https://discussion.fedoraproject.org/t/fedoralinux-org-does-not-support-https/84688

So, we can of course fix this... but I am not sure we want to.

We have a large number of domains that we have registered, but do not currently use for anything.
Nothing should be linking to these domains or using them.

So, they simply redirect to our real domain.

We could get ssl certs for each of them, but... that seems like a lot of effort for not much gain. If we were using or pointing to the domain we would of course make sure it had a valid cert.

How did you find/get to/link to fedoralinux.org ? Is there some document or comment or place pointing you and others to it?

We have a large number of domains that we have registered, but do not currently use for anything.

Where is the list of those?

Nothing should be linking to these domains or using them.

I agree with many other domains, but fedoralinux.org is good when referring only to Fedora Linux.

We could get ssl certs for each of them, but... that seems like a lot of effort for not much gain. If we were using or pointing to the domain we would of course make sure it had a valid cert.

Adding certs to them is pretty trivial.

How did you find/get to/link to fedoralinux.org ? Is there some document or comment or place pointing you and others to it?

From one Discord chat.

I don't think this is a bug. We don't recommend using fedoralinux.org. I didn't even know that existed. People should use our official websites/URLs. Those have proper SSL certificates. If someone is giving this out in Discord, you might want to let them know that is not the right URL.

We could get ssl certs for each of them, but... that seems like a lot of effort for not much gain. If we were using or pointing to the domain we would of course make sure it had a valid cert.

As suggested on IRC recently regarding a very similar redirect, why not redirect by DNS CNAME rather than HTTP?

That way you wouldn't need to maintain a bunch of SSL certs and it would also prevent users from bookmarking outdated URLs.

I might be missing something. It's been some time since I last wrangled with domains and websites.

You can only do that for hosts on a domain and not the base domain. So
www.fedoralinux.org-> CNAME -> wildcard.fedoraproject.org

fedoralinux.org needs to be an A record.

What about to set all the alternative domains to HTTP only (no HTTPS) only for the purpose of having a 301 redirect to https://fedoraproject.org/ ?
Users with always-HTTPS-only mode will still see a warning, but this time it will just say that the site doesn't support HTTPS and ask them if they want to continue. It seems better than a warning about a potentially compromised website.

Otherwise, can the SSL fedoraproject.org certificate be modified to be a multi-domain certificate?
https://docs.digicert.com/en/certcentral/manage-certificates/reissue-an-ssl-tls-certificate/add-sans-to-your-multi-domain-ssl-tls-certificate.html

Yeah, I got that wrong. Thanks for correcting me @smooge.

fedoralinux.org needs to be an A record.

Not sure it needs to be. But the browser would connect to whatever IP address the DNS name resolves to and expect a matching cert being offered.

Otherwise, can the SSL fedoraproject.org certificate be modified to be a multi-domain certificate?

I don't think Let's Encrypt, the current CA, supports multi domain certs. It's easy enough to renew the certs using the ACME tools. But I think eventually we would like to get rid of outdated, unused domains.

What about to set all the alternative domains to HTTP only (no HTTPS) only for the purpose of having a 301 redirect

That sounds good. Although, I'm not sure if that's easy to setup. I believe all the domains end up on the same proxy servers. Probably best to have someone from infra, who is more familiar, answer that.

Otherwise, can the SSL fedoraproject.org certificate be modified to be a multi-domain certificate?

I don't think Let's Encrypt, the current CA, supports multi domain certs. It's easy enough to renew the certs using the ACME tools. But I think eventually we would like to get rid of outdated, unused domains.

certbot -d let specify multiple domains for the same cert.

Our *.fedoraproject.org cert is not issued from letsencrypt. It's a digicert cert. This is so we can make it compliant for FUTURE crypto policies (since mirrors.fedoraproject.org uses it).

I don't really want to mess with it for this.

I could look at getting a new multidomain cert for these domains. Still seems a waste of time, but I guess less so if it's just one cert.

Would it make sense if we did this to rethink how these get done? Currently we have an added section to our proxies to deal with all these domains in order to get them right. The proxy system is complicated as it is, and adding more certs or domains will not make it easier. Maybe set up a single usage vm which has letsencrypt certs for said domains and just does a set of redirects?

http://foobar.foo -> https://foobar.foo -> https://getfedora.org/

This divorces the two systems apart and could allow for a bit less complexity in playbooks and such.

How about a radical proposal: we stop resolving these domains we don't use.

If we resolve them, serve them from our web servers (even a redirect) and get them valid ssl certs, people will use them. Then, if we try and use them for something else down the road, we will 'break' all the people who have been using them.

I think the domains have to have an A record to be 'legitimate' and not be taken over by some other party. Maybe it would be better to hand them all back to Red Hat for their redirect/protection tool and Infra gets out of dealing with these tickets :smile:

I don't think thats the case.

I just pushed out an update to fedoralinux.org that is valid and we still answer for it, but has no A records.

It seems to work here...

All parked zones have been updated to not have A records in them.