ssl warning for wiki.einsteintoolkit.org

Create issue
Issue #2025 closed
Roland Haas created an issue

My browser (Firefox 45.8.0 ESR) reports

wiki.einsteintoolkit.org uses an invalid security certificate. The certificate is only valid for wiki.cct.lsu.edu Error code: SSL_ERROR_BAD_CERT_DOMAIN

for https://wiki.einsteintoolkit.org/

Keyword:

Comments (12)

  1. Frank Löffler
    • removed comment

    The wiki isn't supposed to be accessed via wiki.einsteintoolkit.org, but via https://docs.einsteintoolkit.org. Which page uses the first link? Even if the ssl certificate would work, that is not leading to the ET wiki.

    As for www.einsteintoolkit.org - the same goes here, but it is a little more understandable that someone tries the 'www' version "out of the blue". I've opened a ticket to get a certificate.

  2. Roland Haas reporter
    • removed comment

    Replying to [comment:2 knarf]:

    The wiki isn't supposed to be accessed via wiki.einsteintoolkit.org, but via https://docs.einsteintoolkit.org. Which page uses the first link? Even if the ssl certificate would work, that is not leading to the ET wiki. No page is using that link, I had typed it into the address bar directly in an attempt to remember the wiki page url. Having said that , would it be possible to make wiki.einsteintoolkit.org point to the actual wiki (or redirect there)? So that the ET wiki can be found at a URL with "wiki" in its name? The argument would be the same as for www.einsteintoolkit.org: it seems like a reasonable assumption on the part of a user to expect all sub-domains of einsteintoolkit.org to actually belong to the einstein toolkit and not a cct page (which is in theory a completely different entity from the ET).

    As for www.einsteintoolkit.org - the same goes here, but it is a little more understandable that someone tries the 'www' version "out of the blue". I've opened a ticket to get a certificate. Thank you.

  3. Frank Löffler
    • removed comment

    I should also ask for wiki.einsteintoolkit.org to be removed. Let me find out if that would cause issues.

  4. Roland Haas reporter
    • removed comment

    It's worse now. Even http://wiki.einsteintoolkit.org is now redirected to https://wiki.einsteintoolkit.org which uses a certificate which neither Firefox now Chromium will accept in my workstation.

    Steve: would it be possible to talk to someone at LSU and either

    a. have wiki.einsteintoolkit.org report a "not found" a. provide a ssl certificate for https://wiki.einsteintoolkit.org that browsers recognize (yes I understand that the certificate may well be signed by the LSU certificate authority which can be traced back to some root CA, but it seems at least some browsers do not trust this root CA) a. have wiki.einsteintoolkit.org point to docs.einsteintoolkit.org (both are LSU controlled so I see no problem with this)

  5. Ian Hinder
    • removed comment

    According to sslshopper, https://www.sslshopper.com/ssl-checker.html#hostname=wiki.einsteintoolkit.org, all the correct intermediate certificates are installed, and the certificate should be recognised by all major web browsers. The root CA is not LSU; it is "InCommon RSA Server CA".

    However, the problem is that the leaf certificate does not have a common name which matches the URL being used; the CN is wiki.cct.lsu.edu. This is probably why Firefox and Chromium don't accept it. ... Yes, on my laptop, Firefox says

    wiki.einsteintoolkit.org uses an invalid security certificate. The certificate is only valid for wiki.cct.lsu.edu Error code: SSL_ERROR_BAD_CERT_DOMAIN

    when you click "Advanced".

    We have always used the URL "docs.einsteintoolkit.org" for our wiki (I have no idea why).

    For simplicity at this point, I would probably just remove wiki.einsteintoolkit.org from DNS. It is currently a CNAME alias for wiki.cct.lsu.edu, which is a completely different server (currently 130.39.21.6, vs 130.39.21.43 for docs.einsteintoolkit.org). This is completely wrong.

    A better solution would be to start using wiki.einsteintoolkit.org as the official name of our wiki (it contains more than just documentation), generate a certificate with names wiki.einsteintoolkit.org and docs.einsteintoolkit.org, and have docs repoint to wiki.

    But the first option is much more likely to get implemented on a short timescale...

    PS: Roland, you could also add a bookmark, since you seem unable to remember the URL ;)

  6. Roland Haas reporter
    • removed comment

    Oh, I can remember the URL, I just saw this ticket still open when looking for tickets that I had reported that were still open.

    Yes, completely removing the DNS entry is also fine.

  7. Log in to comment