midnight-commander.org uses self-signed ssl certificate

[bircoph]

Hello,

this site uses a self-signed SSL certificate, which is a barely valid and insecure approach.

You may sign site certificate via any open certification authority. (I can remember cacert.org, but you may use any at your wish, I do not care).

Also this site supports both www.midnight-commander.org and midnight-commander.org names, so you should either maintain certificates for both names or use only one URI for https connections.

[schuay]

Hi, I'm the current maintainer of the mc package in the Archlinux [community] repository. Our makepkg build tool (which uses wget) cannot download the source code because of certificate issues:

$ wget https://midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2
--2011-09-12 19:23:07--  https://midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2
Resolving midnight-commander.org... 137.226.80.153
Connecting to midnight-commander.org|137.226.80.153|:443... connected.
ERROR: cannot verify midnight-commander.org's certificate, issued by `/C=AU/ST=Some-State/O=midnight-commander.org/OU=midnight-commander.org/CN=midnight-commander.org':
  Self-signed certificate encountered.
To connect to midnight-commander.org insecurely, use `--no-check-certificate'.

Now I'm not sure if it's caused by using a self signed cert, or because there is a redirect from midnight-commander.org to www.midnight-commander.org:

> wget --no-check-certificate https://midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2 -O /dev/null
--2011-09-12 19:36:29--  https://midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2
Resolving midnight-commander.org... 137.226.80.153
Connecting to midnight-commander.org|137.226.80.153|:443... connected.
WARNING: cannot verify midnight-commander.org's certificate, issued by `/C=AU/ST=Some-State/O=midnight-commander.org/OU=midnight-commander.org/CN=midnight-commander.org':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2 [following]
--2011-09-12 19:36:29--  https://www.midnight-commander.org/downloads/mc-4.7.5.4.tar.bz2
Resolving www.midnight-commander.org... 137.226.80.153
Connecting to www.midnight-commander.org|137.226.80.153|:443... connected.
WARNING: cannot verify www.midnight-commander.org's certificate, issued by `/C=AU/ST=Some-State/O=midnight-commander.org/OU=midnight-commander.org/CN=midnight-commander.org':
  Self-signed certificate encountered.
    WARNING: certificate common name `midnight-commander.org' doesn't match requested host name `www.midnight-commander.org'.
HTTP request sent, awaiting response... 200 Ok
Length: 2678184 (2.6M) [application/octet-stream]
Saving to: `/dev/null'
 
100%[===================================================================================>] 2,678,184   1.87M/s   in 1.4s   

I can work around this for now, but it'd be nice to get it fixed. Thanks!

[sorin]

That's more than annoying and is send bad vibes to potential users. It's better to make it HTTP instead if you can't fix the certificate problem.

[slavazanko]

Agenda:

• register on www.startssl.com
• generate private key
• generate certificate request
• send csr to startssl and receive certificate
• install certificate to web-server
• in web-server: remove redirection from unsecured connections to SSL
• in web-server: set up redirections from m-c.o to www.m-c.o
• describe in WIKI how to re-sign the certificate and re-install to web-server (once per year)

[slavazanko]

register on www.startssl.com

done

generate private key

done

generate certificate request

done

[slavazanko]

send csr to startssl and receive certificate

done

[slavazanko]

install certificate to web-server

done

[slavazanko]

in web-server: remove redirection from unsecured connections to SSL

done. Just /login path will be redirected

in web-server: set up redirections from m-c.o to www.m-c.o

done

[slavazanko]

describe in WIKI how to re-sign the certificate and re-install to web-server (once per year)

​http://www.midnight-commander.org/wiki/maintain/SSL