Hey all,
Not sure who is responsible for this, or whether it is a known issue..
but donate.wikimedia.org.uk is throwing up a "Are you sure you want to visit this site" error (yup that red error page!) in Google Chrome due to an SSL certificate error.
The certificate is signed for directdebit.wikimedia.org.uk, not donate.wikimedia.org.uk, so the browser considers it untrusted.
Cheers, Tom
Yes, it's a known issue that I haven't gotten to the bottom of yet. Basically we have two SSL certificates for the two subdomains, but the server assumes that one of them is the default one and uses that for all of the subdomains. I suspect we need to buy a wildcard SSL certificate to cover the whole of the wikimedia.org.uk domain, but we haven't done that yet because a) they're expensive and b) I'd like to investigate the problem more first to ensure that this would definitely fix the issue.
If anyone's particularly knowledgeable about SSL certificates and their various nuances, please get in touch.
Thanks, Mike
On 4 May 2012, at 12:58, Thomas Morton wrote:
Hey all,
Not sure who is responsible for this, or whether it is a known issue..
but donate.wikimedia.org.uk is throwing up a "Are you sure you want to visit this site" error (yup that red error page!) in Google Chrome due to an SSL certificate error.
The certificate is signed for directdebit.wikimedia.org.uk, not donate.wikimedia.org.uk, so the browser considers it untrusted.
Cheers, Tom
_______________________________________________
Wikimedia UK mailing list
wikimediauk-l@wikimedia.org
http://mail.wikimedia.org/mailman/listinfo/wikimediauk-l
WMUK: http://uk.wikimedia.org
Long story short; you can only (reliably) use one SSL certificate per *IP address*. This is due to how SSL operates.
I'm guessing you are using Named Vhosts in Apache? For Apache to figure out the appropriate named vhost over HTTPS it first needs to establish an SSL handshake... so obviously it can't intelligently figure out which certificate to use. Hence using the default.
SNI is intended to get around this (http://en.wikipedia.org/wiki/Server_Name_Indication) but unfortunately that is probably not a solution you could use, as yet.
Your two main options are to either:
* Have a wildcard SSL (as you say, expensive)
* Get an additional IP address (pointed at the server) and send one of the domains from that IP
(SSL is a pain in the neck :P)
Cheers, Tom
On 4 May 2012 13:03, Michael Peel michael.peel@wikimedia.org.uk wrote:
Yes, it's a known issue that I haven't gotten to the bottom of yet. Basically we have two SSL certificates for the two subdomains, but the server assumes that one of them is the default one and uses that for all of the subdomains. I suspect we need to buy a wildcard SSL certificate to cover the whole of the wikimedia.org.uk domain, but we haven't done that yet because a) they're expensive and b) I'd like to investigate the problem more first to ensure that this would definitely fix the issue.
If anyone's particularly knowledgeable about SSL certificates and their various nuances, please get in touch.
Thanks, Mike
On 4 May 2012, at 12:58, Thomas Morton wrote:
Hey all,
Not sure who is responsible for this, or whether it is a known issue..
but donate.wikimedia.org.uk is throwing up a "Are you sure you want to visit this site" error (yup that red error page!) in Google Chrome due to an SSL certificate error.
The certificate is signed for directdebit.wikimedia.org.uk, not donate.wikimedia.org.uk, so the browser considers it untrusted.
Cheers, Tom
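Added example, not part of any message in this thread: a small Python model of the behaviour discussed above, showing which certificate a name-based vhost server presents with and without SNI and whether the browser's hostname check then passes. The two hostnames come from the thread; the wildcard certificate, the function names and the server model itself are assumptions made for illustration.

```python
# Added illustration; the server model is a simplification, not Apache's code.
DIRECTDEBIT = ["directdebit.wikimedia.org.uk"]   # names each certificate covers
DONATE = ["donate.wikimedia.org.uk"]
WILDCARD = ["*.wikimedia.org.uk"]                # hypothetical wildcard cert


def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                 # a wildcard stands for exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def select_cert(vhost_certs, default, sni):
    """Certificate a name-based vhost server presents during the handshake.

    sni is the server name from the ClientHello, or None if the client or
    server does not support SNI, in which case only the default is possible.
    """
    if sni is not None:
        for names in vhost_certs:
            if any(name_matches(n, sni) for n in names):
                return names
    return default


def visit(host, vhost_certs, default, sni_in_use):
    """True if the browser would accept the certificate served for host."""
    cert = select_cert(vhost_certs, default, host if sni_in_use else None)
    return any(name_matches(n, host) for n in cert)


if __name__ == "__main__":
    both = [DIRECTDEBIT, DONATE]
    for host in ("directdebit.wikimedia.org.uk", "donate.wikimedia.org.uk"):
        print(host, "no SNI:", visit(host, both, DIRECTDEBIT, False),
              "| SNI:", visit(host, both, DIRECTDEBIT, True),
              "| wildcard:", visit(host, [WILDCARD], WILDCARD, False))
```

Note that under this matching rule a `*.wikimedia.org.uk` certificate covers neither the bare `wikimedia.org.uk` nor a deeper name such as `a.donate.wikimedia.org.uk`.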