tickets #92299
closed
opensuse.com.br and other domains not matching *.opensuse.org
100%
Description
Go to https://www.opensuse.com.br/ and you will see the certificate warning because 'opensuse.com.br' is obviously not covered by our wildcard certificate.
This will no doubt not be the only domain - from the dnsmasq config on anna:
opensuse.de
opensuse.asia
opensuse.co
opensuse.com
opensuse.com.br
opensuse.com.es
opensuse.com.mx
opensuse.de
opensuse.eu
opensuse.fr
opensuse.gen.tr
opensuse.jp
opensuse.kr
opensuse.me
opensuse.mu
opensuse.mx
opensuse.net
opensuse-project.com
opensuse-project.de
opensuse-project.net
opensuse-project.org
Updated by pjessen almost 3 years ago
- Category set to Core services and virtual infrastructure
- Private changed from Yes to No
Updated by pjessen almost 3 years ago
Judging by /etc/ssl/services on anna, we have wildcard certs for opensuse.de and opensuse.fr, but they are not actually being used?
Updated by pjessen over 2 years ago
Just a thought - before we go and generate LE certs for all of these, maybe we should think about what they are being used for - I didn't check them all, but opensuse.mx, opensuse.de, www.opensuse.mx, www.opensuse.de, lists.opensuse.de and even perjessen.opensuse.de all redirect to download.o.o ? :-)
Another question is, why is it only this small subset of all country-specific TLDs ? I don't see 'opensuse.ch' or 'opensuse.org.uk' or 'opensuse.ee', for instance.
Updated by pjessen over 2 years ago
pjessen wrote:
Just a thought - before we go and generate LE certs for all of these, maybe we should think about what they are being used for - I didn't check them all, but opensuse.mx, opensuse.de, www.opensuse.mx, www.opensuse.de, lists.opensuse.de and even perjessen.opensuse.de all redirect to download.o.o ? :-)
Sorry, not a redirect, it just shows download.o.o under whatever name you use.
Updated by bmwiedemann over 2 years ago
I would have expected https://www.opensuse.de/ to redirect to the German version of https://www.opensuse.org/ , so maybe we need to update the haproxy.cfg on anna as well.
http://web.archive.org/web/20190902222326/https://www.opensuse.de/ shows 2y ago it was a 301 to https://www.opensuse.org/
Updated by pjessen about 2 years ago
- Related to tickets #106769: cert seems not to match the server name when opening https://www.opensuse.com/ added
Updated by pjessen almost 2 years ago
FYI, I have added an SPF record for all of those unused domains: v=spf1 -all
Updated by crameleon over 1 year ago
I think the issue is no longer present:
$ echo|openssl s_client -connect opensuse.com.br:443 2>/dev/null | openssl x509 -noout -text -in -|grep DNS
DNS:*.opensuse.com.br, DNS:opensuse.com.br
Can this ticket be closed?
Updated by pjessen over 1 year ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
crameleon wrote:
I think the issue is no longer present:
$ echo|openssl s_client -connect opensuse.com.br:443 2>/dev/null | openssl x509 -noout -text -in -|grep DNS
DNS:*.opensuse.com.br, DNS:opensuse.com.br
Can this ticket be closed?
Yes, it looks good. I did a couple of spot checks, and got redirected to www.opensuse.org.
Thanks for checking up on it, Georg.
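The check used in this thread can be turned into a pass/fail test per hostname. The following is an added example, not part of the ticket or of the openSUSE infrastructure code: the function name `san_covers` and the `*.opensuse.org` SAN line are assumptions constructed for illustration, while the `opensuse.com.br` SAN line is the output quoted above. It shows why a wildcard entry only covers one left-most label and never the bare domain, which is why the fixed certificate lists both names.

```sh
#!/bin/sh
# Added example: match a hostname against the "DNS:" entries of a certificate.
# For a live host the SAN line comes from the command quoted in the ticket:
#   echo|openssl s_client -connect HOST:443 2>/dev/null | openssl x509 -noout -text -in -|grep DNS

# san_covers HOST SAN_LINE -> exit status 0 if any DNS entry covers HOST.
san_covers() {
    sc_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # One SAN per line, lower-cased, "DNS:" prefix and leading blanks removed.
    sc_sans=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | tr ',' '\n' |
              sed -n 's/^[[:space:]]*dns://p')
    while IFS= read -r sc_san; do
        case "$sc_san" in
            \*.*)
                # "*.example.org": strip the suffix and require that exactly
                # one non-empty label (no dots) is left in front of it.
                sc_suffix=${sc_san#\*}
                sc_label=${sc_host%"$sc_suffix"}
                if [ "$sc_label" != "$sc_host" ] && [ -n "$sc_label" ]; then
                    case "$sc_label" in
                        *.*) ;;            # a.b.example.org is not covered
                        *) return 0 ;;
                    esac
                fi
                ;;
            *)
                if [ "$sc_san" = "$sc_host" ]; then return 0; fi
                ;;
        esac
    done <<EOF
$sc_sans
EOF
    return 1
}

report() {
    if san_covers "$1" "$2"; then echo "covered:     $1"
    else echo "NOT covered: $1  (SANs: $2)"; fi
}

WILDCARD_ORG='DNS:*.opensuse.org, DNS:opensuse.org'    # constructed stand-in
FIXED_BR='DNS:*.opensuse.com.br, DNS:opensuse.com.br'  # output quoted in the ticket
report www.opensuse.com.br "$WILDCARD_ORG"
report opensuse.com.br     "$FIXED_BR"
report www.opensuse.com.br "$FIXED_BR"
```

Run over every name in the dnsmasq list, with and without `www.`, it flags domains that still fall back to a certificate issued for a different name.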