F:2F:75:F1:BD:60:CE:49
For clarity: fedoralinux.org redirects to https://fedoraproject.org/ which does support HTTPS, but fedoralinux.org itself does not. The effect of this is that if you are using the always-HTTPS-only mode in your browser, you’ll get a warning when navigating to fedoralinux.org.
Indeed, thanks for the clarity!
Where are you finding a link to fedoralinux.org anyway?
Even with HTTPS-only mode in Firefox, if you type fedoralinux.org, it will redirect to https://fedoraproject.org without issue.
The warning SSL_ERROR_BAD_CERT_DOMAIN only appears if you type (or follow a link to) https://fedoralinux.org
If you type fedoralinux.org, http://fedoralinux.org, https://fedoralinux.org or click these links you will get: “Secure Site Not Available You’ve enabled HTTPS-Only Mode for enhanced security, and a HTTPS version of fedoralinux.org is not available.” This is not acceptable.
fedoralinux.org (and http://fedoralinux.org and https://fedoralinux.org) will work without warning after you get the warning once. Clear your browser cache/history and you will get the warning again.
Nope, I can’t repro with Firefox 114.0.2 on Linux, or Firefox 114.2 on iOS. Only explicitly going to https://fedoralinux.org gives the warning.
Please test with a clean state. Quit Firefox, remove the $HOME/.mozilla directory, toggle HTTPS-only-mode for all tabs/windows on and type fedoralinux.org. If you still can’t repro, please test with Firefox for Android (remember to toggle HTTPS-only-mode on).
I will check the version of my Firefox when I am at home. The version of my Firefox is 113.0.2.
And anyway this needs a fix. Who is the admin of the server?
Oh, thanks.
Just for completeness I’ll add here what I added to the infra ticket:
So, we can of course fix this… but I am not sure we want to.
We have a large number of domains that we have registered, but do not currently use for anything.
Nothing should be linking to these domains or using them.
So, they simply redirect to our real domain.
We could get ssl certs for each of them, but… that seems like a lot of effort for not much gain. If we were using or pointing to the domain we would of course make sure it had a valid cert.
How did you find/get to/link to fedoralinux.org? Is there some document or comment or place pointing you and others to it?
Where is the list of those?
I agree with many other domains, but fedoralinux.org is good when referring only to Fedora Linux.
Adding certs to them is pretty trivial.
From one Discord chat.
They should fix the incorrect link then. Please let them know that fedoraproject.org is the canonical URL of Fedora (since ~2005?).
As suggested on IRC recently regarding a very similar redirect, why not redirect by DNS CNAME rather than HTTP?
That way you wouldn’t need to maintain a bunch of SSL certs and it would also prevent users from bookmarking outdated URLs.
I might be missing something. It’s been some time since I last wrangled with domains and websites.
PS: I added this to the ticket as well.
CNAME won’t do a redirect — if the web server is configured to just serve fedoraproject.org content at that URL, there will be a cert mismatch (and warning/error), and also it might be confusing.
If it is configured as a separate virtual host with an http redirect, CNAME or A record both have the same effect.
This is probably good, because if I could CNAME my mymaliciousname.example.com to your site and have it just transparently work, I could then do a number of excitingly bad things.
Where is the list of those?
I don’t think we have any public list of them…
I agree with many other domains, but fedoralinux.org is good when referring only to Fedora Linux.
But it’s… wrong. It’s not the link we use. fedoraproject.org is that.
Adding certs to them is pretty trivial.
Sure, but it means setting up separate sites for them all (increasing open file descriptors on proxies having to keep open log files for each), having to make sure and monitor and renew those all the time.
Granted most of it’s automated, but… I don’t see the advantage.
From one Discord chat.
Yeah, I would suggest they use fedoraproject.org.
Yeah, I got that wrong. The URL wouldn’t change in the browser. It connects to whatever IP the domain name resolves to and expects a matching cert. Thanks for refreshing my memory.
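The CNAME point from the replies above, as an added example that is not part of the original thread: a small offline simulation of what a TLS client does when the typed name is a CNAME to another site. The zone, IP address, certificate name lists and the names `alias.example` and `project.example` are constructed placeholders, not Fedora's real configuration.

```python
def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def resolve(name: str, zone: dict) -> str:
    """Follow CNAME records until an A record is reached; return the IP."""
    seen = set()
    while True:
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        rtype, value = zone[name]
        if rtype == "A":
            return value
        name = value  # CNAME only changes where we connect, not the name we verify

def https_check(typed_host: str, zone: dict, servers: dict) -> str:
    """Client side: resolve, send the typed name as SNI, verify the cert against it."""
    ip = resolve(typed_host, zone)
    vhosts = servers[ip]
    cert_sans = vhosts.get(typed_host, vhosts["default"])  # server picks cert by SNI
    if any(san_matches(s, typed_host) for s in cert_sans):
        return "ok"
    return "SSL_ERROR_BAD_CERT_DOMAIN"

# Constructed data: alias.example is the unused domain, project.example the canonical one.
ZONE = {
    "project.example": ("A", "192.0.2.10"),
    "alias.example": ("CNAME", "project.example"),
}
CANONICAL_ONLY = {"192.0.2.10": {"default": ["project.example", "*.project.example"]}}
WITH_ALIAS_CERT = {"192.0.2.10": {
    "default": ["project.example", "*.project.example"],
    "alias.example": ["alias.example"],  # separate vhost with its own certificate
}}

if __name__ == "__main__":
    for label, servers in (("CNAME only", CANONICAL_ONLY),
                           ("own vhost + cert", WITH_ALIAS_CERT)):
        print(label, "->", https_check("alias.example", ZONE, servers))
```

The reference identity stays the name the user typed, so the alias only validates once the server holds a certificate naming it, whichever DNS record type points there.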