https://demo.reviewboard.org/ has broken ssl certificate

[Paul Mansfield]

If you're going to enforce HSTS you need to keep the cert up to date because it entirely breaks access to the site when it expires

Your connection is not private

Attackers might be trying to steal your information from demo.reviewboard.org (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_COMMON_NAME_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy Policy

ReloadHide advanced

demo.reviewboard.org normally uses encryption to protect your information. When Google Chrome tried to connect to demo.reviewboard.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be demo.reviewboard.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit demo.reviewboard.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

[Christian Hammond]

Oof. Thanks for letting me know. Looks like some form of configuration issue, which I'm trying to diagnose. The cert coming across is for the wrong subdomain, but only Chrome is hitting this error for me -- Firefox is not having any issues.

I'll have this up and running once I know what's going on.

Christian

--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "Review Board Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/reviewboard/0598b2c0-3a79-4381-8161-0492362dc0f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Christian Hammond

President/CEO of Beanbag

Makers of Review Board

[Christian Hammond]

Should be taken care of. We had a bad rule in a config file. Make sure you're accessing using http:// and not https://, though. I'll explain why.

We don't use SSL for demo.reviewboard.org at this time. This is partly to continue supporting people contributing patches who are running on versions of Python that don't support SNI (resulting in posts to reviews.reviewboard.org sometimes going to demo.reviewboard.org or vice-versa, as both are hosted on the same IP). We're hoping we can drop support for those users soon, but we're not there yet. To help deal with this, demo.reviewboard.org doesn't take real account credentials -- we generate a guest username and password people are expected to use to log in. And of course, posting anything confidential to a public demo server is not a good idea.

Christian

[Paul Mansfield]

starting at https://www.reviewboard.org/

I click demo down in the bottom nav bar. that link is for http://demo.reviewboard.org/ but it still gets redirected/bounced via www.reviewboard.com to the https demo.reviewboard.com

I don't think Firefox honours HSTS?

[Christian Hammond]

Unfortunately, you might have to clear reviewboard.org/demo.reviewboard.org from your HSTS cache in chrome://net-internals/#hsts. Clearing mine solved the redirect locally. It's too bad that Chrome caches it even though the end result is invalid... Though I get why.

Christian

--

Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "Review Board Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/reviewboard/0d9aeebf-2fa4-4175-8bbb-5db36483f816%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Paul Mansfield]

yes, that worked. the UI in Chrome for controlling HSTS is quite primitive, but did allow me to enter each domain in turn and delete from the cache.