luarocks-site icon indicating copy to clipboard operation
luarocks-site copied to clipboard
verified publisher icon luarocks

SSL Certificate for `luarocks.org` is not valid for `www.luarocks.org`

Open grenewode opened this issue 1 year ago • 4 comments

The SSL certificate for luarocks.org is not valid for www.luarocks.org. This can cause problems if the browser does not redirect https://www.luarocks.org to https://luarocks.org.

grenewode avatar Mar 05 '25 17:03 grenewode 

$ curl -vI 'https://www.luarocks.org'
* Host www.luarocks.org:443 was resolved.
* IPv6: (none)
* IPv4: 45.33.61.132
*   Trying 45.33.61.132:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=luarocks.org
*  start date: Mar  2 11:45:08 2025 GMT
*  expire date: May 31 11:45:07 2025 GMT
*  subjectAltName does not match hostname www.luarocks.org
* SSL: no alternative certificate subject name matches target hostname 'www.luarocks.org'
* closing connection #0
curl: (60) SSL: no alternative certificate subject name matches target hostname 'www.luarocks.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

grenewode avatar Mar 05 '25 17:03 grenewode

Why are you using www. in the first place? Is it written anywhere?

This can cause problems if the browser does not redirect https://www.luarocks.org to https://luarocks.org.

Both Chrome and Firefox redirect to the non www. version with no warning from my quick testing

leafo avatar Mar 06 '25 18:03 leafo

I'm seeing this when I use the link (https://www.luarocks.org/) from the sidebar on https://github.com/luarocks/luarocks. Strangely, this only happens if I open the link normally - if I open it in a tab, the redirect works. Also, if I enter the URL manually, it is also redirected correctly.

grenewode avatar Mar 06 '25 18:03 grenewode

Thanks, I fixed the link on the luarocks github repo

leafo avatar Mar 06 '25 20:03 leafo