On Fri, 16 Jul 2010 11:09:15 +0200, Thomas Bächler <thomas@archlinux.org> wrote:
I just performed the switch to https only on bbs! I also adjusted some internal URLs, so all files will be properly fetched via https directly. http is redirected automatically. Note that the navbar links on Archweb and all other sites still point to http, but that is redirected automatically.
There is a catch:
1) Apache configures SSL per-vhost. That means that even though we have a wildcard certificate, the browser must support SNI for name-based vhosts to work. All clients that are not SNI-capable will be redirected to www instead.
2) wget doesn't like wildcard certificates. That means you need to use --no-check-certificate with wget.
3) Our certificate is from CACert. AFAIK, this is not included in many browsers by default. If you use Arch Linux, at least everything that uses the OpenSSL certificate store and all Mozilla browsers are CACert-enabled - on other operating systems, our certificate might show up as untrusted.
Let me know if any of the above (especially 1) cause any problems.
Didn't we have a discussion about this some time ago?
Point 1) is simply not true. An SNI-compatible client is not needed here. (at least if you haven't altered the ssl config)
Point 2) is afaik a known wget bug. (I wonder if there is a patch)
--
Pierre Schmitz, https://users.archlinux.de/~pierre