| Summary: | freedesktop bug database uses certificate signed by CA not recognized by Mozilla | | |
|---|---|---|---|
| Product: | freedesktop.org | Reporter: | Jeff Walden (remove +bfo to email) <jwalden+bfo> |
| Component: | Bugzilla | Assignee: | Keith Packard <keithp> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | | |
| Priority: | medium | CC: | alan.coopersmith, benjsc, courrier.oou.fr.mjk, gerbert.jansen, glgxg, ian.mcdonald, jg, keelerda, keithp, kibi, n-roeser, pablo, reed, taken.spc |
| Version: | unspecified | Keywords: | NEEDINFO |
| Hardware: | All | | |
| OS: | All | | |
| URL: | https://bugs.freedesktop.org/index.cgi?GoAheadAndLogIn=1 | | |

Description
Jeff Walden (remove +bfo to email)
2009-02-22 01:25:04 UTC

It's a cost thing. fd.o is predominately a volunteer organisation. If you're willing to pay for the certificate then we're happy to fulfill your request.

(In reply to comment #1)
> It's a cost thing. fd.o is predominately a volunteer organisation. If you're
> willing to pay for the certificate then we're happy to fulfill your request.
There's actually several ways to get valid SSL certificates for free...
* GoDaddy gives open source projects *free* SSL certificates (https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp).
* StartSSL (https://www.startssl.com) has fully valid *free* SSL certificates that work in most browsers (not IE).
Both of the above options are better than the current usage of CAcert.org, which is not trusted by any major browser, so I'm reopening this bug.

Wow, didn't know about the godaddy offer. The startssl.com doesn't appear to work with Chrome though. I'll certainly look into the godaddy offer though. Thanks!

Any progress on this?

(In reply to comment #1)
> It's a cost thing. fd.o is predominately a volunteer organisation. If you're
> willing to pay for the certificate then we're happy to fulfill your request.
The X.Org Foundation is willing to pay for it - we've been talking about it with Keith Packard for the last week or so.

Ok, so I'm happy to install the crt if someone buys it as I don't have details/access to buy one.

Hi folks, have there been advances on the SSL certificate for bugzilla? Digicert seems to have some at reasonable rates: http://www.digicert.com/welcome/ssl-plus.htm

Not only Firefox, but Chrome also tries everything to prevent you from accessing f.d.o. bugzilla, with HUGE WARNINGS COVERED IN BLOOD (complete with the red pirate head insignia). This needs to be fixed. Godaddy gives em for free for you, and you've been talking about it for a week back in October. What's holding this back now?

CC

*** Bug 30863 has been marked as a duplicate of this bug. ***

I tried the godaddy route but despite repeated email, they kept requesting information how the fd.o uses an open source repository. They couldn't understand that fd.o is the open source repository. Simply put, because we're not part of sf.net they didn't list us as an open source project. Hence buying the certificate makes the most sense. We just need one of the fd.o board members to ok and tell the sysadmins how we can go about purchasing the certificate.

*** Bug 31750 has been marked as a duplicate of this bug. ***

Even when the certs are installed:
http://www.cacert.org/index.php?id=3
per
http://wiki.cacert.org/BrowserClients
still had issues today.
Cleared & reinstalled the certs & lo & behold:
====
bugs.freedesktop.org uses an invalid security certificate.
The certificate expired on 11/19/2010 08:23 PM.
(Error code: sec_error_expired_certificate)
====
Not valid after:
11/19/2010 20:23:04
(11/20/2010 04:23:04 GMT)
Note: had to add a temporary exception to post to this bug report.

I've found when installing your certificates you need to kick apache with a restart, a graceful won't do it.
apache2ctl restart
On 22/11/10 06:19, bugzilla-daemon@freedesktop.org wrote:
> https://bugs.freedesktop.org/show_bug.cgi?id=20250
>
> NoOp<glgxg@sbcglobal.net> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> CC| |glgxg@sbcglobal.net
>
> --- Comment #13 from NoOp<glgxg@sbcglobal.net> 2010-11-21 11:49:32 PST ---
> Even when the certs are installed:
> http://www.cacert.org/index.php?id=3
> per
> http://wiki.cacert.org/BrowserClients
> still had issues today.
>
> Cleared & reinstalled the certs & lo & behold:
> ====
> bugs.freedesktop.org uses an invalid security certificate.
>
> The certificate expired on 11/19/2010 08:23 PM.
>
> (Error code: sec_error_expired_certificate)
> ====
> Not valid after:
> 11/19/2010 20:23:04
> (11/20/2010 04:23:04 GMT)
>
> Note: had to add a temporary exception to post to this bug report.

Say what? What has apache to do with the bugs.freedesktop.org cert expiring?
Not valid after:
11/19/2010 20:23:04
(11/20/2010 04:23:04 GMT)
You *did* look at the cert before making that comment... right?

<sigh> My mistake, I took it you had reinstalled the certificate on the server not on the client.
I've upgraded the cacert certificate so it's at least not expired. The CA is still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a warning but the certificate won't be out of date.
It would be really nice to resolve this by the fd.o foundation letting us know how we could proceed with the purchase of a certificate.

*** Bug 30465 has been marked as a duplicate of this bug. ***

On 11/21/2010 09:27 PM, bugzilla-daemon@freedesktop.org wrote:
...
> I've upgraded the cacert certificate so it's at least not expired. The CA is
> still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a
> warning but the certificate won't be out of date.
...
Thanks. Actually, using the instructions in http://wiki.cacert.org/BrowserClients works for me (SeaMonkey 2.0.10 linux) as long as the cert is not out of date. I used the instructions for Mozilla Firefox on that page.

(In reply to comment #16)
> <sigh> My mistake, I took it you had reinstalled the certificate on the server
> not on the client.
>
> I've upgraded the cacert certificate so it's at least not expired. The CA is
> still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a
> warning but the certificate won't be out of date.
>
> It would be really nice to resolve this by the fd.o foundation letting us know
> how we could proceed with the purchase of a certificate.
Note that there are some widely accepted CAs that will give open source projects certificates for free.... I forget which ones off hand, but google is your friend.

... or just get a free StartCom SSL certificate? :)
https://www.startssl.com/
Why don't you try that out? It's actually supported by a good number of browsers (much better than CAcert).

At this point, StartCom claims to have support from Chrome, Android, iPhone, and anything else I could think of offhand. Alternatively, Thawte will give free certificates to FOSS projects; I've gone through that process and it proved fairly straightforward.

Well the StartCom method ended up with a failed registration and no way to be able to reissue the 'certificate' they need to authenticate. Time to try Thawte

As a follow up and to finally close this bug, Eddy Nigg from StartCom contacted me after noticing I had some issues with the account creation process. After a quick interplay of email we sorted things out and hence now Bug.fd.o is officially ssl enabled with the free key from StartCom.
Many thanks to Eddy for helping resolve the issue and to StartCom for the certificate!

I suppose I should file a new bug, but since this is related to the new StartCom cert:
Perhaps you can get Florian and/or Eddy to update all the certs to include libreoffice.org? Clicking on Installation etc., brings up:
====
www.libreoffice.org uses an invalid security certificate.
The certificate is only valid for the following names:
*.documentfoundation.org , documentfoundation.org
(Error code: ssl_error_bad_cert_domain)
====
And examining the cert shows that it is only valid for documentfoundation.org.

Ok, I'm fairly certain we can get a certificate for libreoffice.org but who does the hosting?
Non-authoritative answer:
Name: www.libreoffice.org
Address: 88.198.53.251
This doesn't appear to be a fd.o or x.org machine.

My apologies. I was having issues with https://www.libreoffice.org/download defaulting to the *.documentfoundation.org certificate rather than the StartCom *.libreoffice.org cert. Found out that the cert from StartCom is using SNI & my browser client was set for ssl2 true. Reset to ssl2 false and it now works.
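
The two browser errors quoted in this thread (sec_error_expired_certificate and ssl_error_bad_cert_domain) can be reproduced offline; this is an added example, not part of the bug report. The function names and both certificate dicts are constructed for illustration, shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; only the expiry time and the two documentfoundation.org names come from the thread.

```python
import ssl
from datetime import datetime, timezone


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.org'-style patterns
    return p == h


def classify(cert: dict, host: str, now: datetime) -> str:
    """Map a certificate to the error code quoted in the thread, or 'ok'.

    Issuer trust (the CAcert problem this bug is about) needs real chain
    validation against a trust store and is deliberately not modelled here.
    """
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "sec_error_expired_certificate"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        return "ssl_error_bad_cert_domain"
    return "ok"


# Constructed sample: notAfter is the GMT expiry quoted in the thread;
# the subjectAltName entry is an assumption.
EXPIRED_BUGS_CERT = {
    "notAfter": "Nov 20 04:23:04 2010 GMT",
    "subjectAltName": (("DNS", "bugs.freedesktop.org"),),
}
# Constructed sample: names are those listed in the quoted error;
# the expiry date is an assumption.
DEFAULT_VHOST_CERT = {
    "notAfter": "Jan 15 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "*.documentfoundation.org"),
                       ("DNS", "documentfoundation.org")),
}
# 2010-11-21 11:49:32 PST, the timestamp of the expiry report, in UTC.
REPORTED_AT = datetime(2010, 11, 21, 19, 49, 32, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify(EXPIRED_BUGS_CERT, "bugs.freedesktop.org", REPORTED_AT))
    print(classify(DEFAULT_VHOST_CERT, "www.libreoffice.org", REPORTED_AT))
```

The second case is what a client sees when it sends no SNI (an SSLv2-compatible hello cannot carry the extension): the server falls back to its default certificate and the name check fails.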