It only does a redirect to www.duplicati.com, but if someone hits that page and doesn’t redirect, it generates a certificate error.
I wonder if this is GitHub Pages with a custom domain? If so, it can’t do a certificate with two domains, however the problem here is that it’s seemingly not even doing one. I’m not an expert, but Wireshark saw:
Extension: server_name (len=18)
    Type: server_name (0)
    Length: 18
    Server Name Indication extension
        Server Name list length: 16
        Server Name Type: host_name (0)
        Server Name length: 13
        Server Name: duplicati.com
attempting to access https://duplicati.com in Chromium based Microsoft Edge. The result of that is:
Your connection isn’t private
Attackers might be trying to steal your information from duplicati.com (for example, passwords, messages, or credit cards).
This server couldn’t prove that it’s duplicati.com; its security certificate is from *.github.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Continue to duplicati.com (unsafe)
Server Name Indication seems like it tells GitHub Pages which certificate to use, and it’s not
Custom domains on GitHub Pages gain support for HTTPS seems to say you should get a Let’s Encrypt certificate for the custom domain. GitHub Pages generated a (rogue?) TLS cert for my own domain! was some discussion of the surprise the feature generated, but the feature doesn’t seem to be working here…
GitHub Pages: Generate SSL certificate for www subdomain when a custom domain is set to an apex (and vice versa) #1675 is what might be ideal, and it links to a lot of attempts at working around the current plan. Duplicati seems to work around it by www.duplicati.com going direct, while duplicati.com uses a redirect, except the redirect can’t be done when the wrong certificate is returned, which kills the communication early…
$ nslookup duplicati.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: duplicati.com
Address: 188.8.131.52
Name: duplicati.com
Address: 184.108.40.206

$ nslookup www.duplicati.com
Server: 127.0.1.1
Address: 127.0.1.1#53

Non-authoritative answer:
Name: www.duplicati.com
Address: 220.127.116.11

$ curl -I http://duplicati.com
HTTP/1.1 301 Moved Permanently
Server: GitHub.com
Date: Sat, 05 Dec 2020 20:02:52 GMT
Content-Type: text/html
Content-Length: 162
Location: http://www.duplicati.com/
X-GitHub-Request-Id: D1FC:0685:42C34D:516353:5FCBE76C

$ curl -I https://duplicati.com
curl: (51) SSL: certificate subject name (*.github.com) does not match target host name 'duplicati.com'
$
EDIT: I thought maybe curl needed special coaxing to do SNI, found some formulas that failed, then tried a regular web browser, then looked at its traffic in Wireshark. At this point it looks like a GitHub error, but why?
It was a setup error of my doing, and had been on my TODO list for a while. I have fixed it now so it does not go to GitHub at all.
Originally, GitHub Pages did not support https for custom subdomains, so I hosted the content on Digital Ocean. Now it does support https but not for root domains. The root domain was pointing at GitHub and redirected to the www. site, but naturally did not hold a certificate for the root domain, making it break if you attempted to use
I have changed it so the A record points to the same site with and without www. prefix (hosted on Digital Ocean). The TLS certificate has both hostnames, so either works now.
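The mismatch discussed in this thread, as an added example that is not part of the original posts: a Python check that the certificate a server presents covers both the apex and the www name. The SAN lists are constructed from what the thread reports (`*.github.com` before the fix, both hostnames after), and the helper names are hypothetical.

```python
import socket
import ssl


def san_matches(pattern: str, host: str) -> bool:
    """Wildcard rule: '*' must be the whole leftmost label and covers one label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.github.com' never covers an apex or a deeper name
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # conservative: refuse '*.tld'
    return p == h


def coverage(sans, hosts):
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


def fetch_sans(host, port=443, timeout=5.0):
    """Live lookup: send `host` as SNI and return the DNS SANs presented.
    The chain is still verified; only the name check is disabled, so a
    valid-but-wrong certificate (the case in this thread) can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed sample data based on the thread, not captured certificates.
HOSTS = ["duplicati.com", "www.duplicati.com"]
SANS_BEFORE = ["*.github.com"]                       # what the browser reported
SANS_AFTER = ["duplicati.com", "www.duplicati.com"]  # "has both hostnames"

if __name__ == "__main__":
    print("before:", coverage(SANS_BEFORE, HOSTS))
    print("after: ", coverage(SANS_AFTER, HOSTS))
    # Live audit (needs network): coverage(fetch_sans(h), [h]) for h in HOSTS
```

Running the live audit against each name separately matters because the apex and www records can point at different servers, as they did here.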