Re: [Savannah-users] savannah.gnu.org certificate expired?

[Bob Proulx]

James Cloos wrote:
> >>>>> "BP" == Bob Proulx writes:
> 
> BP> Nico obtained a new SSL certificate from Gandi for us.  I have
> BP> installed it on the frontend.  All looks good to me.  Good to go
> BP> for another year!
> 
> I can't remember for certain whether they used to work, and don't
> know whether gandi would have been willing to include them in the
> subjectAltName, but the aliases sv.gnu.org and sv.nongnu.org are
> not coverred by the new certs.

First I should say that I didn't look previously and so I don't
actually know if https://sv.gnu.org/ reported a valid certificate or
not.  But as far as I can see they should not have been covered
previously.  I don't think this is a change.  I also don't think it is
in the plan to have sv.{non,}gnu.org work for https.

In order to support sv.gnu.org and sv.nongnu.org it would need four
total certificates.  And the Apache config would also need the setup
to have each of those serve the right certificate.  It has only been
set up for two for years.

I still have a dump from the previous certificates.  They are
specifically savannah.gnu.org and one for savannah.nongnu.org.  The
old certificates were replaced with new ones and so there are still
the same two names supported.  They were not wildcard certificates.

Additional if you actually try to log in using sv.{non,}gnu.org then
Savane complains of cookie problems.

And so I will say thanks for noting that corner case but I think that
is all as it is expected to be because it is not expected to use
either of those names.

Bob