[vim/vim] www.vim.org website certificate expired (Issue #13079)
Matthias Hörmann
Steps to reproduce
Go to https://www.vim.org
See certificate error
Expected behaviour
Valid certificate
Version of Vim
N/A
Environment
N/A
Logs and stack traces
Certificate expiry section of the Let's Encrypt certificate, presumably the ACME-client didn't manage to get a new one
Not Before Sat, 10 Jun 2023 04:38:43 GMT
Not After Fri, 08 Sep 2023 04:38:42 GMT—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Christian Brabandt
yeah, something strange is going on. If you reload the page, chances are, you get to the site and the cert is also valid 🤷
See also discussed here: https://groups.google.com/g/vim_dev/c/YAy0EbfpjD0/m/pdlsrWaNEQAJ
I suspect something wrong with OSDN or such. Not sure how to fix it, other than finally moving vim.org homepage.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
Christian Brabandt
I have opened a ticket with support about this.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
stefanos
Works on my side via Firefox-ESR 115.2.0esr (64-bit):
Not Before Sat, 26 Aug 2023 23:34:41 GMT
Not After Fri, 24 Nov 2023 23:34:40 GMT
Seems like the Apache settings are a bit messed up...
stefanos@debian:~ $ curl -IL vim.org
curl: (6) Could not resolve host: vim.org
stefanos@debian:~ $ curl -IL www.vim.org
HTTP/1.1 302 Found
Date: Tue, 12 Sep 2023 22:10:38 GMT
Server: Apache/2.4.10 (Debian)
Location: https://www.vim.org/
Content-Type: text/html; charset=iso-8859-1
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
stefanos@debian:~ $ curl -IL http://www.vim.org
HTTP/1.1 302 Found
Date: Tue, 12 Sep 2023 22:10:47 GMT
Server: Apache/2.4.10 (Debian)
Location: https://www.vim.org/
Content-Type: text/html; charset=iso-8859-1
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
stefanos@debian:~ $ curl -IL https://vim.org
curl: (6) Could not resolve host: vim.org
stefanos@debian:~ $ curl -IL https://www.vim.org
HTTP/1.1 200 OK
Date: Tue, 12 Sep 2023 22:11:03 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html
Content-Language: ja
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
stefanos
Could it be a missing domain setting via certbot that system admin forgot to add, so the necessary certificate would have gotten generated the first place, via certbot -d vim.org -d www.vim.org?
That's a plausible scenario... 🤔
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
now it is totally not working
Firefox detected an issue and did not continue to www.vim.org. The website is either misconfigured or your computer clock is set to the wrong time.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
stefanos
I have just tested it via elinks and this is what I get from http://www.vim.org
So, as you can see, there's a database problem being reported.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Saquib Akhtar
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
21/09/2023 18:12.41 /home/mobaxterm curl -IL https://www.vim.org -k
HTTP/1.1 200 OK
Date: Thu, 21 Sep 2023 12:42:48 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html
Content-Language: ja
21/09/2023 18:12.48 /home/mobaxterm dig -t a vim.org
; <<>> DiG 9.11.5-P4 <<>> -t a vim.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vim.org. IN A
;; AUTHORITY SECTION:
vim.org. 393 IN SOA ns.42.org. sec.42.org. 2023072100 28800 3600 864000 57600
;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 21 18:13:15 IST 2023
;; MSG SIZE rcvd: 82
✓
21/09/2023 18:13.15 /home/mobaxterm dig -t a www.vim.org
; <<>> DiG 9.11.5-P4 <<>> -t a www.vim.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55082
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.vim.org. IN A
;; ANSWER SECTION:
www.vim.org. 4643 IN CNAME vhost.osdn.jp.
vhost.osdn.jp. 21554 IN CNAME vhost.osdn.io.
vhost.osdn.io. 14 IN A 44.237.4.221
;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 21 18:13:26 IST 2023
;; MSG SIZE rcvd: 110
✓
21/09/2023 18:13.26 /home/mobaxterm openssl s_client -servername www.vim.org -connect www.vim.org:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 10 04:38:43 2023 GMT
notAfter=Sep 8 04:38:42 2023 GMT
Christian Brabandt
yes, working on getting a better hosting soon: https://groups.google.com/g/vim_announce/c/itcFF4DNj4A
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
i donot understand how's this related to db, seems you are using http.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Christian Brabandt
even if you are lucky enough and connect to http://www.vim.org you won't be able to login, because then the database has another issue :(
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
// if gave me access, i may help to check :lol:
--
shane.xb.qian
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
googlemail also blocked my mail to maillist, repaste here:
was that ok if just renew the cert? not sure who's in charge of oschina, if that required some admin from there, perhaps just call them, i may help if gave me a their admin contact num, :-) // i can speak Chinese (Mandarin) :lol:
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;vim.org. IN A
;; AUTHORITY SECTION:
vim.org. 187 IN SOA ns.42.org. sec.42.org. 2023072100 28800 3600 864000 57600
;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Sep 21 21:38:49 HKT 2023
;; MSG SIZE rcvd: 82
SOA looks stands for service out available?
currently vim.org is a unreachable domain.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Matthias Hörmann
No SOA stands for State of Authority which is the central record type with the metadata for every DNS zone.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Shane-XB-Qian
ok, ping and curl saying it is service out available.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Michael Han
A Japanese user is reporting that instabilities have been observed with OSDN-hosted sites after the OSChina took over OSDN, and that many projects are moving over to SourceForge (or GitHub). I don't think SourceForge offers a type of hosting service that OSDN had offered(VPS?), but I guess we'll see. Aren't there other options besides SourceForge or GitHub for dedicated hosting?
Ref: https://forest.watch.impress.co.jp/docs/serial/yajiuma/1520801.html
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
SAQUIB AKHTAR
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to a topic in the Google Groups "vim_dev" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vim_dev/SsXNsBhfIRM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vim_dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/vim/vim/issues/13079/1729907155%40github.com.
Christian Brabandt
This should be fixed now since we have been moved to a new hosting provider. See the announcements on the vim_announce list
the ssl cert should also work now.
so I am closing this now.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Christian Brabandt
Closed #13079 as completed.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
Christian Brabandt
Closed #13079 as completed.
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
SAQUIB AKHTAR
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to a topic in the Google Groups "vim_dev" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vim_dev/SsXNsBhfIRM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vim_dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/vim/vim/issues/13079/1736748333%40github.com.
Marvin Renich
> provider. Everything now works fine. But vim.org --->does not resolves or
> redirects to www.vim.org , can someone fix this by adding 1 CNAME in DNS ?
convince Bram to do this. Bram was adamant that he would not. vim.org
is a domain, not a host, and the host serving the Vim website is
www.vim.org. (In DNS RFC parlance, a host name is also a domain name,
but not necessarily the other way around.)
This is an organizational decision of those running the domain; there is
nothing, such as an HTTP standard, that requires or even encourages what
you are asking. If the current Vim website managers want to make
vim.org redirect to www.vim.org, there is nothing wrong with that, but
it is entirely their decision.
I have no opinion one way or the other on this. I supported Bram in the
past, and will support the new maintainers whichever way they go. If
they do want to make vim.org redirect, the rest of this message is
important.
According to the relevant RFCs (1034 and 1035), a CNAME must not be used
at the apex of a zone (e.g. vim.org), so your proposed implementation is
wrong (i.e. non-compliant).
The alias (left side of the CNAME in a zone file) cannot have any other
records associated with it (e.g. it must not be the name of an SOA, MX,
SRV, or other record).
If the current maintainers decide to do this, there are a few ways, but
there is really only one viable way if they wish to keep the canonical
name of the web server as www.vim.org:
Add an A (and possibly AAAA) record for vim.org, and run a small
HTTP/HTTPS server that redirects to www.vim.org.
The IP address(es) for vim.org can be the same as www.vim.org if the web
server handles virtual domains correctly. It should respond with a
redirect (preferably 301 rather than 302) to handle browser history and
caching correctly.
If the website maintainers would like to change the canonical URI to
vim.org, with www.vim.org redirecting to that, use the above method,
just changing which host is redirected to the other.
Another way (of changing the canonical to vim.org) would be to give
vim.org the IP address(es) and have www.vim.org be the CNAME alias.
This is standards-compliant, whereas having vim.org be the CNAME alias
is not. One problem with using a CNAME is that the web browser is
unaware of it; the DNS resolver simply returns the IP address for the
canonical name of the alias that it was told to look up. This
effectively results in two different web sites with identical content.
Think about how your browser handles this. If you go to
www.vim.org/about.php, and also to vim.org/about.php, the browser
considers these to be two different pages. History and cache treat
these as different pages.
Using CNAME should be avoided when possible. It generally has
non-obvious side effects, like the browser history and cache above. If
you really want to have two names where one is an alias for the other,
and both hames are in the same zone, simply use duplicate A and AAAA
records with different names and the same IP addresses. This can have
some of the same problems as CNAMEs (e.g. if the web server serves the
same site from both names without redirection), but avoids extra DNS
traffic to resolve the CNAME and then resolve the A record for the
response.
If an alias and a canonical name are in the same zone, use multiple
address records rather than a CNAME record.
If you still think you want a CNAME record, read the above two
paragraphs again, and then reread this paragraph and follow its
directions.
...Marvin