Handle SSL certificate verifications for others than Let's Encrypt #8182

Merged
merged 1 commit into from
Feb 6, 2018

robert-scheck

Do no longer (wrongly) rewrite URLs like

  * http://example.net/.well-known/pki-validation/file.txt (Comodo)
  * http://example.net/.well-known/pki-validation/fileauth.txt (DigiCert, Thawte, GeoTrust)
  * http://example.net/.well-known/pki-validation/gsdv.txt (GlobalSign)
  * http://example.net/.well-known/pki-validation/starfield.htm (Starfield, GoDaddy)
  * http://example.net/.well-known/pki-validation/swisssign-check.txt (SwissSign)

for automated SSL certificate verifications. All (common commercial)
certificate authorities (CA) except Let's Encrypt (via ACME) seem to
use "pki-validation" rather than "acme-challenge" for their domain control
validation (DCV).

Signed-off-by: Robert Scheck <robert@fedoraproject.org>
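
A small model of the behaviour this commit message describes, added here as an example and not taken from the pull request or the Nextcloud code base: it checks which of the listed DCV URLs would be swallowed by a front-controller rewrite when only `acme-challenge` is exempt, and when `pki-validation` is exempt as well. The two regular expressions, the `acme-challenge/token` sample path, and the helper names `served_as_static` and `rewritten` are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed exemption patterns (illustrative, not copied from the Nextcloud source):
# a request whose path matches the pattern bypasses the front-controller rewrite.
ACME_ONLY = re.compile(r"^/\.well-known/acme-challenge/.+")
ACME_AND_PKI = re.compile(r"^/\.well-known/(acme-challenge|pki-validation)/.+")

# DCV URLs listed in the commit message above.
DCV_URLS = [
    "http://example.net/.well-known/pki-validation/file.txt",
    "http://example.net/.well-known/pki-validation/fileauth.txt",
    "http://example.net/.well-known/pki-validation/gsdv.txt",
    "http://example.net/.well-known/pki-validation/starfield.htm",
    "http://example.net/.well-known/pki-validation/swisssign-check.txt",
]


def served_as_static(url, exempt):
    """Return True if the request bypasses the rewrite and reaches the file."""
    path = urlsplit(url).path
    # Refuse dot-segments and doubled slashes instead of trusting the server
    # to normalise them, so nothing else can ride on the exempt prefix.
    if path != posixpath.normpath(path):
        return False
    return exempt.match(path) is not None


def rewritten(urls, exempt):
    """URLs the front controller would swallow, i.e. DCV checks that would fail."""
    return [u for u in urls if not served_as_static(u, exempt)]


if __name__ == "__main__":
    print("acme-only exemption rewrites:", len(rewritten(DCV_URLS, ACME_ONLY)))
    print("acme+pki exemption rewrites:", len(rewritten(DCV_URLS, ACME_AND_PKI)))
```

The exemption is anchored to the two directory names followed by a slash, so a lookalike directory such as `pki-validationX` still goes through the application.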
@rullzer
Member

rullzer commented Feb 6, 2018

I'm still not at all a fan of this. IMO this kind of stuff has to be taken care of at the webserver level.

@robert-scheck
Contributor Author

Once you are running Nextcloud on a shared webhosting system, the customer/user is not able to do this on webserver level. Given there is already an exception for Let's Encrypt, I would like to see other CAs not to be disadvantaged at least.

@nickvergessen
Member

Fine by me

@robert-scheck
Contributor Author

Btw, PR #8183 is the backport to Nextcloud 13.x, PR #8184 is the backport to Nextcloud 12.x.

@MorrisJobke
Member

The phan failure is fixed in master -> merging.

@MorrisJobke MorrisJobke closed this Feb 6, 2018
@MorrisJobke MorrisJobke reopened this Feb 6, 2018
@MorrisJobke MorrisJobke merged commit 27f5056 into nextcloud:master Feb 6, 2018
Labels: 3. to review, bug