Gitlab Pages letsencrypt error - Warning: Potential Security Risk Ahead

Hopefully this is posted in the right place. I am new here.

I recently added a custom domain to a website in Gitlab Pages. I verified the domain successfully with the TXT record and pointed my A record to the correct GL Pages IP address. Gitlab Pages reports that my letsencrypt certificate was obtained.

I can access my website without https just fine, but with https I get a “Warning: Potential Security Risk Ahead” error in my browser. It has been almost a full day.

I have another Pages site with the same configuration and everything works fine, though it usually has issues with the letsencrypt auto renewal.

Am I missing something here? Thanks!

2 Likes

I’m having the same issue. Only one of my certificates works. Try all the certificates: I find only one of mine works. I suspect this is a bug.

Are you using Cloudflare? Try playing with the certificate on the Cloudflare side.

2 Likes

I have several GL pages websites. It seems the www subdomain certificates on all of them stopped working at some point, though GL reports they are active and verified. The root domain certs work fine. No, I’m not using Cloudflare.

I just set up a redirect to point www to my root domains, which is good enough for me in my case.

2 Likes

It seems I encountered the same problem; only one certificate is correctly served.

1 Like

Just to add, same here, the certificate contains only one of the aliases and fails for the others. It started failing about a week ago which is odd because the certificate’s validity is from beginning of August through October.

I don’t remember whether the certificates used to contain all the aliases or whether different certificates used to be served from different aliases. Does anyone know?

1 Like

Hi all - We’ve received some additional reports, so thanks for bringing this up. We’ve started some investigations into this issue. I don’t have much information at the moment, but I’d recommend following it for updates on our findings.

1 Like

Some context that might help GitLab to debug: I deleted both domains (petsc.org and www.petsc.org), re-added one (petsc.org), and waited for a new Lets Encrypt cert to be issued, but GitLab Pages is still serving the old certificate for www.petsc.org (even though that domain is no longer listed).

```
$ curl --verbose https://petsc.org
*   Trying 35.185.44.232:443...
* Connected to petsc.org (35.185.44.232) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.petsc.org
*  start date: Aug 19 13:51:13 2022 GMT
*  expire date: Nov 17 13:51:12 2022 GMT
*  subjectAltName does not match petsc.org
* SSL: no alternative certificate subject name matches target host name 'petsc.org'
* Closing connection 0
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'petsc.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
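The curl check above, generalised to every mapped domain at once, as an added example (not from the thread or from GitLab): for each name it opens a TLS connection with that name as SNI, keeps the certificate even when it is the wrong one, and reports whether the served certificate's SANs actually cover the name. The domain list is whatever you pass on the command line; the matching rules follow the usual RFC 6125 wildcard conventions.

```python
"""Report which mapped domains are served a certificate that does not name them."""
import socket
import ssl
from typing import Iterable


def cert_names(cert: dict) -> list[str]:
    """Collect DNS names from subjectAltName, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    first, _, rest = pat.partition(".")
    h_first, _, h_rest = host.partition(".")
    # A wildcard covers exactly one label and never matches the bare registered domain.
    return first == "*" and bool(rest) and h_rest == rest and bool(h_first)


def cert_covers(hostname: str, cert: dict) -> bool:
    """True if any SAN (or the CN fallback) of the certificate matches the hostname."""
    return any(name_matches(hostname, name) for name in cert_names(cert))


def fetch_served_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return the leaf certificate presented for `hostname` (sent as SNI)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want the cert even when it is the wrong one
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still require a chain to a trusted root
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(domains: Iterable[str]) -> dict[str, bool]:
    """Map each domain to whether the certificate served for it actually names it."""
    results: dict[str, bool] = {}
    for domain in domains:
        try:
            results[domain] = cert_covers(domain, fetch_served_cert(domain))
        except (OSError, ssl.SSLError):
            results[domain] = False      # unreachable or untrusted chain counts as a failure
    return results


if __name__ == "__main__":
    import sys
    for domain, ok in audit(sys.argv[1:]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {domain}")
```

Run it as `python check_pages_certs.py petsc.org www.petsc.org` (constructed file name); a FAIL line for a domain GitLab reports as verified is the symptom described in this thread.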

This should be fixed now. See this comment. Feel free to ping me if for some reason you are not seeing this resolved.

1 Like

@clevelandbledsoe this seems to be happening on my sites today. I have multiple domains associated with one site and it looks like the certificate for one site (maadh.com) is being served when you visit the other mapped domains (aareet.com or mahadevan.ca). See below for the certificate that’s served when visiting aareet.com

It looks like this was related to a recent rollout of a FF that had the same impact: [Feature flag] Rollout of `cache_pages_domain_api` (#364127) · Issues · GitLab.org / GitLab · GitLab It was disabled once we received some reports. I’ll note this on the issue, thanks for the ping!

1 Like