lua-l archive


On June 21, 2023 7:43:42 AM UTC, Rob Kendrick <rjek@rjek.com> wrote:

> The problem with preventing the error is that it would require a
> dedicated IP address just for lua-users.org:

In fact, this has not been true for a very long time [1].  Just add lua-users.org (and as many other domains as you like, provided you control them) to the SubjectAltName field of the TLS (X.509) certificate: they can then all be served with the same certificate, including all from the same IP address.  The cert can be had for free from Let's Encrypt [2].

It's becoming increasingly hard to keep browsers from redirecting to https, even without an extension.  Rightly or not, it's probably best (and easy) to add an SAN.  Understandable if sys-admin overhead prevents it, but to be clear, it's not a technical (nor financial) impediment.

> the web server is trying to send you an error message saying "nope, no TLS for that hostname" but

Actually, it looks to me like it's sending the real content, not an error page, but using a cert that lacks the correct SAN.  Your browser may (and should) display that as an error.

[1]: Described in RFC 3280 (from 2002), but I'm not sure which version of SSL made it mandatory.

[2]: Why in the world does anyone still pay for certs?

-- David
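
The SubjectAltName point in the message above can be checked mechanically. The following is an added example, not part of the original message or of any lua-users.org configuration: it reports which hostnames served from one IP address are not covered by a certificate's SAN entries, which is the condition a browser flags as an error. The certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`, but their contents and the name `other-site.example` are constructed; matching is simplified to DNS names (no IP SANs, no IDNA).

```python
# Added illustration: which served hostnames does a certificate's
# SubjectAltName cover? Sample certificates below are constructed data.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Match one SAN dNSName entry against a hostname (RFC 6125 style)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard, never "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def san_dns_names(cert):
    """Extract DNS entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

def uncovered_hosts(cert, served_hosts):
    """Return the served hostnames that no SAN entry matches."""
    names = san_dns_names(cert)
    return [host for host in served_hosts
            if not any(dns_name_matches(n, host) for n in names)]

# Hostnames assumed to share one IP address (constructed list).
SERVED = ["lua-users.org", "www.lua-users.org", "other-site.example"]

# Constructed certificate that lacks the lua-users.org names.
CERT_BEFORE = {"subjectAltName": (
    ("DNS", "other-site.example"),
    ("DNS", "*.other-site.example"),
)}

# Same certificate reissued with the extra SAN entries added.
CERT_AFTER = {"subjectAltName": CERT_BEFORE["subjectAltName"] + (
    ("DNS", "lua-users.org"),
    ("DNS", "www.lua-users.org"),
)}

if __name__ == "__main__":
    print("before:", uncovered_hosts(CERT_BEFORE, SERVED))
    print("after: ", uncovered_hosts(CERT_AFTER, SERVED))
```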