For many people, http://testdays.qa.fedoraproject.org/ is not accessible. It's because browser automatically directs them to https://testdays.qa.fedoraproject.org/, and https is not configured on that server. But for other people, plain http works.
I've found the difference. It's this: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
If you have visited https://qa.fedoraproject.org/ (e.g. https://qa.fedoraproject.org/blockerbugs/ ) recently, it sets this header for you:
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
and then firefox automatically forces it for all subdomains, including testdays.qa.fedoraproject.org (for the next 6 months).
I guess the solution is to do some of these: set up testdays with https move it to a different domain * don't include subdomains in the HSTS header
As a temporary measure, you can either use Private mode in Firefox, or nuke all history for fp.o: http://classically.me/blogs/how-clear-hsts-settings-major-browsers
I've set up SSL on the testdays machine, but one can not add an exception for the certificate, since the HSTS header blocks the option.
Is there a way to acquire some viable certs without the need to move/re-provision the machine?
Pretty soon we'll be able to use https://letsencrypt.org/ , which is just gonna be awesome.
Who got the cert for qa.fedoraproject.org? Do we know? Can we get it updated to cover subdomains?
Ah - it's using a wildcard cert that covers .fedoraproject.org , but wildcard certs don't recurse...the cert would have to also cover .*.fedoraproject.org to work for testdays. Or I suppose we could try and get it moved to testdays.fedoraproject.org ?
For people landing at this bug report - there is a simple temporary workaround, use the IP address instead of the domain name:
http://209.132.184.193/testdays/all_events
Is this still issue with the new testdays app deployed?
Nope, thanks for the reminder
Metadata Update from @kparal: - Issue tagged with: infrastructure
Login to comment on this ticket.