#4668 Sometimes the wrong certificate is used for till.id.fedoraproject.org
Closed: Fixed None Opened 9 years ago by till.

= bug description =
When I access https://till.id.fedoraproject.org the certificate does not match sometimes:

good:
{{{
$ curl -vi https://till.id.fedoraproject.org
* Rebuilt URL to: https://till.id.fedoraproject.org/
* Hostname was NOT found in DNS cache
* Trying 2607:f188::dead:beef:cafe:fed1...
* Trying 85.236.55.6...
* Connected to till.id.fedoraproject.org (85.236.55.6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.id.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
}}}

bad:
{{{
$ curl -vi https://till.id.fedoraproject.org
* Rebuilt URL to: https://till.id.fedoraproject.org/
* Hostname was NOT found in DNS cache
* Trying 2610:28:3090:3001:dead:beef:cafe:fed3...
* Connected to till.id.fedoraproject.org (2610:28:3090:3001:dead:beef:cafe:fed3) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Apr 22 00:00:00 2014 GMT
* expire date: Apr 26 12:00:00 2017 GMT
* common name: *.fedoraproject.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* Closing connection 0
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
}}}

= bug analysis =
Maybe it is IPv6 related or only affects certain proxies.

= fix recommendation =
Maybe sync ansible/puppet proxy conf or rebuild all puppet proxies with ansible, if the ansible proxies are the good ones.

This was a bug in the ansible proxy playbooks.

Corrected in a958741a5ab9049c45aed55e0d3cd8eeb59073cf

All the proxies should be right now. Thanks for noticing this, it may well have caused various weird id issues people were seeing. ;)
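A per-address check for the symptom reported in this ticket, added here as an example and not taken from the ticket or from the Fedora infrastructure repository. The function names (`wildcard_match`, `names_in_cert`, `probe`, `mismatched`) are hypothetical, and `SAMPLE` is copied from the two curl runs above, using the subject CN as the presented name.

```python
import socket
import ssl

def wildcard_match(pattern, hostname):
    """'*' is honoured only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def names_in_cert(cert):
    """DNS subjectAltNames from ssl.getpeercert(), falling back to the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def probe(host, port=443, timeout=5.0):
    """Handshake with every A/AAAA address of host; return {address: names or error}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by mismatched()
    seen = {}
    for *_, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    seen[ip] = names_in_cert(tls.getpeercert())
        except OSError as exc:  # unreachable address family, TLS failure, timeout
            seen[ip] = exc
    return seen

def mismatched(host, names_by_addr):
    """Addresses whose certificate has no name covering host."""
    return sorted(ip for ip, names in names_by_addr.items()
                  if isinstance(names, list)
                  and not any(wildcard_match(n, host) for n in names))

# The two backends from the curl output in this ticket (address -> subject CN).
SAMPLE = {
    "85.236.55.6": ["*.id.fedoraproject.org"],
    "2610:28:3090:3001:dead:beef:cafe:fed3": ["*.fedoraproject.org"],
}

if __name__ == "__main__":
    host = "till.id.fedoraproject.org"
    print(mismatched(host, SAMPLE))
    # Live check against every resolved address: mismatched(host, probe(host))
```

`*.fedoraproject.org` fails for `till.id.fedoraproject.org` because a wildcard covers a single label, so a proxy serving the parent-domain certificate shows up only when the client happens to land on that address.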
