Re: [Tails-dev] TLS certificate for git.tails.boum.org

Borrar esta mensaxe

Responder a esta mensaxe
Autor: sajolida
Data:  
Para: The Tails public development discussion list
Asunto: Re: [Tails-dev] TLS certificate for git.tails.boum.org
Adam Burns:
> On 28/01/16 10:55, sycamoreone wrote:
>> flapflap:
>>> I get a certificate warning when visiting https://git.tails.boum.org,
>>> issued by immerda.ch.
>>
>> The certificate served by https://git.tails.boum.org is signed by
>> immerda.ch itself (CN of the issuer is immerda_public_web_4-ca), so it
>> won't be accepted by browser by default.
>
> and tails.boum.org / boum.org use a wildcard certificate *.boum.org
> issued by Gandi


tails.boum.org and boum.org are both hosted by the boum collective, with
their wildcard certificate for boum.org and *.boum.org but not for
*.tails.boum.org.

git.tails.boum.org, or better git-tails.immerda.ch, is hosted by the
immerda collective with their wildcard certificate for immerda.ch and
*.immerda.ch.

If you go on git.tails.boum.org you end up on a machine run by immerda
which displays the immerda certificate.

That's why you should always and only use git-tails.immerda.ch.

>> But this is probably not much of a problem, as I don't believe that site
>> is really for general use: The official place for Tails' Git
>> repositories is https://git-tails.immerda.ch/, which has a proper
>> certificate signed by Gandi Standard SSL CA 2. git.tails.boum.org is
>> only used by "developers with write access to the repositories" (see
>> https://tails.boum.org/contribute/git/).
>>
>> That of course doesn't mean that having a letsencrypt certificate
>> wouldn't be great :).
>
> I guess it depends on what the certificate is intended to be used for. I
> think supporting CA-Cert is also a good thing (tm).
>
> Whatever, I guess documented consistency is important.


Exactly! So my question now is:

Where did you get the git.tails.boum.org URL?

Because that's the problem that needs to be solved and we should replace
it with git-tails.immerda.ch.