#5600 New cert for releases.pagure.org
Closed: Fixed 7 years ago Opened 7 years ago by pingou.

I moved the release tarballs off pagure.io and to pagure.org for security reasons.

I placed them at releases.pagure.org, however they are currently served with the certificate for docs.pagure.org which of course does not match the domain name, see: https://releases.pagure.org/python-pytest-sourceorder/

Could we get a new certificate for releases.pagure.org?

Thanks


This is also causing issues for packagers (in this case, the one for Guix), because their build system verifies certificates, and so they can't package pagure.

This certificate has been ordered, and is awaiting delivery.

Any ETA on cert delivery? Firefox blocks access to releases.pagure.org now and won't even allow a certificate exception to be added because the site uses HSTS. So the release downloads are completely inaccessible to Firefox users right now. Perhaps HSTS can be turned off until the new cert is available?

I will let either @smooge or @puiterwijk reply and if we have no news, I will turn off HSTS (and the redirect) until the cert arrives.

Sorry for all the troubles :(

I don't know whether my email reply is held back, sorry if this comes in twice:

My current working draft (currently in QA) for pagure solves it
like this (part of the package definition, looks better without the broken markup):

+ (source + (origin + (method url-fetch) + (uri (list + ;; XXX: upstream serves an invalid certificate. + (string-append "https://web.archive.org/web/20161211142731/" + "https://releases.pagure.org/pagure/pagure-" + version ".tar.gz") + (string-append "https://releases.pagure.org/pagure/" + name "-" version ".tar.gz"))) + (sha256 + (base32 + "1h629hd8wfvdnmlrd1g3hpxcgkqzrxdpnxnmqhd2wi04g86pn7pg"))))
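
Review bot: the first entry in the uri list hard-codes the snapshot timestamp 20161211142731 while still interpolating version, so after a version bump that archive URL may no longer resolve to the matching tarball; tie the archived entry to the version it was captured for, or drop it when the package is updated. The same entry spells the file name with the literal "pagure-" where the second entry uses name "-", which is worth making consistent. The sha256 check applies to whichever URL answers, so the fallback does not weaken integrity, but the XXX comment should name the upstream ticket (#5600) so the workaround is removed once releases.pagure.org serves a matching certificate.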

You are also able to access the web.archive.org page and download
pagure this way. It's a cheap hack which shouldn't be necessary
and should be avoided as soon as the certificate works.

ok, I dropped the http -> https redirect for now.

Your browser might be caching it though, but curl goes through.

The new cert is now in place.

:birthday:

@kevin changed the status to Closed

7 years ago
