Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
Hi Bob, Thank you very much for fixing all this on such short notice! :) Best regards, Marcus On 9 August 2017 2:13:58 AM GMT+02:00, Bob Proulx wrote: >Hi Marcus, > >> > Where did you see git0.savannah.gnu.org documented so that this may >be >> > corrected? >> >> I got that URL from the gitweb instance [1] that the autoconf >savannah >> page [2] points to. > >> http://git.savannah.gnu.org/gitweb/?p=autoconf.git > >Aha! We look at these pages all of the time and after a while the >details all blur together. That should have been fixed last December! >That was set that way during turn-on of the new server image and >should never have escaped into production. > >Thank you for letting us know. I have fixed it now. I also removed >the DNS alias too so that it can't be used moving forward. > >> Admittedly, the savannah page itself has a non-TLS variant of the >URL: >> >> git clone http://git.sv.gnu.org/r/autoconf.git > >Right. You may use either. However the https is recommended. But we >don't prevent people from using the http or git protocols. For some >those are the only ones they can easily get to. > >> but: non-TLS http for source code distribution felt like it shouldn't >be >> the recommended way, so I payed no further attention to that >http://... >> URL, and just clicked through to the webgit to figure out a way of >> cloning that would allow to check authenticity of the remote! > >You may use either. And of course people should always check gpg >signatures to verify the validity of downloaded bits regardless of the >protocol. > >Bob -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
Hi Marcus, > > Where did you see git0.savannah.gnu.org documented so that this may be > > corrected? > > I got that URL from the gitweb instance [1] that the autoconf savannah > page [2] points to. > http://git.savannah.gnu.org/gitweb/?p=autoconf.git Aha! We look at these pages all of the time and after a while the details all blur together. That should have been fixed last December! That was set that way during turn-on of the new server image and should never have escaped into production. Thank you for letting us know. I have fixed it now. I also removed the DNS alias too so that it can't be used moving forward. > Admittedly, the savannah page itself has a non-TLS variant of the URL: > > git clone http://git.sv.gnu.org/r/autoconf.git Right. You may use either. However the https is recommended. But we don't prevent people from using the http or git protocols. For some those are the only ones they can easily get to. > but: non-TLS http for source code distribution felt like it shouldn't be > the recommended way, so I payed no further attention to that http://... > URL, and just clicked through to the webgit to figure out a way of > cloning that would allow to check authenticity of the remote! You may use either. And of course people should always check gpg signatures to verify the validity of downloaded bits regardless of the protocol. Bob
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
Hi Bob, thanks for getting back to me! > Where did you see git0.savannah.gnu.org documented so that this may be > corrected? I got that URL from the gitweb instance [1] that the autoconf savannah page [2] points to. Admittedly, the savannah page itself has a non-TLS variant of the URL: git clone http://git.sv.gnu.org/r/autoconf.git but: non-TLS http for source code distribution felt like it shouldn't be the recommended way, so I payed no further attention to that http://… URL, and just clicked through to the webgit to figure out a way of cloning that would allow to check authenticity of the remote! > BTW... We are already using Let's Encrypt certificates for all of the > site certificates. I saw that, I just thought you might have missed that specific git0... subdomain :) Best regards, Marcus [1] http://git.sv.gnu.org/gitweb/?p=autoconf.git, redirects to http://git.savannah.gnu.org/gitweb/?p=autoconf.git [2] https://www.gnu.org/software/autoconf/autoconf.html On 09.08.2017 01:12, Bob Proulx wrote: > Marcus Müller wrote: >> https://git0.savannah.gnu.org is unusable at the moment, since the SSL >> certificate is for bzr.savannah.gnu.org; noticed that when trying to >> clone the autoconf repo. > > You have a typo in your URL. You are using git0.savannah.gnu.org but > that is the underlying node hostname. You should be using the virtual > name git.savannah.gnu.org, without the "0" part. > > https://savannah.gnu.org/git/?group=autoconf > > Where did you see git0.savannah.gnu.org documented so that this may be > corrected? > >> See openssl output below: > ... >> Could someone please fix that by getting a Let's Encrypt cert for the >> actual git0 subdomain? > > Regardless of the typo we appreciate the reports. :-) > > BTW... We are already using Let's Encrypt certificates for all of the > site certificates. > > Thanks, > Bob >
Re: [Savannah-users] SSL cert for git0.savannah.gnu.org: wrong host
Marcus Müller wrote: > https://git0.savannah.gnu.org is unusable at the moment, since the SSL > certificate is for bzr.savannah.gnu.org; noticed that when trying to > clone the autoconf repo. You have a typo in your URL. You are using git0.savannah.gnu.org but that is the underlying node hostname. You should be using the virtual name git.savannah.gnu.org, without the "0" part. https://savannah.gnu.org/git/?group=autoconf Where did you see git0.savannah.gnu.org documented so that this may be corrected? > See openssl output below: ... > Could someone please fix that by getting a Let's Encrypt cert for the > actual git0 subdomain? Regardless of the typo we appreciate the reports. :-) BTW... We are already using Let's Encrypt certificates for all of the site certificates. Thanks, Bob