#86 HSTS header breaks testdays.qa.fp.o
Closed: Fixed. Opened 9 years ago by kparal.

For many people, http://testdays.qa.fedoraproject.org/ is not accessible. It's because the browser automatically redirects them to https://testdays.qa.fedoraproject.org/, and https is not configured on that server. But for other people, plain http works.

I've found the difference. It's this:
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

If you have visited https://qa.fedoraproject.org/ (e.g. https://qa.fedoraproject.org/blockerbugs/ ) recently, it sets this header for you:

Strict-Transport-Security: max-age=15768000; includeSubDomains; preload

and then Firefox automatically forces it for all subdomains, including testdays.qa.fedoraproject.org (for the next 6 months).

I guess the solution is to do some of these:
* set up testdays with https
* move it to a different domain
* don't include subdomains in the HSTS header


As a temporary measure, you can either use Private mode in Firefox, or nuke all history for fp.o:
http://classically.me/blogs/how-clear-hsts-settings-major-browsers

I've set up SSL on the testdays machine, but one can not add an exception for the certificate, since the HSTS header blocks the option.

Is there a way to acquire some viable certs without the need to move/re-provision the machine?

Pretty soon we'll be able to use https://letsencrypt.org/ , which is just gonna be awesome.

Who got the cert for qa.fedoraproject.org? Do we know? Can we get it updated to cover subdomains?

Ah - it's using a wildcard cert that covers `*.fedoraproject.org`, but wildcard certs don't recurse... the cert would have to also cover `*.*.fedoraproject.org` to work for testdays. Or I suppose we could try and get it moved to testdays.fedoraproject.org?
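Two points from this thread, modelled as an added example (not code from this ticket or from Fedora infrastructure): how a browser that cached the header quoted in the opening post applies it to testdays.qa.fedoraproject.org, and why a `*.fedoraproject.org` wildcard certificate does not cover a host two labels down. Host names come from the ticket; the matching rules follow RFC 6797 (HSTS superdomain match) and RFC 6125 (single-label wildcard).

```python
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    """HSTS policy as a browser caches it after one https response (RFC 6797)."""
    host: str                 # host whose response carried the header
    max_age: int              # seconds the browser keeps enforcing it
    include_subdomains: bool
    preload: bool

    def applies_to(self, target: str) -> bool:
        """True if a browser holding this policy will force https for target."""
        target = target.lower().rstrip(".")
        if target == self.host:
            return True
        # Superdomain match: only labels *below* the policy host, never parents.
        return self.include_subdomains and target.endswith("." + self.host)


def parse_hsts(host: str, header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    max_age, include_subdomains, preload = 0, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(host.lower().rstrip("."), max_age, include_subdomains, preload)


def wildcard_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 wildcard rule: '*' stands for exactly one leftmost label."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == cert_name[2:]


if __name__ == "__main__":
    # Header value quoted in the ticket, as served by https://qa.fedoraproject.org/
    policy = parse_hsts("qa.fedoraproject.org", "max-age=15768000; includeSubDomains; preload")
    print(f"policy cached for about {policy.max_age / 86400:.0f} days")
    for h in ("testdays.qa.fedoraproject.org", "fedoraproject.org"):
        print(h, "https forced:", policy.applies_to(h),
              "| matched by *.fedoraproject.org:", wildcard_matches("*.fedoraproject.org", h))
```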

For people landing at this bug report - there is a simple temporary workaround, use the IP address instead of the domain name:

http://209.132.184.193/testdays/all_events

Is this still issue with the new testdays app deployed?

Nope, thanks for the reminder

Metadata Update from @kparal:
- Issue tagged with: infrastructure

6 years ago

