Https://duplicati.com has the wrong certificate

It only does a redirect to www.duplicati.com, but if someone hits that page and doesn’t redirect, it generates a certificate error.

You’re right… https://duplicati.com seems to hit github before the redirection, which causes a cert warning. @kenkendk - FYI

I wonder if this is GitHub Pages with a custom domain? If so, it can’t do a certificate with two domains, however the problem here is that it’s seemingly not even doing one. I’m not expert, but Wireshark saw:

           Extension: server_name (len=18)
               Type: server_name (0)
               Length: 18
               Server Name Indication extension
                   Server Name list length: 16
                   Server Name Type: host_name (0)
                   Server Name length: 13
                   Server Name: duplicati.com

attempting to access https://duplicati.com in Chromium based Microsoft Edge. The result of that is:

Your connection isn’t private
Attackers might be trying to steal your information from duplicati.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
This server couldn’t prove that it’s duplicati.com; its security certificate is from *.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Continue to duplicati.com (unsafe)

Server Name Indication seems like it tells GitHub Pages which certificate to use, and it’s not github.com.
Custom domains on GitHub Pages gain support for HTTPS seems to say you should get a Let’s Encrypt certificate for the custom domain. GitHub Pages generated a (rogue?) TLS cert for my own domain! was some discussion of the surprise the feature generated, but the feature doesn’t seem to be working here…

GitHub Pages: Generate SSL certificate for www subdomain when a custom domain is set to an apex (and vice versa) #1675 is what might be ideal, and it links to a lot of attempts at working around the current plan. Duplicati seems to work around it by www.duplicati.com going direct, while duplicati.com uses a redirect, except the redirect can’t be done when the wrong certificate is returned, which kills the communication early…

$ nslookup duplicati.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
Name:	duplicati.com
Address: 192.30.252.153
Name:	duplicati.com
Address: 192.30.252.154

$ nslookup www.duplicati.com
Server:		127.0.1.1
Address:	127.0.1.1#53

Non-authoritative answer:
Name:	www.duplicati.com
Address: 139.59.135.67

$ curl -I http://duplicati.com
HTTP/1.1 301 Moved Permanently
Server: GitHub.com
Date: Sat, 05 Dec 2020 20:02:52 GMT
Content-Type: text/html
Content-Length: 162
Location: http://www.duplicati.com/
X-GitHub-Request-Id: D1FC:0685:42C34D:516353:5FCBE76C

$ curl -I https://duplicati.com
curl: (51) SSL: certificate subject name (*.github.com) does not match target host name 'duplicati.com'
$ 

EDIT: I thought maybe curl needed special coaxing to do SNI, found some formulas that failed, then tried a regular web browser, then looked at its traffic in Wireshark. At this point it looks like GitHub error, but why?

It was a setup error of my doing, and had been on my TODO list for a while. I have fixed it now so it does not go to Github at all.

Originally, Github Pages did not support https for custom subdomains, so I hosted the content on Digital Ocean. Now it does support https but not for root domains. The root domain was pointing at Github and redirected to the www. site, but naturally did not hold a certificate for the root domain, making it break if you attempted to use https.

I have changed it so the A record points to the same site with and without www. prefix (hosted on Digital Ocean). The TLS certificate has both hostnames, so either works now.

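The check that curl and Edge performed above, and the reason the fix described in the last reply works, can be reproduced by hand. The following is an added example, not code from this thread or from the Duplicati project: it sends SNI for a hostname, reads the DNS names in the served certificate's subjectAltName, and applies the usual wildcard-matching rule to them. The function and variable names are my own, and the two sample SAN lists are constructed to mirror what the thread reports (a *.github.com certificate before the fix, a certificate carrying both duplicati.com and www.duplicati.com after it); they are not copied from any real certificate.

```python
"""Reproduce the certificate/SNI check from the thread without a browser.

Added example, not code from the thread or the Duplicati project.
"""
import socket
import ssl
from typing import Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly '*.example.com')
    covers ``hostname`` under the usual RFC 6125 rules: case-insensitive,
    and a leading wildcard matches exactly one label, so '*.github.com'
    covers 'pages.github.com' but not 'github.com', 'a.b.github.com'
    or 'duplicati.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".github.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]      # the label the '*' stands for
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def cert_covers(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers ``hostname``."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def fetch_san_dns_names(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Open a TLS connection with SNI set to ``host`` and return the DNS names
    in the served certificate's subjectAltName. The chain is still validated
    (CERT_REQUIRED); only the hostname check is turned off so that a
    mismatched certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname is what populates the server_name (SNI) extension
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str, san_dns_names: Iterable[str]) -> str:
    """Summarise the name check the way a browser or curl would report it."""
    names = list(san_dns_names)
    if cert_covers(names, hostname):
        return f"OK: certificate covers {hostname} (SANs: {', '.join(names)})"
    return (f"MISMATCH: certificate SANs {', '.join(names)} do not cover {hostname}; "
            f"browsers report this as ERR_CERT_COMMON_NAME_INVALID")


# Constructed sample SAN lists modelled on what the thread reports (hypothetical values):
# before the fix the apex pointed at GitHub Pages, which served a *.github.com cert;
# after the fix the Digital Ocean host serves a cert with both hostnames.
BEFORE_FIX_SANS = ["*.github.com", "github.com"]
AFTER_FIX_SANS = ["duplicati.com", "www.duplicati.com"]

if __name__ == "__main__":
    import sys
    print(diagnose("duplicati.com", BEFORE_FIX_SANS))
    print(diagnose("duplicati.com", AFTER_FIX_SANS))
    if len(sys.argv) > 1:                    # live check: python sni_check.py example.com
        live_host = sys.argv[1]
        print(diagnose(live_host, fetch_san_dns_names(live_host)))
```

Running the script with no argument works offline against the constructed SAN lists; passing a hostname performs a live handshake with SNI and reports whether the served certificate covers that name. Keeping the chain verification on while disabling only the hostname check is deliberate: it lets you inspect a misrouted but otherwise valid certificate, as in this thread, without accepting an untrusted one.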