Problem/Motivation

Currently cgit.drupalcode.org domain does serve a valid SSL certificate, which make patching using composer less secure and more difficult specialy in the case of contib profiles composer.json using the patch (row) commit url https://cgit.drupalcode.org/panels/patch/?id=SHA-1

The problem is that a lot of module maintainers do commit directly to the project repository without uploading a patch file to an issue, and composer by default doesn't allow insecure url without a special config [secure-http] in addition the config directive is only avilable to for the Root Package.

Comments

mkhamash created an issue. See original summary.

mlhess’s picture

mlhess CreditAttribution: mlhess as a volunteer commented
Issue tags: +MWDS2016

There should be a cert here. However, I would reference commits by git hash.

jp.stacey’s picture

jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented

+1 for this. When anyone - a client, or a potential contributor - follows a cgit link, they get e.g. a Chrome net::ERR_CERT_COMMON_NAME_INVALID error or Firefox SSL_ERROR_BAD_CERT_DOMAIN, and then have to jump through hoops to even see the content. This reflects poorly on Drupal in all sorts of ways.

jp.stacey’s picture

jp.stacey CreditAttribution: jp.stacey at Magnetic Phield commented
Category: Feature request » Bug report
Priority: Normal » Major

Marking this as a bug as it causes a HTTPS exception in the browser.

SylvainM’s picture

SylvainM CreditAttribution: SylvainM at Axess Open Web Services commented

+1

Tess Bakker’s picture

Tess Bakker
they/them
Primary language Dutch
CreditAttribution: Tess Bakker at ezCompany commented
Priority: Major » Critical

Please, setup a new valid SSL certificate for cgit.drupalcode.org and dump the wildcard version that is only valid for *.drupal.org

Composer

Could not apply patch! Skipping. The error was: Your configuration does not allow connections to https://cgit.drupalcode.org/config_filter/patch/?id=adbfccc825634901308f.... See https://getcomposer.org/doc/06-config.md#secure-http for details.

.. yes, i know, we should use https ..

Could not apply patch! Skipping. The error was: The "https://cgit.drupalcode.org/config_filter/patch/?id=adbfccc825634901308f..." file could not be downloaded: Peer certificate CN=`*.drupal.org' did not match expected CN=`cgit.drupalcode.org'
Failed to enable crypto
failed to open stream: operation failed

Firefox

cgit.drupalcode.org uses an invalid security certificate.

The certificate is only valid for the following names:
*.drupal.org, drupal.org

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Solution: Allow packages from unsafe locations?!

Tess Bakker’s picture

Tess Bakker
they/them
Primary language Dutch
CreditAttribution: Tess Bakker at ezCompany commented
Status: Active » Fixed

Checked with Composer, Firefox and Chromium and the certificate is valid :)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.