On Fri, 16 Jul 2010 11:09:15 +0200, Thomas Bächler <[email protected]> wrote:
> I just performed the switch to https only on bbs! I also adjusted some
> internal URLs, so all files will be properly fetched via https directly.
> http is redirected automatically. Note that the navbar links on Archweb
> and all other sites still point to http, but that is redirected
> automatically.
>
> There is a catch:
> 1) Apache configures SSL per-vhost. That means that even though we have
> a wildcard certificate, the browser must support SNI for name-based
> vhosts to work. All clients that are not SNI-capable will be redirected
> to www instead.
> 2) wget doesn't like wildcard certificates. That means you need to use
> --no-check-certificate with wget.
> 3) Our certificate is from CACert. AFAIK, this is not included in many
> browsers by default. If you use Arch Linux, at least everything that
> uses the OpenSSL certificate store and all Mozilla browsers are
> CACert-enabled - on other operating systems, our certificate might show
> up as untrusted.
>
> Let me know if any of the above (especially 1) cause any problems.

Didn't we have a discussion about this some time ago?

Point 1) is simply not true. An SNI compatible client is not needed here. (at least if you haven't altered the ssl config)

Point 2) is afaik a known wget bug. (I wonder if there is a patch)

--
Pierre Schmitz, https://users.archlinux.de/~pierre

