Bug 1403 - Secure certificate not properly setup, says untrusted site
Product: maemo.org Website
: unspecified
: All Linux
: High normal (vote)
: ---
Assigned To: Niels Breet
Reported: 2007-05-12 10:59 UTC by Quim Gil
Modified: 2008-04-07 15:23 UTC (History)

Certificate properties 1 (45.44 KB, image/png)
2007-05-12 11:00 UTC, Quim Gil
Certificate properties 2 (45.44 KB, image/png)
2007-05-12 11:01 UTC, Quim Gil
Error message 1 (21.42 KB, image/png)
2007-05-12 11:02 UTC, Quim Gil
Error message 2 (21.27 KB, image/png)
2007-05-12 11:02 UTC, Quim Gil
Error when opening https://maemo.org/news (184.44 KB, image/png)
2007-10-29 08:12 UTC, Quim Gil


Description Quim Gil (reporter) nokia 2007-05-12 10:59:54 UTC
As far as I know we are paying for an SSL certificate to properly handle anything
behind https://. However, it doesn't save us the normal screens of untrusted
sites. In some cases logging in to Bugzilla means accepting an "untrusted
site" window twice, one for maemo.org and another one for bugs.maemo.org. Other times
you get into a kind of loop, having to accept up to 6 times.

Of course checking the "Trust this site from now" checkbox saves you this
hassle, but then why do we need a proper certification in place?

It looks like a problem of configuration. Attaching screenshots.
Comment 1 Quim Gil (reporter) nokia 2007-05-12 11:00:54 UTC
Created an attachment (id=421) [details]
Certificate properties 1
Comment 2 Quim Gil (reporter) nokia 2007-05-12 11:01:36 UTC
Created an attachment (id=422) [details]
Certificate properties 2
Comment 3 Quim Gil (reporter) nokia 2007-05-12 11:02:12 UTC
Created an attachment (id=423) [details]
Error message 1
Comment 4 Quim Gil (reporter) nokia 2007-05-12 11:02:37 UTC
Created an attachment (id=424) [details]
Error message 2
Comment 5 Niels Breet maemo.org 2007-05-16 22:48:20 UTC
*** Bug 1444 has been marked as a duplicate of this bug. ***
Comment 6 Jake Kunnari 2007-05-22 15:03:16 UTC
Moved to correct Product and Component.
Comment 7 Ferenc Szekely maemo.org 2007-05-29 14:01:24 UTC
Thanks, known issue. We are in the process of ordering new certificates. I take
this bug.
Comment 8 Quim Gil (reporter) nokia 2007-07-16 01:28:14 UTC
Complaints about this in ITT, setting to P2.
Comment 9 Ferenc Szekely maemo.org 2007-07-16 11:37:58 UTC
Got the new SSL certs this morning, this will be fixed shortly.
Comment 10 Quim Gil (reporter) nokia 2007-07-17 11:07:38 UTC
From a user point of view the problem still persists. Reopening until the issue
is completely solved.
Comment 11 Ferenc Szekely maemo.org 2007-07-17 13:10:54 UTC
If you check, your browser does not complain about an untrusted site; it says
untrusted authority. Well, this is plain wrong, since the certificate is coming
from Verisign.
We will not get any better than this, I am afraid. The 'Common Name' of the
authority who issued the certificate is missing, but all our certificates at
maemo.org are like that. 
I try to complain, let's see...
Comment 12 Ferenc Szekely maemo.org 2007-07-17 14:11:36 UTC
Alright, we got it sorted out now. The intermediate certificate was missing.
Now you are not supposed to receive any weird message.
Comment 13 Quim Gil (reporter) nokia 2007-10-23 07:46:49 UTC
The thing is that those messages are still appearing. I was trying to find the
moment to report back but there is another user that has done it. Reopening.
Comment 14 Quim Gil (reporter) nokia 2007-10-23 07:47:47 UTC
*** Bug 2153 has been marked as a duplicate of this bug. ***
Comment 15 Quim Gil (reporter) nokia 2007-10-23 07:48:54 UTC
Please look at the additional details provided in
Comment 16 timeless 2007-10-23 12:32:23 UTC
i.e., *.garage.maemo.org is also affected.

not quite sure what protocol says, but this should be treated as a blocker. At
some point svn clients should refuse access to the svn repositories (curl I'm
told already does) which means teams may be unable to do commits.
Comment 17 timeless 2007-10-23 12:34:01 UTC
for reference, you can use this syntax:
bug 2153 instead of including a url, Bugzilla likes it better.

I guess that currently svn is hosted by https://garage instead of
https://project.garage, so it's unaffected.
Comment 18 Ferenc Szekely maemo.org 2007-10-23 18:08:16 UTC
We will not get a wildcard certificate for garage. So you can forget about
https://*.garage.maemo.org 'sites'.

We will not get a wildcard certificate for *.maemo.org either, so you can keep
on posting that your browser complains when you type https://a.maemo.org or
https://b.maemo.org. It will not be fixed. 

For the reference here is a list of valid sub domains that are in use and have
valid certificates:
https://bugs.maemo.org (not bugzilla.maemo.org)

As far as the repo is concerned the correct address is: 
http://repository.maemo.org (not https), so we do not need a certificate there.
Comment 19 timeless 2007-10-23 23:23:30 UTC
ok, then please do us a favor and stop running https servers for any other dns
entries, otherwise you're going to get very unhappy and confused users.

note that not offering https downloads is bad news. for security reasons you
really should offer downloads via https (arguably only via https, but...).
Comment 20 Justin Dolske 2007-10-23 23:31:19 UTC
Not using wildcard certs is your choice, but some of the root issues in this
bug (and bug 2153, which was duped to this) are clearly not fixed. A minimal
example is http://maemo.org/community/mailing-lists.html, where all the
"Subscribing via Web" links exhibit this problem.

Not supporting reasonable URLs like https://www.maemo.org is a mistake IMO, but
whatever. Still, the fact that many of these URLs *work* (if you ignore the SSL
warning) means that people are inevitably going to be linking to those pages.
Seems like the right thing to do would be to return error pages.
Comment 21 Quim Gil (reporter) nokia 2007-10-24 08:05:03 UTC
Is this list of subdomains something static or can we add i.e. news or
downloads? Or why can't we have this wildcard cert? (I'm asking out of
ignorance, please bear with me if I'm asking something stupid).

What is true is that as people get new versions of popular browsers these pages
under https not covered by a certificate will simply not load. We need a plan
for that.
Comment 22 Quim Gil (reporter) nokia 2007-10-29 08:11:35 UTC
We are still looking at this with Ferenc. For now I'm removing the "blocker"
since as of today it is not a blocker.

Jumping directly to https://maemo.org and (apparently) any subpage under it
generates an error "Unable to verify the identity of maemo.org as a trusted
site". See screenshot.
Comment 23 Quim Gil (reporter) nokia 2007-10-29 08:12:58 UTC
Created an attachment (id=589) [details]
Error when opening https://maemo.org/news
Comment 24 Patrick C. F. Ernzer 2007-12-02 13:10:32 UTC
still experiencing this bug as described in Comment #22, can you please make
this a blocker bug again?
Comment 25 Quim Gil (reporter) nokia 2008-01-29 11:02:51 UTC
Ferenc, please delegate this bug to Niels updating him with any info. He will
push it. Thanks.
Comment 26 Tony Green 2008-02-07 16:27:00 UTC
This is also causing me severe difficulties, as I am getting blocked when I
click the "Log in" link at http://maemo.org/, try to use Bugzilla or try to log
in to edit pages related to applications I've ported to OS2007 and am trying to
re-port to OS2008.

This is especially problematic as I am working with the Firefox 3 Beta (to give
it a good test) which doesn't even give the option of accepting un-trusted
certificates, so I have to log in as another user specifically to launch
Firefox 2 to do anything, which is, frankly, a pain in the backside.
Comment 27 Niels Breet maemo.org 2008-02-25 14:05:32 UTC
Problem seems to be that the certificate is signed by Verisign with a
certificate that has expired. The server should provide an intermediate
certificate to fix this problem.

Somehow the maemo.org server isn't sending this intermediate certificate
together with the maemo.org certificate. All settings look ok.

Marcell is talking to the ISP to resolve this issue.
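
The two failure modes in this thread, reproduced against a throwaway CA hierarchy: a server that sends its certificate without the intermediate (Comments 12 and 27), and a hostname the certificate does not name (Comments 18 to 20). This is an added example, not part of the bug report; the CA names, keys and SAN list are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
# Constructed lab PKI: root CA -> intermediate CA -> leaf. All names, keys and
# SAN entries are made up for this example; nothing here is maemo.org's own.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:maemo.org,DNS:bugs.maemo.org
EOF

# issue NAME SUBJECT_CN ISSUER EXT_SECTION: new key + CSR for NAME, signed by ISSUER
issue() {
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -extfile pki.cnf -extensions "$4" -days 2 -out "$1.pem" 2>/dev/null
}

openssl req -config pki.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Root CA" -days 2 -keyout root.key -out root.pem 2>/dev/null
issue int  "Constructed Intermediate CA" root v3_ca
issue leaf "maemo.org"                   int  leaf

# Two things a server can send in its TLS Certificate message:
cp leaf.pem leaf-only.pem                # misconfigured: leaf without its issuer
cat leaf.pem int.pem > fullchain.pem     # fixed: leaf followed by the intermediate

# site_trusted SERVED_CHAIN HOSTNAME
# The client trusts only root.pem; SERVED_CHAIN is untrusted material used for
# path building. Succeeds only if a path reaches the root AND the leaf names HOSTNAME.
site_trusted() {
    openssl verify -CAfile root.pem -untrusted "$1" -verify_hostname "$2" "$1" \
        2>/dev/null | grep -q ': OK$'
}

for t in "leaf-only.pem maemo.org" "fullchain.pem maemo.org" \
         "fullchain.pem bugs.maemo.org" "fullchain.pem www.maemo.org"; do
    set -- $t
    if site_trusted "$1" "$2"; then r=trusted; else r=WARNING; fi
    printf '%-14s %-16s %s\n' "$1" "$2" "$r"
done
```

Only the first row (no intermediate sent) and the last row (name not in the certificate) produce a warning; the first is fixed on the server by serving the full chain, the second only by a certificate that names the host or by not serving HTTPS on that name.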
Comment 28 Niels Breet maemo.org 2008-04-07 15:23:51 UTC
This issue has now been resolved. There shouldn't be any warnings about the
certificate for https://maemo.org.