Bad certificate for https://projectatomic.io and bad redirect

Open jlebon opened this issue 8 years ago • 10 comments

Accessing https://projectatomic.io yields the following in Firefox:

projectatomic.io uses an invalid security certificate.

The certificate is only valid for the following names
 *.redhat.com, redhat.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

The www variant does have a properly signed certificate however.


Additionally, even if we add an exception for the above, we get redirected to http://www.projectatomic.io/ rather than https://www.projectatomic.io/

jlebon avatar Jan 10 '17 13:01 jlebon

@garrett ?

jberkus avatar Jan 10 '17 16:01 jberkus

@jberkus @jlebon Here everything is ok. It could have been something related to renewal of ssl certification, I believe. Issue closed please ;)

scovl avatar Feb 20 '17 11:02 scovl

Hmm, still getting SSL_ERROR_BAD_CERT_DOMAIN here.

jlebon avatar Feb 21 '17 14:02 jlebon

I think it's always been broken this way. AFAIK the site is hosted in OpenShift v2...hopefully soon we can cut over.

cgwalters avatar Feb 21 '17 15:02 cgwalters

See it https://www.ssllabs.com/ssltest/analyze.html?d=www.projectatomic.io

scovl avatar Mar 05 '17 14:03 scovl

Yah, we don't have a solution for this yet.

jberkus avatar Mar 06 '17 01:03 jberkus

It seems both sites are pointing to different places:

$ dig +short projectatomic.io
209.132.183.105

$ dig +short www.projectatomic.io
test-atomicproject.rhcloud.com.
ex-std-node676.prod.rhcloud.com.
ec2-54-175-82-185.compute-1.amazonaws.com.
54.175.82.185

gtirloni avatar Jun 21 '17 19:06 gtirloni

@mscherer ?

jberkus avatar Jun 21 '17 23:06 jberkus

So, sorry, forgot about this one.

So that's a consequence of the limitations of the OpenShift hosting, and various RFCs.

OpenShift Online v2 requires the domain of the website (www.projectatomic.io) to point to a CNAME (i.e., test-atomicproject.rhcloud.com), so the "gear" (i.e., the container) can be moved around automatically (since rhcloud.com is under the control of OpenShift v2).

Various RFCs require that the apex of the domain (i.e., projectatomic.io) can't be a CNAME (cf. https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain ).

So we can't have projectatomic.io as an alias on the httpd hosting on OpenShift.

In turn, that means we have to point to an A record, and in this case, RH IT has a redirection service, called redirect.redhat.com, on 209.132.183.105.

So what was set up was that projectatomic.io would redirect to www, using that service, and that we should use www.projectatomic.io for everything.

Now, the problem is that the server on redirect.redhat.com is under RH IT control. I am not sure what it is running right now, besides "bigIP F5", and what version, and what it supports (i.e., does it support SNI, yes; does it support SNI on the version we have, no idea).

So someone should go ask IT if they can add SNI there, and get a certificate.

mscherer avatar Jun 28 '17 22:06 mscherer

So now we have migrated to OpenShift v3, and since the hardware doing the redirection got upgraded, I did ask IT about it. If they can't offer the service, I will be looking with my team to set up a redirector in our DC.

mscherer avatar Dec 15 '17 11:12 mscherer
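
The two symptoms reported in this issue, a certificate whose names do not cover the apex host and a redirect that drops from HTTPS to HTTP, can be checked mechanically once the presented certificate names and the `Location` header are known. The following is an added example, not code from the project or from any commenter; the function names, the finding labels and the name list used for the www certificate are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def san_matches(hostname, pattern):
    """RFC 6125-style comparison of a hostname against one certificate dNSName."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Conservative assumption: require at least two fixed labels after "*",
        # so a name such as "*.com" is never honoured.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def audit(hostname, cert_names, redirect_location=None):
    """Return findings for one HTTPS probe of `hostname`.

    cert_names: dNSName entries of the certificate the server presented.
    redirect_location: Location header value if the response was a redirect.
    """
    findings = []
    if not any(san_matches(hostname, name) for name in cert_names):
        findings.append("BAD_CERT_DOMAIN")
    if redirect_location and urlsplit(redirect_location).scheme == "http":
        # The client asked over TLS and is sent to a cleartext URL.
        findings.append("HTTPS_TO_HTTP_REDIRECT")
    return findings


# Observations: the apex values are the ones quoted in the issue; the www
# certificate name list is constructed, since the issue does not quote it.
OBSERVED = {
    "projectatomic.io": (["*.redhat.com", "redhat.com"],
                         "http://www.projectatomic.io/"),
    "www.projectatomic.io": (["www.projectatomic.io"], None),
}

if __name__ == "__main__":
    for host, (names, location) in OBSERVED.items():
        print(host, audit(host, names, location) or "ok")
```

The same certificate is valid for a host such as redirect.redhat.com, which is why the redirect service works for Red Hat names but fails for a foreign apex pointed at its IP address.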