gdal.org SSL_ERROR_BAD_CERT_DOMAIN #1574

Closed
jbelien opened this issue May 24, 2019 · 9 comments

@jbelien

jbelien commented May 24, 2019

There is an issue with your SSL certificate for https://www.gdal.org/.

SSL certificate is issued for the following (www.github.com, *.github.io, *.githubusercontent.com, *.github.com, github.com, github.io, githubusercontent.com) and so is not valid for gdal.org.

@mloskot
Member

mloskot commented May 24, 2019

I think this is something @hobu needs to look at

@wildintellect

I looked into the problem a little. It's fine for https://gdal.org but breaks on https://www.gdal.org. Search engines have the www variant in them. Looking at the github docs on the topic: https://help.github.com/en/articles/using-a-custom-domain-with-github-pages

You can set up an apex domain and a www subdomain through your DNS provider and GitHub Pages' servers will automatically create redirects between them. For example, your site can be found at www.example.com or example.com.

So fix needs to be applied at the DNS registration/server level.

@robe2
Contributor

robe2 commented May 24, 2019

FWIW deegree.org ran into the same issue when switching to github pages. Their solution seems a bit suboptimal -- but not sure if anything in github would allow you to have the letsencrypt cert work for both gdal.org and www.gdal.org

Related ticket
https://trac.osgeo.org/osgeo/ticket/2272

Key comment:

I have checked the settings of the github-pages, and also started an update, which did not lead to the desired working result.

The SSL settings were running when the CNAME was still present, but it is also documented on the github pages that forwarding (deegree.org and www.deegree.org simultaneously) can cause problems with some providers.

After talking to another TMC member, we decided to redirect only www.deegree.org via CNAME to Github pages and continue to use our own server (plaza.deegree.org/136.243.175.5) for the redirection of deegree.org to www.deegree.org. (Which should also solve our SSL problem)

@jbelien
Author

jbelien commented May 24, 2019

Yes, we had the same issue with https://openstreetmap.be/.
What I did is point https://www.openstreetmap.be/ to my own server and redirect that url to https://openstreetmap.be/ ; not really convenient but it works.

@robe2
Contributor

robe2 commented May 24, 2019

If everyone is amenable to that change -- I could just put in an https://www.gdal.org to go to https://gdal.org (could even proxy it if that's more desirable)

At the very least - we probably should get rid of the static ip of github pages because I fear that will fail suddenly for round-robin or if github changes their ip. Right now looking at pairs it's set to ip instead of CNAME.

@robe2
Contributor

robe2 commented May 24, 2019

disregard my comment about the A record, I see now from Alex's link that that part is okay and that's why we have 4 A's as described here since they resolve to all the possible github page locations

https://help.github.com/en/articles/setting-up-an-apex-domain

not sure if there is a better fix for the letsencrypt as @jbelien mentioned. Maybe worth a github bug ticket as it seems like a pretty common thing to want to do.

@robe2
Contributor

robe2 commented May 24, 2019

ah wait -- is gdal setup like this in githubpages?

one apex domain & one www subdomain example.com & www.example.com

as described in: https://help.github.com/en/articles/about-supported-custom-domains

If it's put in as two separate entries, then maybe that's the problem why the letsencrypt only works for one of them.

@jbelien
Author

jbelien commented May 24, 2019

@robe2 Yes but ...

Warning: If your domain has HTTPS enforcement enabled, GitHub Pages' servers will not automatically route redirects. You must configure www subdomain and root domain redirects with your domain registrar.

Source: https://help.github.com/en/articles/setting-up-an-apex-domain-and-www-subdomain

@rouault
Member

rouault commented May 28, 2019

Issue solved per https://trac.osgeo.org/osgeo/ticket/2311

@rouault rouault closed this as completed May 28, 2019
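
A check for the mismatch discussed in this thread, as an added example that is not from the issue or from the GDAL project: it matches hostnames against a certificate's DNS subjectAltName entries using the RFC 6125 wildcard rule, with the SAN list quoted in the opening report as input. The function names are illustrative, and `served_sans`, which reads the certificate a live server presents, is meant for your own domains and is not exercised by the demo.

```python
import socket
import ssl

# SAN list quoted in the opening report for the certificate served at www.gdal.org.
REPORTED_SANS = [
    "www.github.com", "*.github.io", "*.githubusercontent.com",
    "*.github.com", "github.com", "github.io", "githubusercontent.com",
]


def san_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one dNSName entry (RFC 6125, section 6.4.3).

    A wildcard counts only as the whole left-most label and covers exactly
    one label: *.example.org matches www.example.org, but not example.org
    and not a.b.example.org.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Reject over-broad wildcards such as "*.org" or a bare "*".
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def coverage(hostnames, sans):
    """Return {hostname: [matching SAN entries]}; an empty list is a mismatch."""
    return {h: [s for s in sans if san_matches(h, s)] for h in hostnames}


def served_sans(hostname: str, port: int = 443, timeout: float = 5.0):
    """Fetch the DNS SANs of the certificate a server presents for `hostname`.

    Hostname checking is disabled only so a mismatched certificate can be
    read and reported; the chain is still validated against the system store.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name, hits in coverage(["gdal.org", "www.gdal.org"], REPORTED_SANS).items():
        print(name, "->", hits or "no SAN matches (SSL_ERROR_BAD_CERT_DOMAIN)")
```

Running `coverage(names, served_sans(name))` for both the apex and the `www` name after a DNS or redirect change confirms that each hostname is actually covered by the certificate it is served with.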