[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Bad-cert-domain on https://lua-users.org/lists/lua-l/
- From: Rob Kendrick <rjek@...>
- Date: Wed, 21 Jun 2023 23:13:59 +0100
On Wed, Jun 21, 2023 at 09:03:50PM +0000, David Favro wrote:
> On June 21, 2023 7:43:42 AM UTC, Rob Kendrick <rjek@rjek.com> wrote:
>
> > The problem with preventing the error is that it would require a
> > dedicated IP address just for lua-users.org:
>
> In fact, this has not been true for a very long time [1]. Just add lua-users.org (and as many other domains as you like, provided you control them) to the SubjectAltName field of the TLS (X.509) certificate: they can then all be served with the same certificate, including all from the same IP address. The cert can be had for free from Let's Encrypt [2].
The problem is that I don't control lua-users.org - it is not my
business to be requesting TLS certificates for a domain that is not
mine and I do not control. The dedicated IP fix would be such that the
IP does not listen on port 443.
And that's ignoring the fact that the Pepperfish infrastructure for
Lets's Encrypt automation is DNS-based and not HTTP-based, and we have
never hosted the lua-users.org DNS. (Unlike lua.org, and we provide it
for plenty of domains that do not listen on HTTPS.)
lua-users.org does not as it stands do TLS (and never has): any web
browser, search engine, plugin that assumes it does is broken and there
is literaly nothing I can do about that.
B.
