bitnami / vms

Bitnami VMs
https://bitnami.com

myip.bitnami.com TLS misconfiguration #1607

Open paxan opened 3 months ago

paxan commented 3 months ago

Platform

AWS

bndiagnostic ID

not applicable

Error output from curl

output fragment from curl -sv https://myip.bitnami.com/:

* Server certificate:
*  subject: CN=bitnami.com
*  start date: Jun 24 01:44:52 2024 GMT
*  expire date: Sep 22 01:44:51 2024 GMT
*  subjectAltName does not match myip.bitnami.com
* SSL: no alternative certificate subject name matches target host name 'myip.bitnami.com'

bndiagnostic was not useful. Could you please tell us why?

Network issue is with myip.bitnami.com itself

Describe your issue as much as you can

The certificate associated with myip.bitnami.com only covers bitnami.com. It should also have SANs that cover myip.bitnami.com and any other variations such as myip2.bitnami.com.

gongomgra commented 3 months ago

Hi @paxan,

Thanks for using Bitnami. It is true that myip.bitnami.com is not covered by any SSL certificate, but it works that way on purpose. Can you give us more information on what you are trying to achieve? If your question or use case is related to your other ticket #1606, please let's move the conversation there.

paxan commented 3 months ago

Just noticed this by accident. If a public server endpoint responds to the TLS protocol, isn't it just the default expectation that it should offer a valid cert? Automation uses this endpoint to obtain the IP address to be used in config scripts. A valid cert prevents various MITM-like attacks.

gongomgra commented 3 months ago

Hi @paxan,

Thanks for the information. As mentioned in the other ticket, I will check it with the rest of the team. We will keep you posted.
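
The hostname check that curl reports failing in the first post, written out as an added example (not part of the thread and not Bitnami's code). It follows RFC 6125-style matching of a hostname against SAN dNSName entries and refuses partial wildcards such as `my*`; the SAN list is an assumption taken from the issue text, and the function names are hypothetical.

```python
# Added example: which hostnames does a certificate's SAN list actually cover?

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(hostname, pattern):
    """True if a single SAN dNSName entry covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard must be the whole left-most label and must sit under
        # at least a two-label suffix (so "*.com" is rejected).
        return len(pat) >= 3 and host[1:] == pat[1:]
    # No wildcard anywhere else, and every label must be equal.
    return "*" not in pattern and host == pat

def uncovered(hostnames, san_dns_names):
    """Hostnames that no SAN entry covers (empty list means all covered)."""
    return [h for h in hostnames
            if not any(dns_name_matches(h, p) for p in san_dns_names)]

# Constructed inputs. CURRENT_SANS is an assumption: the issue states the
# certificate "only covers bitnami.com"; the full SAN list is not shown.
CURRENT_SANS = ["bitnami.com"]
ENDPOINTS = ["myip.bitnami.com", "myip2.bitnami.com"]

if __name__ == "__main__":
    # Both endpoints fail against the certificate as described in the issue.
    print("uncovered today:", uncovered(ENDPOINTS, CURRENT_SANS))
    # Adding a wildcard SAN would cover both one-level subdomains.
    print("with wildcard:", uncovered(ENDPOINTS, CURRENT_SANS + ["*.bitnami.com"]))
    # A wildcard alone covers neither the apex nor deeper names.
    print("wildcard only:",
          uncovered(["bitnami.com", "a.myip.bitnami.com"], ["*.bitnami.com"]))
```

A check like this can run in CI against the SAN list of a certificate before it is deployed, so that a name an automation client depends on is not left uncovered.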