Bug 667231 - Certificate for l10n.gnome.org
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Certificates
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME Sysadmins
QA Contact: GNOME Sysadmins
Depends on:
Blocks: 639269
 
 
Reported: 2012-01-03 22:58 UTC by Gil Forcada
Modified: 2013-03-06 13:56 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Gil Forcada 2012-01-03 22:58:31 UTC
Right now, the authentication on l10n.gnome.org (module Damned-Lies[1]) is done in http.

Could we obtain an SSL certificate to enable https to login users?


[1] http://git.gnome.org/browse/damned-lies
Comment 1 Olav Vitters 2012-01-03 23:42:55 UTC
We could also turn https on for everything. However, IE users will get an annoying warning (doesn't trust startssl).

Ok?
Comment 2 Gil Forcada 2012-01-04 22:37:10 UTC
Is it possible to send plain HTTP for IE users (so they do not get the warning) and HTTPS for any other browser?
Comment 3 Olav Vitters 2012-01-04 22:55:02 UTC
Don't really like that option.

IE users can test it by going to either https://bugzilla.gnome.org/, or https://live.gnome.org/ + some other sites
Comment 4 Antonio Fernandes 2012-01-05 01:10:38 UTC
Hi Olav,

I did a test with IE 6.0 and it showed no warning. IE is in the list of browsers supported by this certificate. I am a translator, and I think it is very important to test more inclusive of SSL on the DL.

http://www.startssl.com/?app=40
Comment 5 Olav Vitters 2012-01-05 08:58:34 UTC
I have IE8.0 at work under Windows XP, and it always shows a warning.

It seems there is a patch for Windows XP to support it, 
http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/

Did you specifically install this patch? I'm wondering if the Windows XP is missing some normal update.

The reason various GNOME websites still default to http is:
1. Multiple websites on one IP address (IE on Windows XP cannot handle that)
2. That SSL warning IE gives me under Windows XP

If my machine is the exception, then we can go ahead and enable SSL for most of the GNOME websites.
Comment 6 Johannes Schmid 2012-01-05 09:52:53 UTC
Olav, I can confirm that the certificate is NOT trusted with Windows XP and IE8 on my work PC. I am pretty sure all updates are installed here by the IT-Support.
Comment 7 Antonio Fernandes 2012-01-05 11:51:14 UTC
Olav,

As I said earlier, I had no problem in opening https sites with the domain of GNOME. Here are a few screenshots with machine information. The only update it has is Windows XP SP2.

http://pelivre.org/fernandes/imgs/certificate_https_gnome.jpg
http://pelivre.org/fernandes/imgs/certificate_ie_xp.jpg
http://pelivre.org/fernandes/imgs/version_xp_ie.jpg

Does this StartSSL certificate use no intermediate certificate? I have some vhosts using the same IP with a wildcard certificate and got them set up without any problems. I used the technique of SNI (Service Name Indication) in Apache.
Comment 8 Olav Vitters 2012-01-05 12:05:47 UTC
I have Windows XP SP3. I still had to install the root certificate update for the error messages to go away.

The free certificates are not wildcards, so it needs SNI if you have multiple on one IP address, and that doesn't work with IE on Windows XP. This doesn't matter for l10n.gnome.org though, only thing on that IP address.

I'm wondering how many people have this root certificate update. We've been using it on GNOME Bugzilla for ages, so maybe we can just ignore...
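
The SNI dependency discussed in the comment above, as an added example that is not part of the original thread or of GNOME's configuration: it parses the `server_name` extension from a TLS ClientHello body and shows that a client sending no SNI can only be given the default certificate for that IP address. The ClientHello bytes and the certificate labels are constructed for the illustration.

```python
import struct

def build_client_hello(server_name=None):
    """Build a minimal ClientHello body (constructed sample, no record/handshake header)."""
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension type 0 = server_name
    body = b"\x03\x01" + bytes(32)               # client_version (TLS 1.0) + random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # one compression method (null)
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return body

def extract_sni(body):
    """Return the host name from the server_name extension, or None if absent."""
    pos = 2 + 32                                 # skip version and random
    pos += 1 + body[pos]                         # skip session_id
    (suites_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + suites_len                        # skip cipher suites
    pos += 1 + body[pos]                         # skip compression methods
    if pos + 2 > len(body):
        return None                              # no extensions block: pre-SNI client
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        if etype == 0 and elen >= 5:
            name_type = body[pos + 2]            # after the 2-byte list length
            (name_len,) = struct.unpack_from("!H", body, pos + 3)
            if name_type == 0 and pos + 5 + name_len <= end:
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None

def choose_certificate(body, certs, default):
    """Select the certificate for the requested vhost; without SNI only the default fits."""
    return certs.get(extract_sni(body), default)

# Constructed certificate labels for two names sharing one IP address.
CERTS = {"l10n.gnome.org": "cert-l10n", "bugzilla.gnome.org": "cert-bugzilla"}
```

With a single site on the IP address, the default certificate is always the right one, which is why the missing SNI support does not affect that case.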
Comment 9 Johannes Schmid 2012-01-05 15:36:32 UTC
In general I think there are only few people who manually installed the certificate. On the other hand the number of IE users on Windows accessing l10n.gnome.org are probably minimal and can be ignored (statistics?).
Comment 10 Gil Forcada 2012-01-05 19:52:02 UTC
Good point Johannes, actually most of the GNOME translators will be already using GNOME hopefully so we can just ignore the IE users :)
Comment 11 Antonio Fernandes 2012-01-05 20:01:38 UTC
+1
I agree.

I think we have to have security for users. I think installing a certificate is not so difficult if the browser needs it.
Comment 12 Gil Forcada 2012-08-24 13:58:28 UTC
Any progress so far, what can I do to make this happen sooner than later, setting aside asking countlessly? :)
Comment 13 Olav Vitters 2012-08-24 14:23:50 UTC
The only one who can create certificates at the moment is Jeff Schroeder..
Comment 14 Andrea Veri 2012-08-24 15:41:18 UTC
As soon as Jeff provides us with a new certificate (that will probably cover other services currently in need of a cert like git.g.o, library.g.o, developer.g.o and more) we can enable SSL on the specified hosts.
Comment 15 Gil Forcada 2012-10-16 23:28:31 UTC
Where should we send the bottles of Jeff's preferred beverage so that this happens? :) (aka friendly-ping...)
Comment 16 Andrea Veri 2013-03-06 13:16:34 UTC
The certificate was added yesterday. All requests to port 80 are now redirected to port 443.
Comment 17 Antonio Fernandes C. Neto 2013-03-06 13:56:52 UTC
Perfect!