Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#2270 closed defect (fixed)

HTTPS broken for gdal.org and mapserver.org due to certificate issue

Reported by: rouault
Owned by: sac@…
Priority: critical
Milestone:
Component: Systems Admin
Keywords:
Cc:

Description

All in the title. Firefox refuses to access them. wget is also broken:

$ LC_ALL=C wget http://gdal.org/gdalicon.png
--2019-03-30 23:14:32--  http://gdal.org/gdalicon.png
Resolving gdal.org (gdal.org)... 140.211.15.3
Connecting to gdal.org (gdal.org)|140.211.15.3|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://gdal.org/gdalicon.png [following]
--2019-03-30 23:14:32--  https://gdal.org/gdalicon.png
Connecting to gdal.org (gdal.org)|140.211.15.3|:443... connected.
ERROR: no certificate subject alternative name matches
	requested host name 'gdal.org'.
To connect to gdal.org insecurely, use `--no-check-certificate'.

Change History (12)

comment:1 Changed 8 months ago by rouault

Summary: changed from "HTTPS broken for gdal.org and mapserver.org due to SSL issue" to "HTTPS broken for gdal.org and mapserver.org due to certificate issue"

comment:2 Changed 8 months ago by wildintellect

Probably due to ticket #2256 upgrades to cert bot.

comment:3 Changed 8 months ago by rouault

Interestingly, https://www.gdal.org works (with www.), but https://gdal.org used to work

comment:4 Changed 8 months ago by robe

On it now. Sorry Even, it seemed fine when I checked after the change.

comment:5 Changed 8 months ago by robe

Resolution: fixed
Status: new → closed

For some reason it was trying to use the www.gdal.org one. I reinstalled the cert and both gdal.org and www.gdal.org seem fine now from my end.

comment:6 Changed 8 months ago by robe

Just fixed mapserver.org too. I'll go thru the others to make sure they are still okay.

comment:7 Changed 8 months ago by rouault

Resolution: fixed
Status: closed → reopened

Regina, I confirm that https://gdal.org/ now works, but https://www.gdal.org/ and https://mapserver.org/ still have broken certificates here.

comment:8 Changed 8 months ago by robe

Alright something is going on. Let me try to troubleshoot the configs.

I saw mapserver.org was broken and then fixed it, but it appears to be broken again.

www.gdal.org seems fine though - redirects to gdal.org for me.

It might be left over from the old certbot I removed, like some apache plugin thing.

comment:9 Changed 8 months ago by robe

Okay, I figured out what is going on. These sites all have the same conf file, and Let's Encrypt, when I do a cert for the next, replaces the cert that was there.

So cert of the umn. broke the mapserver.org.

I'm going to split these out into separate confs so this doesn't happen again.

comment:10 Changed 8 months ago by robe

Okay, I decided not to split them and instead recert them together, so they share the same cert, with the below commands:

certbot-auto -d mapserver.org -d www.mapserver.org -d mapserver.gis.umn.edu -d www3.mapserver.org

certbot-auto -d gdal.org -d www.gdal.org

certbot-auto -d geotools.org -d www.geotools.org

That seems to work. I still need to purge the old certs so they don't bother renewing. I'll do that and then close this out. At a glance mapserver.org and gdal.org appear to be the only ones that have multiple domains in the apache config besides openlayers.

comment:11 Changed 8 months ago by robe

Resolution: fixed
Status: reopened → closed

Okay, so all should be good now, and I deleted the redundant ssls that got created so there aren't multiple for each mapserver, gdal, geotools combo.

If you still see issues let me know.

comment:12 Changed 8 months ago by rouault

Everything is fine now. Thanks!
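
Added example, not part of the ticket or of any OSGeo tooling: a Python check that every hostname named in the certbot-auto commands of comment:10 is covered by a subjectAltName of the certificate served for it, which is the condition wget reported as failing. The function names and the stand-in fetcher are constructed for illustration.

```python
import socket
import ssl

# Name groups taken from the certbot-auto commands in comment:10.
GROUPS = [
    ["mapserver.org", "www.mapserver.org", "mapserver.gis.umn.edu", "www3.mapserver.org"],
    ["gdal.org", "www.gdal.org"],
    ["geotools.org", "www.geotools.org"],
]

def san_dns_names(cert):
    """DNS entries from the subjectAltName of an ssl getpeercert() dict."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(host, pattern):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def fetch_sans(host, port=443, timeout=5.0):
    """SANs of the certificate served for `host` via SNI. The chain is still
    validated; only the hostname check is off, so a mismatching certificate
    can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return san_dns_names(tls.getpeercert())

def audit(groups, fetch=fetch_sans):
    """Return {host: SANs served} for every host its own certificate does not cover."""
    bad = {}
    for names in groups:
        for host in names:
            sans = fetch(host)
            if not any(name_matches(host, p) for p in sans):
                bad[host] = sans
    return bad

if __name__ == "__main__":
    # Constructed stand-in for the state in comment:5: one shared vhost
    # answering for both gdal.org names with a certificate for www.gdal.org only.
    broken = lambda host: ["www.gdal.org"]
    print(audit([GROUPS[1]], fetch=broken))  # flags gdal.org
    # Live check against the real hosts (needs network): print(audit(GROUPS))
```

Running the audit after every issuance or renewal that touches a shared Apache conf catches a replaced certificate before browsers do.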
