Closed dessalines closed 5 years ago
Can't reproduce. Can you show me the certificate?
The certificate subject is 0bin.net. The subjectAlternativeName is also 0bin.net. So yes, when going to www.0bin.net, the domain doesn't match.
> echo "" | openssl s_client -connect www.0bin.net:443 2> /dev/null | openssl x509 -text | grep -A3 -P 'Subject(:| Alternative)'
Subject: CN = 0bin.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
--
X509v3 Subject Alternative Name:
DNS:0bin.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
The thing is we have a redirection from www.0bin.net to 0bin.net and I tested it on 3 machines, one Linux, one Windows, and one Android. All of them redirect.
Are you getting this error only by accessing the website programmatically, or do you get it using a web browser?
Yes, but maybe the user entered the HTTPS manually (I doubt it), or (s)he uses something like HTTPS-Everywhere. You could either:
* Add a subjectAlternativeName to your CSR for Let's Encrypt.
* Use wildcard certificate.
* Do nothing. After all, it should only affect a very small portion of users. Check your logs for that.
Ok, thanks. subjectAlternativeName seems the best way to go.
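Added example, not part of the original thread and not 0bin's own code: a Python check that reads the Subject Alternative Name out of openssl x509 -text output like that quoted above and reports which hostnames a certificate leaves uncovered, for the current certificate and for the SAN and wildcard options. The sample text, the function names and the conservative wildcard rule are assumptions of this example.

```python
import re

# Constructed sample, modelled on the `openssl x509 -text` output quoted in this thread.
SAMPLE_TEXT = """\
        Subject: CN = 0bin.net
            X509v3 Subject Alternative Name:
                DNS:0bin.net
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

def san_dns_names(x509_text):
    """Extract the dNSName entries from `openssl x509 -text` output."""
    # The header line may end in " critical"; the entries are on the next line.
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return []
    entries = (e.strip() for e in m.group(1).split(","))
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def matches(pattern, host):
    """Hostname match in the style of RFC 6125: '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or several
    if p[0] == "*":
        # Assumption of this example: refuse wildcards directly under a TLD ("*.net").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(sans, hosts):
    """Return the hosts that no SAN entry matches."""
    return [h for h in hosts if not any(matches(s, h) for s in sans)]

if __name__ == "__main__":
    hosts = ["0bin.net", "www.0bin.net"]
    options = [
        ("current certificate", san_dns_names(SAMPLE_TEXT)),
        ("both names in the SAN", ["0bin.net", "www.0bin.net"]),
        ("wildcard only", ["*.0bin.net"]),
    ]
    for label, sans in options:
        print(f"{label}: uncovered = {uncovered(sans, hosts)}")
```

A certificate carrying only *.0bin.net covers www.0bin.net but not the bare 0bin.net, so the wildcard option still needs both names in the SAN.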
I still get this error when coming to it from:
https://duckduckgo.com/?q=0bin+&t=ffab&ia=web
Edit: I figured out what you need to do. Add the www.0bin.... to your letsencrypt, you don't have it currently.
I get the same indeed.
This appears to be fixed.