Bug: Website SSL certificates invalid for some server IPv6 addresses
Describe the bug
Unable to view docs.python.org using IPv6 due to incorrect name in SSL certificate. This appears to be an issue with the particular IP address, as using a different IPv6 address (obtained via Google's public DNS) works.
See also https://github.com/pypi/support/issues/6959 for the same issue with files.pythonhosted.org
To Reproduce
Browsing to https://docs.python.org/ returns an invalid certificate.
> curl -6 -v https://docs.python.org/
* Host docs.python.org:443 was resolved.
* IPv6: 2a04:4e42:d000::223
* IPv4: (none)
* Trying [2a04:4e42:d000::223]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* closing connection #0
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Expected behavior
Website returns the correct certificate. e.g.:
curl -v https://docs.python.org/ --resolve 'docs.python.org:443:2a04:4e42:200::223'
* Added docs.python.org:443:2a04:4e42:200::223 to DNS cache
* Hostname docs.python.org was found in DNS cache
* Trying [2a04:4e42:200::223]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to docs.python.org (2a04:4e42:200::223) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: docs.python.org
> User-Agent: curl/8.11.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
< HTTP/1.1 302 Moved Temporarily
< Connection: keep-alive
< Content-Length: 138
< server: nginx
< content-type: text/html
< location: https://docs.python.org/3/
< x-clacks-overhead: GNU Terry Pratchett
< strict-transport-security: max-age=315360000; includeSubDomains; preload
< Via: 1.1 varnish, 1.1 varnish
< Accept-Ranges: bytes
< Age: 596713
< Date: Tue, 15 Jul 2025 09:44:55 GMT
< X-Served-By: cache-lga21989-LGA, cache-lhr-egll1980038-LHR
< X-Cache: HIT, HIT
< X-Cache-Hits: 66, 0
< X-Timer: S1752572696.884347,VS0,VE1
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host docs.python.org left intact
URL to the issue
No response
Screenshots
Certificate returned (according to Chrome):
Subject: default.ssl.fastly.net
Issuer: GlobalSign RSA OV SSL CA 2018
Expires on: 2 Jun 2026
Current date: 15 Jul 2025
PEM encoded chain:
Browsers
Chrome
Operating System
Windows
Browser Version
138.0.7204.100
Relevant log output
Additional context
No response
Can confirm this issue. Looks like 2a04:4e4:d000:223 is presenting a default Fastly certificate, while 2a04:4e42:400::223 works fine.
* Host files.pythonhosted.org:443 was resolved.
* IPv6: 2a04:4e42:d000::223
* IPv4: 167.82.52.223
* Trying [2a04:4e42:d000::223]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=default.ssl.fastly.net
* start date: May 1 16:26:08 2025 GMT
* expire date: Jun 2 16:26:07 2026 GMT
* subjectAltName does not match hostname files.pythonhosted.org
* SSL: no alternative certificate subject name matches target hostname 'files.pythonhosted.org'
The problem still persists for 2a04:4e42:d000::223
Adding the pip error for reference:
> pip3 install flask
Collecting flask
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“default.ssl.fastly.net” certificate name does not match input'))': /packages/ec/f9/7f9263c5695f4bd0023734af91bedb2ff8209e8de6ead162f35d8dc762fd/flask-3.1.2-py3-none-any.whl.metadata
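Added example, not part of the original thread: a small triage parser that reads `curl -v` transcripts like the ones posted above and groups certificate name mismatches by the edge IP that was contacted, covering both the schannel and OpenSSL error wording seen here. The sample input is constructed from excerpts of those transcripts; the function names `parse_curl_verbose` and `mismatching_edges` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpts of the curl -v transcripts quoted in this thread.
SAMPLE = """\
* Host docs.python.org:443 was resolved.
* Trying [2a04:4e42:d000::223]:443...
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322)
* Hostname docs.python.org was found in DNS cache
* Trying [2a04:4e42:200::223]:443...
< HTTP/1.1 302 Moved Temporarily
* Host files.pythonhosted.org:443 was resolved.
* Trying [2a04:4e42:d000::223]:443...
*  subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=default.ssl.fastly.net
* SSL: no alternative certificate subject name matches target hostname 'files.pythonhosted.org'
"""

HOST = re.compile(r"^\* (?:Host (\S+?):\d+ was resolved|Hostname (\S+) was found in DNS cache)")
TRYING = re.compile(r"^\*\s+Trying \[?([0-9A-Fa-f:.]+?)\]?:\d+\.\.\.")
CN = re.compile(r"^\*\s+subject:.*\bCN=([^;,\s]+)")
MISMATCH = re.compile(
    r"SEC_E_WRONG_PRINCIPAL|no alternative certificate subject name|subjectAltName does not match")
OK = re.compile(r"^< HTTP/\S+ \d{3}")

def parse_curl_verbose(text):
    """Return one record per connection attempt found in `curl -v` output."""
    attempts, host = [], None
    for line in text.splitlines():
        if m := HOST.match(line):
            host = m.group(1) or m.group(2)
        elif m := TRYING.match(line):
            attempts.append({"host": host, "ip": m.group(1), "cn": None, "status": "unknown"})
        elif attempts:
            cur = attempts[-1]  # lines after "Trying" belong to the latest attempt
            if m := CN.match(line):
                cur["cn"] = m.group(1)
            elif MISMATCH.search(line):
                cur["status"] = "name-mismatch"
            elif OK.match(line) and cur["status"] == "unknown":
                cur["status"] = "ok"  # an HTTP status line means the handshake verified
    return attempts

def mismatching_edges(attempts):
    """Map each edge IP that served a wrong-name certificate to the hosts affected."""
    bad = defaultdict(set)
    for a in attempts:
        if a["status"] == "name-mismatch":
            bad[a["ip"]].add(a["host"])
    return dict(bad)
```

Feeding it transcripts collected from several reporters shows at a glance whether the failures cluster on one address, as they do here.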