Bad certificate for https://projectatomic.io and bad redirect

[jlebon]

Accessing https://projectatomic.io yields the following in Firefox:

projectatomic.io uses an invalid security certificate.

The certificate is only valid for the following names
 *.redhat.com, redhat.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

The www variant does have a properly signed certificate however.

---

Additionally, even if we add an exception for the above, we get redirected to http://www.projectatomic.io/ rather than https://www.projectatomic.io/

[jberkus]

@garrett ?

[scovl]

@jberkus @jlebon
Here everything is ok.
It could have been something related to renewal of ssl certification, I believe.
Issue closed please ;)

[jlebon]

Hmm, still getting SSL_ERROR_BAD_CERT_DOMAIN here.

[cgwalters]

I think it's always been broken this way. AFAIK the site is hosted in OpenShift v2...hopefully soon we can cut over.

[scovl]

See it https://www.ssllabs.com/ssltest/analyze.html?d=www.projectatomic.io

[jberkus]

Yah, we don't have a solution for this yet.

[gtirloni]

It seems both sites are pointing to different places:

$ dig +short projectatomic.io
209.132.183.105

$ dig +short www.projectatomic.io
test-atomicproject.rhcloud.com.
ex-std-node676.prod.rhcloud.com.
ec2-54-175-82-185.compute-1.amazonaws.com.
54.175.82.185

[jberkus]

@mscherer ?

[mscherer]

So, sorry, forgot about this one.

So that's a consequence of the limitation of the openshift hosting, and various RFC.

Openshift online v2 requires to have the domain of the website (www.projectatomic.io) to point a CNAME (ie,test-atomicproject.rhcloud.com) , so the "gear" (ie, the container) can be moved around automatically (since the rhcloud.com is under the control of openshift v2).

Various RFCs requires that the apex of the domain (ie, projectatomic.io) can't be a CNAME (cf https://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain ).

So we can't have projectatomic.io as a alias on the httpd hosting on openshift.

In turn, that mean we have to point to a A record, and in this case, RH IT has a redirection service, called redirect.redhat.com, on 209.132.183.105.

So what was setup was that projectatomic.io would redirect to www, using that service, and that we should use www.projectatomic.io for everything.

Now, the problem is that the server on redirect.redhat.com is under RH IT control. I am not sure what it is running right now, besides "bigIP F5", and what version, and what does it support (ie, does it support SNI, yes, does it support SNI on the version we have, no idea).

So someone should go ask to IT if they can add SNI there, and get a certificate.

[mscherer]

So now we migrated to openshift v3 and since the hw doing redirection got upgraded, I did ask to IT about it. If they can't offer the service, I will be looking with my team to setup a redirector on our DC.