:: Re: [DNG] deb.devuan.org - bad cert…
From: Ralph Ronnquist
Date:  
To: dng
Subject: Re: [DNG] deb.devuan.org - bad certificate?
On Thu, Aug 29, 2024 at 05:01:43PM -0400, Dan Purgert via Dng wrote:
> On Aug 30, 2024, onefang wrote:
> > On 2024-08-29 14:05:04, Dan Purgert via Dng wrote:
> > > On Aug 28, 2024, R A Montante, Ph.D. via Dng wrote:
> > > > Hello all,
> > > >
> > > > I'm having an issue doing "sudo apt update" --- it runs very slowly and
> > > > gives the results below.  Does anyone know what's going on?  (There's a 2nd
> > > > copy-paste after this one, BTW).
> > > >
> > > >
> > > > Tried from my school just now (I've highlighted the first lines in red
> > > > because they're so surprising):
> > > >
> > > > > Err:5 http://deb.devuan.org/merged daedalus InRelease
> > > > > Err:6 http://deb.devuan.org/merged daedalus-security InRelease
> > > > > Err:7 http://deb.devuan.org/merged daedalus-updates InRelease
> > > > >  Temporary failure resolving 'deb.devuan.org'
> > >
> > > Your DNS resolver doesn't like deb.devuan.org for some reason or other.
> > >
> > > > So I tried browsing to "deb.rr.devuan.org" (the CNAME) and got this error
> > > > message (I highlighted the certificate problem in red):
> > > >
> > > > >
> > > > > Warning: Potential Security Risk Ahead
> > > > >
> > > > > Firefox detected a potential security threat and did not continue to
> > > > > *deb.rr.devuan.org*. If you visit this site, attackers could try to
> > > > > steal information like your passwords, emails, or credit card details.
> > >
> > > Testing with FF here causes FF to whine because it's http:// not
> > > https:// (which is a non-issue for repos anyway, as packages are checked
> > > against GPG-signed hashes).
> > >
> > > IN OTHER WORDS -->> the big scary warning is fallout from the "HTTPS
> > > Everywhere" movement pushed by Google et al. about a decade ago. Well,
> > > at least I think that was what people were calling it; quick check at
> > > wikipedia says it was just a plugin for browsers pushed by the EFF.
> > >
> > > If I force https:// ; then I get a cert error for a LE cert applied for
> > > various "rrq.au" domains. I'd assume it's just apache falling through
> > > to whatever cert it has available, rather than any malice.
> >
> > deb.devuan.org is a DNS round robin (DNS-RR), mirror.rrq.au was recently
> > added to it. So sometimes you'll get the IPs of rrq's mirror when you
> > ask for deb.devuan.org, sometimes you'll get one of the other mirrors.
> >
> > deb.devuan.org can't have a HTTPS cert, coz it would have to be shared
> > with all the package mirrors in the DNS-RR.
>
> I seem to have edited out quite a bit more than I had intended to with
> regards to *why* the cname hosts wouldn't have certs for deb.devuan.org
> either (oops :( ).
>
> > Last I checked rrq's mirror doesn't support HTTPS, but he may have
> > changed that.
>
> Well, it "works" (or at least falls through and presents the cert with a
> bunch of his other domains anyway :) )
>
> >
> > > Pretty sure 'rrq' is a semi-frequent commenter here, so perhaps he'll
> > > see it and chime in.
> >
> > rrq is one of our Devuan developers, and does indeed comment here.
>
> I thought he did something like that; but made a similar mistake with
> someone else using a 3-letter nickname on IRC a few weeks ago (oops)


Hmm. I'm not sure how you link up the domain "deb.devuan.org" with a
certificate of mine.

Yes, the same host is set up with http virtual service for
"deb.devuan.org", "mirror.rrq.au" and in fact "*.mirror.rrq.au" (i.e.
http only) and https virtual service of a few other, unrelated
domains such as e.g. "deb.rrq.au", "git.rrq.au" and "transfer.rrq.au".

But host "owner" (renter) and domain "owner" (renter) are two totally
different things. The deb.devuan.org owner does not own all the hosts
serving that domain, and all those various hosts serving that domain
for mirroring purpose cannot purport owning the domain.

Which domain did you access when getting that certificate?

An https access to the host with any other domain than those having
virtual services should not result in any of their certificates being
offered for that other domain. If that has happened I have
misconfigured the server (nginx front-end). It is I suppose one of my
superpowers to misconfigure servers, but I thought I had mta.rrq.au
fairly tight, nice and tidy :)

Ralph

>
> --
> |_|O|_|
> |_|_|O| Github: https://github.com/dpurgert
> |O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860




> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
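The behaviour Ralph describes (an https request for a name that has no https virtual service should not be answered with some other domain's certificate) depends on how the nginx front-end picks a server block when the SNI name matches nothing. The following is an added illustration, not the mirror's actual configuration; the certificate paths, document root and vhost names beyond those mentioned in the thread are assumptions. It shows the fall-through that produces the "rrq.au" certificate Dan saw, next to the catch-all that refuses the handshake instead.

```nginx
# Added example (not the real mirror config). Illustrates why an https
# request for a name this host only serves over http can be answered
# with an unrelated certificate, and how to stop that.

# Plain-http mirror vhost for the round-robin names. apt verifies the
# GPG signature on InRelease, so TLS is not required for the mirror.
server {
    listen 80;
    server_name deb.devuan.org mirror.rrq.au *.mirror.rrq.au;
    root /srv/mirror;                                  # assumed path
}

# WEAK: nothing on :443 is marked default_server, so nginx uses the
# FIRST server block listening on :443 for any SNI name it does not
# recognise. A browser asking for https://deb.rr.devuan.org/ therefore
# gets deb.rrq.au's certificate and reports a name mismatch.
server {
    listen 443 ssl;
    server_name deb.rrq.au;
    ssl_certificate     /etc/letsencrypt/live/deb.rrq.au/fullchain.pem;  # assumed
    ssl_certificate_key /etc/letsencrypt/live/deb.rrq.au/privkey.pem;    # assumed
    root /srv/deb.rrq.au;                              # assumed path
}

# CORRECTED: an explicit catch-all for :443 that refuses the TLS
# handshake for every name without its own https vhost. No certificate
# is needed in this block. ssl_reject_handshake requires nginx 1.19.4+;
# on older versions use a self-signed placeholder certificate here
# instead, so that no real domain's certificate is ever offered.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

To check a mirror from outside, connect to one of the round-robin addresses with an explicit SNI name and look at what comes back, for example `openssl s_client -connect <mirror-ip>:443 -servername deb.rr.devuan.org </dev/null | openssl x509 -noout -subject -ext subjectAltName`. With the weak layout this prints the first vhost's certificate and its SAN list (none of which is deb.rr.devuan.org); with the catch-all in place the handshake is rejected before any certificate is sent, which is the correct outcome for a name the host does not claim to own.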