pioneer2.net SSL Cert error

Discussion in 'Technical Support' started by gatesphere, Mar 8, 2020.

  1. gatesphere

    gatesphere Member

    Guildcard:
    42054812
    Firefox 73.0.1 is complaining that the cert for pioneer2.net is only valid for the subdomains www and ephinea. No biggie, just thought I'd point out that the bare pioneer2.net domain isn't serving a valid cert.

    Having set up the Let's Encrypt certs on my own sites/servers, I know it can be tricky to get everything just right :)
     
  2. Sodaboy

    Sodaboy Administrator Staff Member

    Location:
    Benicia, California
    Guildcard:
    11111111
    It has been like this since I got the certificates and I've never considered this as a problem since the plain HTTP just redirects to ephinea.pioneer2.net.

    Anyhow, I've made an adjustment so you don't have to worry about it anymore.
     
    gatesphere and Thomas like this.
  3. gatesphere

    gatesphere Member

    Guildcard:
    42054812
    Hi again,

    The wiki (https://wiki.pioneer2.net/index.php?title=Main_Page) is now reporting SSL_INTERNAL_CERT_ERROR for me, on both Firefox desktop and Firefox for iOS. Safari on iOS doesn't have any issues. Connecting to the wiki over HTTP instead of HTTPS works fine in desktop Firefox, but not Firefox iOS.

    As a unix sysadmin myself, I have a knack for finding these things -- it drives my coworkers nuts. Sorry to keep bugging you! Feel free to ignore me :)
     
  4. Sodaboy

    Sodaboy Administrator Staff Member

    Location:
    Benicia, California
    Guildcard:
    11111111
    You didn’t really find anything.

    The Wiki has never had an SSL certificate on it. Even the link on the home page is regular HTTP.

    We’ll get around to adding a cert sometime, but we have always known it to not be using HTTPS.
     
    gatesphere and Ryan like this.
  5. gatesphere

    gatesphere Member

    Guildcard:
    42054812
    Well, for whatever reason, Firefox on both iOS and Desktop (as of v 74.0) now assumes that the wiki does have a cert, and refuses to connect to it over plain http. It used to work on Firefox 73.1 for desktop.

    I've replicated this result across Windows 10 and Arch Linux, across 4 different machines. And on iOS Firefox.

    Mozilla is getting a bit heavy-handed with their policies.

    EDIT: Additionally, Chrome exhibits similar behavior if you've ever connected to pioneer2.net via https -- the browser seems to remember that pioneer2.net has an https version, and won't allow you to browse to the plain http version of the wiki, even if manually typing in the address -- it automatically redirects. Weird behavior.
     
    Last edited: Mar 18, 2020
  6. Thomas

    Thomas Member

    Location:
    United States
    Guildcard:
    42001434
    I can confirm this is happening on my end as well.
    Removing the S from HTTPS doesn't do anything and forces a redirect to HTTPS on a new Firefox v74 installation. (Tested with no add-ons)

    My Firefox that recently updated to v74 that has accessed the website before has no issues.

    1. Visited pioneer2.net
    2. Clicked "Wiki" button

    Mozilla links this page on "Learn more."
    https://support.mozilla.org/1/firefox/74.0/WINNT/en-US/connection-not-secure

     
    gatesphere likes this.
  7. staphen

    staphen Member

    Guildcard:
    42013252
    FYI, this is happening because of HSTS. Basically, if you hit pioneer2.net without a subdomain, you will end up requesting https://pioneer2.net which returns the following header:

    strict-transport-security: max-age=31536000; includeSubDomains

    This header instructs the browser not to trust http for pioneer2.net and any of its subdomains. So the browser is following this instruction by automatically redirecting the http://wiki.pioneer2.net addresses to https ones.

    As a workaround, affected users can look up how to delete their browser's HSTS settings. Then bypass the request to https://pioneer2.net by accessing one of the subdomains: www.pioneer2.net or ephinea.pioneer2.net.
     
    Thomas and gatesphere like this.
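
The behaviour staphen describes in post 7, as an added example that is not part of the thread and not any browser's own code: a simplified model of an HSTS store showing how the quoted header, once seen on an HTTPS response from pioneer2.net, makes http://wiki.pioneer2.net URLs get rewritten to https before a request is sent. The `HstsStore` class, its method names and the timestamps are assumptions made for illustration.

```javascript
// Parse a Strict-Transport-Security value; returns null if max-age is missing.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const [rawName, rawVal = ""] = part.trim().split("=");
    const name = rawName.toLowerCase(); // directive names are case-insensitive
    const val = rawVal.trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age" && /^\d+$/.test(val)) policy.maxAge = Number(val);
    else if (name === "includesubdomains") policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Simplified model of a browser's HSTS store (hypothetical class, not browser code).
class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a header seen on an HTTPS response from `host` at time `now` (ms).
  note(host, headerValue, now) {
    const p = parseHsts(headerValue);
    if (!p) return;
    if (p.maxAge === 0) { this.hosts.delete(host.toLowerCase()); return; }
    this.hosts.set(host.toLowerCase(),
      { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
  }

  // Return the stored host whose policy covers `host`, or null.
  coveringHost(host, now) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.hosts.get(candidate);
      if (!entry || entry.expires <= now) continue;
      // Exact match always applies; a parent applies only with includeSubDomains.
      if (i === 0 || entry.includeSubDomains) return candidate;
    }
    return null;
  }

  // Rewrite http:// to https:// before any request is sent, as the browser does.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.coveringHost(u.hostname, now)) u.protocol = "https:";
    return u.href;
  }
}

// Constructed scenario: the header quoted in the thread, noted at t = 0.
const store = new HstsStore();
store.note("pioneer2.net", "max-age=31536000; includeSubDomains", 0);
console.log(store.upgrade("http://wiki.pioneer2.net/index.php?title=Main_Page", 1000));
```

A profile that has never received the header from the bare domain has an empty store, which matches the report of an older Firefox profile still reaching the wiki over plain HTTP.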
