- changed status to open
Certificate for https://cactuscode.org is not trusted
The certificate for https://cactuscode.org is not trusted. The certificate for https://www.cactuscode.org is working fine.
Comments (15)
-
assigned issue to
-
assigned issue to
-
Works fine for me.
-
reporter I am using Safari. The error is
“lsu.edu” certificate name does not match input
-
Weird. Chrome says, “certificate valid.” If I call “openssl s_client -servername cactuscode.org -showcerts -connect cactuscode.org:443” I don’t see a certificate. If I do “openssl s_client -servername cactuscode.org -showcerts -connect www.cactuscode.org:443” I see a github cert (since the site is now on github). Nowhere, though, do I see an lsu.edu cert. Could that be cached on your machine, Erik?
-
I get the same bad certificate issue (Firefox, Linux, not at LSU). This is also the same topic as the “Need config info for cactuscode.org vs www.cactuscode.org” conversation with Sai Pinnepalli at LSU (there should be emails from around May 10th):
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for cactuscode.org. The certificate is only valid for the following names: lsu.edu, *.lsu.edu
Error code: SSL_ERROR_BAD_CERT_DOMAIN
-
reporter With Chrome, I see
Your connection is not private Attackers might be trying to steal your information from cactuscode.org (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID
-
reporter My cell phone (also Safari) also reports a certificate problem.
I also received an independent report from someone else.
-
Erik, do you see information about “lsu.edu” anywhere but your laptop?
-
^ I see the same issue as Erik.
-
reporter Yes, my cell phone lists “lsu.edu” as “Common Name” of the “Subject Name” of the certificate.
It seems “lsu.edu” is the certificate name. This might just be a string that looks like a URL (maybe it could be just “LSU” instead).
I also see “lsu.edu” and “*.lsu.edu” as “DNS Name” in the “Subject Alternative Name” (on my phone).
-
reporter Steve
If you access the web site from within LSU, then maybe your DNS or DHCP setup might mark “lsu.edu” as trusted? Are you accessing it from outside LSU, and without VPN?
-
So dig shows me that cactuscode.org is LSU while www.cactuscode.org is github. I didn’t set this up and am having trouble finding the email where the issue was described.
-
Indeed if we had a DNS A entry from cactuscode.org to einsteintoolkit.github.io then both https://cactuscode.org and https://www.cactuscode.org should result in the same website being delivered. GitHub is not fully clear on this on https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/about-custom-domains-and-github-pages#using-an-apex-domain-for-your-github-pages-site where they state
For example, if you configure www.example.com as the custom domain for your site, and you have GitHub Pages DNS records set up for the apex and www domains, then example.com will redirect to www.example.com. Note that automatic redirects only apply to the www subdomain. Automatic redirects do not apply to any other subdomains, such as blog.
-
Right now with https the certificates do not match, e.g. one gets:
$ curl -I --resolve cactuscode.org:443:185.199.108.153 https://cactuscode.org/
curl: (60) SSL: no alternative certificate subject name matches target host name 'cactuscode.org'
while with www (for which a CNAME entry exists) it works fine:
$ curl -I --resolve www.cactuscode.org:443:185.199.108.153 https://www.cactuscode.org/
HTTP/2 200
server: GitHub.com
content-type: text/html; charset=utf-8
last-modified: Thu, 03 Jun 2021 17:52:12 GMT
access-control-allow-origin: *
etag: "60b916cc-162d"
expires: Thu, 03 Jun 2021 18:07:53 GMT
cache-control: max-age=600
x-proxy-cache: MISS
x-github-request-id: B928:072C:1DF684:3BFC8C:60B91821
accept-ranges: bytes
date: Thu, 03 Jun 2021 17:58:04 GMT
via: 1.1 varnish
age: 11
x-served-by: cache-pwk4948-PWK
x-cache: HIT
x-cache-hits: 1
x-timer: S1622743085.638120,VS0,VE1
vary: Accept-Encoding
x-fastly-request-id: 2995efdb1d35c95f3fd3b967d71a0fb3d980e170
content-length: 5677
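The name check behind the Safari, Firefox, Chrome and curl errors reported in this thread, as an added example that is not part of the original discussion: it applies RFC 6125-style matching to the SAN list quoted in the Firefox error and shows why neither `lsu.edu` nor `*.lsu.edu` covers `cactuscode.org`. The function names and `WWW_CERT_SANS` are assumptions made for the example; `live_check` needs network access and is only defined, not run.

```python
import socket
import ssl


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' is honoured only as the entire
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.lsu.edu' never covers 'lsu.edu' or 'a.b.lsu.edu'
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covered_by(host: str, sans: list[str]) -> list[str]:
    """Return the SAN entries that cover host (empty list = name mismatch)."""
    return [s for s in sans if san_matches(s, host)]


def live_check(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with normal verification and report the outcome.
    Needs network access, so it is not called at import time."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                names = tls.getpeercert().get("subjectAltName", ())
                sans = [v for k, v in names if k == "DNS"]
                return f"{host}: OK, covered by {covered_by(host, sans)}"
    except ssl.SSLCertVerificationError as exc:
        return f"{host}: REJECTED ({exc.verify_message})"
    except OSError as exc:
        return f"{host}: connection failed ({exc})"


# SAN list quoted in the Firefox error in this thread.
APEX_CERT_SANS = ["lsu.edu", "*.lsu.edu"]
# Constructed for the example: the thread does not list the names on the
# certificate served for www.cactuscode.org.
WWW_CERT_SANS = ["www.cactuscode.org"]

if __name__ == "__main__":
    for host, sans in (("cactuscode.org", APEX_CERT_SANS),
                       ("www.cactuscode.org", WWW_CERT_SANS)):
        print(host, "->", covered_by(host, sans) or "no SAN matches (name mismatch)")
```

Calling `live_check("cactuscode.org")` and `live_check("www.cactuscode.org")` from a networked machine repeats the comparison against whatever certificates the two names currently serve.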