James Cloos wrote: > >>>>> "BP" == Bob Proulx writes: > > BP> Nico obtained a new SSL certificate from Gandi for us. I have > BP> installed it on the frontend. All looks good to me. Good to go > BP> for another year! > > I can't remember for certain whether they used to work, and don't > know whether gandi would have been willing to include them in the > subjectAltName, but the aliases sv.gnu.org and sv.nongnu.org are > not coverred by the new certs.
First I should say that I didn't look previously and so I don't actually know if https://sv.gnu.org/ reported a valid certificate or not. But as far as I can see they should not have been covered previously. I don't think this is a change. I also don't think it is in the plan to have sv.{non,}gnu.org work for https. In order to support sv.gnu.org and sv.nongnu.org it would need four total certificates. And the Apache config would also need the setup to have each of those serve the right certificate. It has only been set up for two for years. I still have a dump from the previous certificates. They are specifically savannah.gnu.org and one for savannah.nongnu.org. The old certificates were replaced with new ones and so there are still the same two names supported. They were not wildcard certificates. Additional if you actually try to log in using sv.{non,}gnu.org then Savane complains of cookie problems. And so I will say thanks for noting that corner case but I think that is all as it is expected to be because it is not expected to use either of those names. Bob
