Wrong certificate on www.releases.ubuntu.com

Bug #1968719 reported by Johannes Rothmayr
This bug affects 1 person
Affects: Ubuntu CD Images
Status: In Progress
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

Could not find a better address to write to, and on the website it says "Report a bug on this site", which leads here.

www.releases.ubuntu.com uses the same certificate as releases.ubuntu.com so Firefox (or cURL) complains about the "Potential Security Risk Ahead".
Suggestions:
- Permanently redirect www.releases.ubuntu.com to releases.ubuntu.com
- Serve a separate certificate for the www subdomain.

Best Regards
Johannes

Steve Langasek (vorlon) wrote :

Where have you found www.releases.ubuntu.com referenced? This may be provided in DNS as an alias, but the only domain name intended to be used for this site is releases.ubuntu.com.

Steve Langasek (vorlon) wrote :

(The resolution here, from my perspective, is to drop the alias from DNS since it doesn't work.)

Johannes Rothmayr (rothmajs) wrote :

I got it by searching for "Ubuntu 20.04 LTS" in DuckDuckGo, where it was the first entry found.

Steve Langasek (vorlon) wrote :

OK, unfortunately that seems like a Duck Duck Go bug. Not sure of a good way to resolve this short of dropping the DNS alias, letting the search results be broken in Duck Duck Go for a while, and letting it age out. For comparison, a Google search returns releases.ubuntu.com (correctly); and searching for www.releases.ubuntu.com points back to releases.ubuntu.com, *and* shows this very bug report as the third result, so it's pretty clear www.releases.ubuntu.com isn't being widely referenced.

Johannes Rothmayr (rothmajs) wrote :

I think this would be sufficient, since the search result is already broken because of the insecure connection warning anyway.
Maybe the DuckDuckGo staff can drop search results for the www subdomain manually.

Steve Langasek (vorlon) wrote :

I've filed a ticket with our IS team to have this CNAME removed. Internally, this is RT#149482.

Changed in ubuntu-cdimage:
status: New → In Progress

Steve Langasek (vorlon) wrote :

FWIW the reason this is in DNS is because there's a DNS wildcard so that per-country domain names work.

These of course also only work over http, not https.

What's particularly strange about the DuckDuckGo results, now that I've thought about it, is that they return https://www.releases.ubuntu.com as a result when that URL would always have returned https errors for them also. So they aren't validating https certificate names?

I've asked our IS team about the possibility of a wildcard SSL cert to go with the wildcard DNS names, we'll see what they come up with.

In the meantime I've also added a rel="canonical" link to the html on the site, which may hint to DuckDuckGo the correct URL to return in searches. (Has not yet had an effect there.)

Johannes Rothmayr (rothmajs) wrote :

DuckDuckGo not checking the certificates is indeed interesting.
Thanks for the update.
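
Added illustration, not part of the bug thread or any Canonical code: a simplified RFC 6125-style name check showing why a certificate issued for releases.ubuntu.com is rejected for www.releases.ubuntu.com, and what the wildcard certificate discussed above would and would not cover. The SAN lists and the per-country name de.releases.ubuntu.com are constructed for the example, not read from the real certificates.

```python
# Added example: simplified certificate name matching (exact and
# single-label wildcard only; no IDN or IP address handling).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard accepted only as the entire leftmost label.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial or non-leftmost wildcards are rejected outright.
    return "*" not in pattern and p == h


def cert_covers(san_names, hostname: str) -> bool:
    """A certificate is valid for a host if any SAN entry matches it."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN lists (assumptions for the example).
CURRENT_CERT = ["releases.ubuntu.com"]
WILDCARD_ONLY = ["*.releases.ubuntu.com"]
WILDCARD_CERT = ["releases.ubuntu.com", "*.releases.ubuntu.com"]

# Hosts that the wildcard DNS record would resolve (last two are constructed).
HOSTS = [
    "releases.ubuntu.com",
    "www.releases.ubuntu.com",
    "de.releases.ubuntu.com",
    "a.b.releases.ubuntu.com",
]


def coverage_table(hosts=HOSTS):
    """Per host: (host, current cert, wildcard-only cert, apex+wildcard cert)."""
    return [
        (h, cert_covers(CURRENT_CERT, h), cert_covers(WILDCARD_ONLY, h),
         cert_covers(WILDCARD_CERT, h))
        for h in hosts
    ]


if __name__ == "__main__":
    for host, current, wild_only, both in coverage_table():
        print(f"{host:26} current={current!s:5} wildcard-only={wild_only!s:5} "
              f"apex+wildcard={both}")
```

A wildcard certificate only fixes the warning if it also lists the apex name, and it still would not cover names more than one label below releases.ubuntu.com.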
