Codeberg/Community
54
325
Fork
You've already forked Community
12

codeberg.org TLS server sometimes serves *.codeberg.page certificate #1673

Open
opened 2024年10月15日 17:33:11 +02:00 by mgrubb · 6 comments

Comment

Opening a new issue from #1368 as I'm not sure about the visibility of closed issues.

I'm not going to recapitulate the entirety of the previous issue, but tl;dr command line tools get unpredictable results when trying to connect to codeberg.org, not sure why it doesn't present in browsers as well.

I'm more than willing to help troubleshoot or look at configurations (I do have some experience with haproxy). I can reproduce this regularly from my end:
Also this isn't a matter of just waiting an it resolves itself, it may take 10-20 attempts to get a proper response from the git side.
If it were just a matter of me trying over and over with a git clone command that's one thing I guess, but when the clone is part of a larger installation package which is out of my control it makes for a very frustrating experience. At any rate, closing this because you can't solve it seems the wrong move and sends a message that it's unimportant. This should remain open until a fix is found.
Just my $.02. Again I'm willing to help in any way that I can.

Without knowing what the full architecture looks like, it seems that what is happening is that the haproxy is doing a round-robin load balancing to a pool of servers but the servers are specialized so that some are only doing pages and others are only doing git, but the load balancer isn't inspecting the request to determine which pool to forward the connection to, so sometimes you get a pages server and sometimes you get a git server. I'm not certain why this doesn't appear to be an issue in the browser but only on the command line, I haven't been able to reproduce this behavior in the browser.

Here are the outputs I get for both a successful attempt and failed attempt:

Failure:

openssl s_client -showcerts -connect codeberg.org:443
Connecting to 217.197.91.145
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=*.codeberg.page
verify return:1
---
Certificate chain
 0 s:CN=*.codeberg.page
 i:C=US, O=Let's Encrypt, CN=R10
 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 v:NotBefore: Sep 13 04:06:34 2024 GMT; NotAfter: Dec 12 04:06:33 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE/TCCA+WgAwIBAgISBE41DOxX9tvwZZi/byTCJ0z3MA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQwOTEzMDQwNjM0WhcNMjQxMjEyMDQwNjMzWjAaMRgwFgYDVQQD
DA8qLmNvZGViZXJnLnBhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC0JYdtNveSPU1kN/f0SjNL6/ZgWXOqCj4PrhSjxsQClFOqKvdEVMV2KjgL3A7P
LSWxdok18AlAcxmP/UNo3YbX0lBa0HxPnjqT+Ned2hDJAhlXi2j0sUemHoAK6a7q
lE3Bl4lJMGRlgnKvLRKl9E7jRLyEuGHFPQZ0bFDnxr5J7tS1DCzo+boHS86NYsBQ
0IBpq1wAMOqswzpNQC/4o0T8y1zK52B00AEbjEWTFNJJHhPiIp81PNqnZTAUUQQa
IDR1s+YsjoTDAmzC9dv1Wq+94K5J37WX0Tt4WFquaTzSR2OqaMcUZBl85LIcCqzF
y9+XtHGCUvP5fhdgR5ooZ1a7AgMBAAGjggIiMIICHjAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFEmRhcGRheHwxTaoLpeBKbgx8IVyMB8GA1UdIwQYMBaAFLu8w0el5Lyp
xsOkcgwQjaI14cjoMFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0cDov
L3IxMC5vLmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMC5pLmxlbmNy
Lm9yZy8wKQYDVR0RBCIwIIIPKi5jb2RlYmVyZy5wYWdlgg1jb2RlYmVyZy5wYWdl
MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA
GZgQcQnw1lIuMIDSnj9ku4NuKMz5D1KO7t/OSj8WtMoAAAGR6cVCFwAABAMARzBF
AiEAmhjzPZi5n+OaxjhTK0pAzhMILgAE3QpzYcnvqZwVAzUCIEFyhAuZHFSJWhz9
ukfAfoB/Rz1YzIrqtMcP8YpJbNJJAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhC
Cp/mZ0xaOnQAAAGR6cVCIgAABAMARzBFAiEAvzE/BNeFCS+sAsb3amN6dUYOJoAj
QDx+UQIbT0RDcV0CICuR8wel4gEJiRJcL8uoeCClFbztEfZqxjzGN6mPOQgwMA0G
CSqGSIb3DQEBCwUAA4IBAQAbbyGECdDcair6brWj1Fxuh8f0NTaOaQQxpfYVz57G
QScYoLxHWIaxiwFLUaJS/ojq4qW6mZGEwKnmhUBfh024jB9BsSF8A30BeWSeKE7l
/1DY5dV1KFH/NDnJB31i1DaCJAhAXVpj89GL8IXdETzsieQla0//IYoc8vCdsKpD
rktULWx30zcRja6GhP6ikNzpUx0wIQwTtIjlXFcRZj9o9soLm2jG3JH5yb+rkf24
+oyvSFhXRlF++/lz5X8Law9M5ZZVkK1UAicPLnarGp6nmDMP1eeAxXh5XUw2qIBK
FHu4COLvaXLwUqo4qh145O4acZuFimn73SYNORTemfK5
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=R10
 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=*.codeberg.page
issuer=C=US, O=Let's Encrypt, CN=R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3115 bytes and written 384 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
 Protocol : TLSv1.3
 Cipher : TLS_AES_128_GCM_SHA256
 Session-ID: 466B38D82ACD1A14FCAD1C205F0F16A273BA8081CD2AF57F441F8A2FBCC5F658
 Session-ID-ctx:
 Resumption PSK: A5DAF331F6558FE553F6C4DF4B88413E815AB08892F8BF72E4931C1F737520B0
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 604800 (seconds)
 TLS session ticket:
 0000 - 09 03 c6 f9 57 95 da 95-e0 5c 08 74 81 f6 35 f0 ....W....\.t..5.
 0010 - 37 e7 bd cc 00 44 bf 5c-c7 25 a2 f8 b1 51 40 61 7....D.\.%...Q@a
 0020 - cf 8a d7 4a e7 9c 4d f6-1d e0 0e fb 66 34 26 db ...J..M.....f4&.
 0030 - 9d 16 73 0b a2 44 d6 3b-ed 3e b7 bf 85 b0 47 7c ..s..D.;.>....G|
 0040 - 54 a2 ec 63 50 69 de 99-c6 30 c7 c2 1a ae fe ac T..cPi...0......
 0050 - dd 61 f0 d9 06 21 64 a2-76 4e d3 95 f6 3e 8e e6 .a...!d.vN...>..
 0060 - db 93 9a 41 cc 5d a6 96-96 ...A.]...
 Start Time: 1729004588
 Timeout : 7200 (sec)
 Verify return code: 0 (ok)
 Extended master secret: no
 Max Early Data: 0
---
read R BLOCK
DONE

Success:

openssl s_client -showcerts -connect codeberg.org:443 < /dev/null
Connecting to 217.197.91.145
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=codeberg.org
verify return:1
---
Certificate chain
 0 s:CN=codeberg.org
 i:C=US, O=Let's Encrypt, CN=E5
 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
 v:NotBefore: Oct 5 21:13:57 2024 GMT; NotAfter: Jan 3 21:13:56 2025 GMT
-----BEGIN CERTIFICATE-----
MIIDnDCCAyKgAwIBAgISAxBTn0w7udVUmebFLvqlzQTDMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NTAeFw0yNDEwMDUyMTEzNTdaFw0yNTAxMDMyMTEzNTZaMBcxFTATBgNVBAMTDGNv
ZGViZXJnLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxXbn7bGqIykrQO
7EnGmha4+IhLGI4eyGCzBjXSbXDgXEJkeQOj9naGOmA9/2whggd//YTlqzU9njjy
CpMsVrGjggIxMIICLTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFeWLnKF1/QDZBrW
gg4hG2RqMckpMB8GA1UdIwQYMBaAFJ8rX888IU+dBLftKyzExnCL0tcNMFUGCCsG
AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2U1Lm8ubGVuY3Iub3JnMCIG
CCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcvMDoGA1UdEQQzMDGCDiou
Y29kZWJlcmcub3JnghFjb2RlYmVyZy10ZXN0Lm9yZ4IMY29kZWJlcmcub3JnMBMG
A1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAfVke
EuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebgAAAGSXr3E2wAABAMARzBFAiAp
L7fYQp+Ai0U6FkVKFBrsazeahGmKaKTyUllue/gBYwIhAKpEJ9tUTH7UjxQvBrsG
mJhpYzdxTlbYgCkyJW9E/HFZAHYAzxFW7tUufK/zh1vZaS6b6RpxZ0qwF+ysAdJb
d87MOwgAAAGSXr3EoAAABAMARzBFAiEAjIj78E3uw6f9h+1DoCe7u3w9bvaSakL/
y4RWq4d5Y+ACICZhUga6990OCdK5hzdJ67Z5987jzUJi0KMHzuj5KWNDMAoGCCqG
SM49BAMDA2gAMGUCMQCpX/X3QNPC1khLmKZOR4VLVpvpwX4I0npBArB4vjPkYK3c
t8fL9iCbELfdLKRaSFoCMDJt2NitvLH0s3GauPYP0VW40UeyPthrSopnW5UGfJD4
Iq9w7OCi6mY7D97mhSOWnA==
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=E5
 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK
a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO
VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw
i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C
2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+
bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG
6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV
XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO
koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq
cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI
E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e
K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
VQD9F6Na/+zmXCc=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=codeberg.org
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2423 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

For curl failure:

curl -vv https://codeberg.org/ideasman42/emacs-undo-fu-session.git
* Host codeberg.org:443 was resolved.
* IPv6: (none)
* IPv4: 217.197.91.145
* Trying 217.197.91.145:443...
* Connected to codeberg.org (217.197.91.145) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=*.codeberg.page
* start date: Sep 13 04:06:34 2024 GMT
* expire date: Dec 12 04:06:33 2024 GMT
* subjectAltName does not match host name codeberg.org
* SSL: no alternative certificate subject name matches target host name 'codeberg.org'
* Closing connection
curl: (60) SSL: no alternative certificate subject name matches target host name 'codeberg.org'
More details here: https://curl.se/docs/sslcerts.html

Curl success:

curl -vv https://codeberg.org/ideasman42/emacs-undo-fu-session.git
* Host codeberg.org:443 was resolved.
* IPv6: (none)
* IPv4: 217.197.91.145
* Trying 217.197.91.145:443...
* Connected to codeberg.org (217.197.91.145) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=codeberg.org
* start date: Oct 5 21:13:57 2024 GMT
* expire date: Jan 3 21:13:56 2025 GMT
* subjectAltName: host "codeberg.org" matched cert's "codeberg.org"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://codeberg.org/ideasman42/emacs-undo-fu-session.git
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: codeberg.org]
* [HTTP/2] [1] [:path: /ideasman42/emacs-undo-fu-session.git]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /ideasman42/emacs-undo-fu-session.git HTTP/2
> Host: codeberg.org
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< cache-control: max-age=0, private, must-revalidate, no-transform
< content-type: text/html; charset=utf-8
< set-cookie: i_like_gitea=08b76050b4428f39; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax
< set-cookie: _csrf=4ur6Tuf76VvNh-Egs43ZwUmjhw06MTcyOTAwNDg3MzMyMDAwNTgxNA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax
< date: 2024年10月15日 15:07:53 GMT
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< permissions-policy: interest-cohort=()
< x-frame-options: sameorigin
< x-content-type-options: nosniff
<
---- Content omitted ---
### Comment Opening a new issue from #1368 as I'm not sure about the visibility of closed issues. I'm not going to recapitulate the entirety of the previous issue, but tl;dr command line tools get unpredictable results when trying to connect to codeberg.org, not sure why it doesn't present in browsers as well. I'm more than willing to help troubleshoot or look at configurations (I do have some experience with haproxy). I can reproduce this regularly from my end: Also this isn't a matter of just waiting an it resolves itself, it may take 10-20 attempts to get a proper response from the git side. If it were just a matter of me trying over and over with a git clone command that's one thing I guess, but when the clone is part of a larger installation package which is out of my control it makes for a very frustrating experience. At any rate, closing this because you can't solve it seems the wrong move and sends a message that it's unimportant. This should remain open until a fix is found. Just my $.02. Again I'm willing to help in any way that I can. Without knowing what the full architecture looks like, it seems that what is happening is that the haproxy is doing a round-robin load balancing to a pool of servers but the servers are specialized so that some are only doing pages and others are only doing git, but the load balancer isn't inspecting the request to determine which pool to forward the connection to, so sometimes you get a pages server and sometimes you get a git server. I'm not certain why this doesn't appear to be an issue in the browser but only on the command line, I haven't been able to reproduce this behavior in the browser. Here are the outputs I get for both a successful attempt and failed attempt: Failure: ``` openssl s_client -showcerts -connect codeberg.org:443 Connecting to 217.197.91.145 CONNECTED(00000005) depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 verify return:1 depth=1 C=US, O=Let's Encrypt, CN=R10 verify return:1 depth=0 CN=*.codeberg.page verify return:1 --- Certificate chain 0 s:CN=*.codeberg.page i:C=US, O=Let's Encrypt, CN=R10 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 13 04:06:34 2024 GMT; NotAfter: Dec 12 04:06:33 2024 GMT -----BEGIN CERTIFICATE----- MIIE/TCCA+WgAwIBAgISBE41DOxX9tvwZZi/byTCJ0z3MA0GCSqGSIb3DQEBCwUA MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD EwNSMTAwHhcNMjQwOTEzMDQwNjM0WhcNMjQxMjEyMDQwNjMzWjAaMRgwFgYDVQQD DA8qLmNvZGViZXJnLnBhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQC0JYdtNveSPU1kN/f0SjNL6/ZgWXOqCj4PrhSjxsQClFOqKvdEVMV2KjgL3A7P LSWxdok18AlAcxmP/UNo3YbX0lBa0HxPnjqT+Ned2hDJAhlXi2j0sUemHoAK6a7q lE3Bl4lJMGRlgnKvLRKl9E7jRLyEuGHFPQZ0bFDnxr5J7tS1DCzo+boHS86NYsBQ 0IBpq1wAMOqswzpNQC/4o0T8y1zK52B00AEbjEWTFNJJHhPiIp81PNqnZTAUUQQa IDR1s+YsjoTDAmzC9dv1Wq+94K5J37WX0Tt4WFquaTzSR2OqaMcUZBl85LIcCqzF y9+XtHGCUvP5fhdgR5ooZ1a7AgMBAAGjggIiMIICHjAOBgNVHQ8BAf8EBAMCBaAw HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD VR0OBBYEFEmRhcGRheHwxTaoLpeBKbgx8IVyMB8GA1UdIwQYMBaAFLu8w0el5Lyp xsOkcgwQjaI14cjoMFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0cDov L3IxMC5vLmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMC5pLmxlbmNy Lm9yZy8wKQYDVR0RBCIwIIIPKi5jb2RlYmVyZy5wYWdlgg1jb2RlYmVyZy5wYWdl MBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA GZgQcQnw1lIuMIDSnj9ku4NuKMz5D1KO7t/OSj8WtMoAAAGR6cVCFwAABAMARzBF AiEAmhjzPZi5n+OaxjhTK0pAzhMILgAE3QpzYcnvqZwVAzUCIEFyhAuZHFSJWhz9 ukfAfoB/Rz1YzIrqtMcP8YpJbNJJAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhC Cp/mZ0xaOnQAAAGR6cVCIgAABAMARzBFAiEAvzE/BNeFCS+sAsb3amN6dUYOJoAj QDx+UQIbT0RDcV0CICuR8wel4gEJiRJcL8uoeCClFbztEfZqxjzGN6mPOQgwMA0G CSqGSIb3DQEBCwUAA4IBAQAbbyGECdDcair6brWj1Fxuh8f0NTaOaQQxpfYVz57G QScYoLxHWIaxiwFLUaJS/ojq4qW6mZGEwKnmhUBfh024jB9BsSF8A30BeWSeKE7l /1DY5dV1KFH/NDnJB31i1DaCJAhAXVpj89GL8IXdETzsieQla0//IYoc8vCdsKpD rktULWx30zcRja6GhP6ikNzpUx0wIQwTtIjlXFcRZj9o9soLm2jG3JH5yb+rkf24 +oyvSFhXRlF++/lz5X8Law9M5ZZVkK1UAicPLnarGp6nmDMP1eeAxXh5XUw2qIBK FHu4COLvaXLwUqo4qh145O4acZuFimn73SYNORTemfK5 -----END CERTIFICATE----- 1 s:C=US, O=Let's Encrypt, CN=R10 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a /6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4 FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3 DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/ AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5 tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9 1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0 GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh 1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N 4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54= -----END CERTIFICATE----- --- Server certificate subject=CN=*.codeberg.page issuer=C=US, O=Let's Encrypt, CN=R10 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3115 bytes and written 384 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 Session-ID: 466B38D82ACD1A14FCAD1C205F0F16A273BA8081CD2AF57F441F8A2FBCC5F658 Session-ID-ctx: Resumption PSK: A5DAF331F6558FE553F6C4DF4B88413E815AB08892F8BF72E4931C1F737520B0 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: 0000 - 09 03 c6 f9 57 95 da 95-e0 5c 08 74 81 f6 35 f0 ....W....\.t..5. 0010 - 37 e7 bd cc 00 44 bf 5c-c7 25 a2 f8 b1 51 40 61 7....D.\.%...Q@a 0020 - cf 8a d7 4a e7 9c 4d f6-1d e0 0e fb 66 34 26 db ...J..M.....f4&. 0030 - 9d 16 73 0b a2 44 d6 3b-ed 3e b7 bf 85 b0 47 7c ..s..D.;.>....G| 0040 - 54 a2 ec 63 50 69 de 99-c6 30 c7 c2 1a ae fe ac T..cPi...0...... 0050 - dd 61 f0 d9 06 21 64 a2-76 4e d3 95 f6 3e 8e e6 .a...!d.vN...>.. 0060 - db 93 9a 41 cc 5d a6 96-96 ...A.]... Start Time: 1729004588 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK DONE ``` Success: ``` openssl s_client -showcerts -connect codeberg.org:443 < /dev/null Connecting to 217.197.91.145 CONNECTED(00000005) depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 verify return:1 depth=1 C=US, O=Let's Encrypt, CN=E5 verify return:1 depth=0 CN=codeberg.org verify return:1 --- Certificate chain 0 s:CN=codeberg.org i:C=US, O=Let's Encrypt, CN=E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Oct 5 21:13:57 2024 GMT; NotAfter: Jan 3 21:13:56 2025 GMT -----BEGIN CERTIFICATE----- MIIDnDCCAyKgAwIBAgISAxBTn0w7udVUmebFLvqlzQTDMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NTAeFw0yNDEwMDUyMTEzNTdaFw0yNTAxMDMyMTEzNTZaMBcxFTATBgNVBAMTDGNv ZGViZXJnLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBxXbn7bGqIykrQO 7EnGmha4+IhLGI4eyGCzBjXSbXDgXEJkeQOj9naGOmA9/2whggd//YTlqzU9njjy CpMsVrGjggIxMIICLTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFeWLnKF1/QDZBrW gg4hG2RqMckpMB8GA1UdIwQYMBaAFJ8rX888IU+dBLftKyzExnCL0tcNMFUGCCsG AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL2U1Lm8ubGVuY3Iub3JnMCIG CCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcvMDoGA1UdEQQzMDGCDiou Y29kZWJlcmcub3JnghFjb2RlYmVyZy10ZXN0Lm9yZ4IMY29kZWJlcmcub3JnMBMG A1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAfVke EuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebgAAAGSXr3E2wAABAMARzBFAiAp L7fYQp+Ai0U6FkVKFBrsazeahGmKaKTyUllue/gBYwIhAKpEJ9tUTH7UjxQvBrsG mJhpYzdxTlbYgCkyJW9E/HFZAHYAzxFW7tUufK/zh1vZaS6b6RpxZ0qwF+ysAdJb d87MOwgAAAGSXr3EoAAABAMARzBFAiEAjIj78E3uw6f9h+1DoCe7u3w9bvaSakL/ y4RWq4d5Y+ACICZhUga6990OCdK5hzdJ67Z5987jzUJi0KMHzuj5KWNDMAoGCCqG SM49BAMDA2gAMGUCMQCpX/X3QNPC1khLmKZOR4VLVpvpwX4I0npBArB4vjPkYK3c t8fL9iCbELfdLKRaSFoCMDJt2NitvLH0s3GauPYP0VW40UeyPthrSopnW5UGfJD4 Iq9w7OCi6mY7D97mhSOWnA== -----END CERTIFICATE----- 1 s:C=US, O=Let's Encrypt, CN=E5 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C 2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG 6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd VQD9F6Na/+zmXCc= -----END CERTIFICATE----- --- Server certificate subject=CN=codeberg.org issuer=C=US, O=Let's Encrypt, CN=E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2423 bytes and written 400 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- DONE ``` For curl failure: ``` curl -vv https://codeberg.org/ideasman42/emacs-undo-fu-session.git * Host codeberg.org:443 was resolved. * IPv6: (none) * IPv4: 217.197.91.145 * Trying 217.197.91.145:443... * Connected to codeberg.org (217.197.91.145) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF * ALPN: server accepted h2 * Server certificate: * subject: CN=*.codeberg.page * start date: Sep 13 04:06:34 2024 GMT * expire date: Dec 12 04:06:33 2024 GMT * subjectAltName does not match host name codeberg.org * SSL: no alternative certificate subject name matches target host name 'codeberg.org' * Closing connection curl: (60) SSL: no alternative certificate subject name matches target host name 'codeberg.org' More details here: https://curl.se/docs/sslcerts.html ``` Curl success: ``` curl -vv https://codeberg.org/ideasman42/emacs-undo-fu-session.git * Host codeberg.org:443 was resolved. * IPv6: (none) * IPv4: 217.197.91.145 * Trying 217.197.91.145:443... * Connected to codeberg.org (217.197.91.145) port 443 * ALPN: curl offers h2,http/1.1 * (304) (OUT), TLS handshake, Client hello (1): * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (IN), TLS handshake, Server hello (2): * (304) (IN), TLS handshake, Unknown (8): * (304) (IN), TLS handshake, Certificate (11): * (304) (IN), TLS handshake, CERT verify (15): * (304) (IN), TLS handshake, Finished (20): * (304) (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF * ALPN: server accepted h2 * Server certificate: * subject: CN=codeberg.org * start date: Oct 5 21:13:57 2024 GMT * expire date: Jan 3 21:13:56 2025 GMT * subjectAltName: host "codeberg.org" matched cert's "codeberg.org" * issuer: C=US; O=Let's Encrypt; CN=E5 * SSL certificate verify ok. * using HTTP/2 * [HTTP/2] [1] OPENED stream for https://codeberg.org/ideasman42/emacs-undo-fu-session.git * [HTTP/2] [1] [:method: GET] * [HTTP/2] [1] [:scheme: https] * [HTTP/2] [1] [:authority: codeberg.org] * [HTTP/2] [1] [:path: /ideasman42/emacs-undo-fu-session.git] * [HTTP/2] [1] [user-agent: curl/8.7.1] * [HTTP/2] [1] [accept: */*] > GET /ideasman42/emacs-undo-fu-session.git HTTP/2 > Host: codeberg.org > User-Agent: curl/8.7.1 > Accept: */* > * Request completely sent off < HTTP/2 200 < cache-control: max-age=0, private, must-revalidate, no-transform < content-type: text/html; charset=utf-8 < set-cookie: i_like_gitea=08b76050b4428f39; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax < set-cookie: _csrf=4ur6Tuf76VvNh-Egs43ZwUmjhw06MTcyOTAwNDg3MzMyMDAwNTgxNA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax < date: 2024年10月15日 15:07:53 GMT < strict-transport-security: max-age=63072000; includeSubDomains; preload < permissions-policy: interest-cohort=() < x-frame-options: sameorigin < x-content-type-options: nosniff < ---- Content omitted --- ```

I did another look over the haproxy config and while reading the documentation for the SNI based routing I came across the following that may be interesting:

If content switching is needed, it is recommended to first wait for a complete client hello (type 1), like in the example below.

tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend bk_allow if { req.ssl_sni -f allowed_sites }
default_backend bk_sorry_page

From https://docs.haproxy.org/2.9/configuration.html#req.ssl_sni

The current HAProxy config does not have such configuration - it seems like that it will default to Codeberg Pages if in the request the client hello is not send in the first chunk of data (or after an already specified lower timeout?). It would be worth a try to see if adding the first two lines resolves this instability.

I did another look over the haproxy config and while reading the documentation for the SNI based routing I came across the following that may be interesting: > If content switching is needed, it is recommended to first wait for a complete client hello (type 1), like in the example below. > >``` > tcp-request inspect-delay 5s > tcp-request content accept if { req.ssl_hello_type 1 } > use_backend bk_allow if { req.ssl_sni -f allowed_sites } > default_backend bk_sorry_page > ``` From https://docs.haproxy.org/2.9/configuration.html#req.ssl_sni The current HAProxy config does not have such configuration - it seems like that it will default to Codeberg Pages if in the request the client hello is not send in the first chunk of data (or after an already specified lower timeout?). It would be worth a try to see if adding the first two lines resolves this instability.

I completely overlooked this portion, so it seems we already do wait for a SNI.

# Wait up to 5s for a SNI header & only accept TLS connections
tcp-request inspect-delay 15s
tcp-request content capture req.ssl_sni len 255
I completely overlooked this portion, so it seems we already do wait for a SNI. https://codeberg.org/Codeberg-Infrastructure/scripted-configuration/src/commit/84e03c0d04f6467c3f14e4731b3a3ae303632fec/hosts/kampenwand/etc/haproxy/haproxy.cfg#L88-L90

After the crash a earlier this month, it seems that Codeberg now consistently serves *.codeberg.page, codeberg.page certificates in specific cases.

  • One is for 3rd party F-Droid repos hosted on Codeberg and linked to via an URL like https://codeberg.org/user/fdroid-repo/raw/branch/main/fdroid/repo.
  • When something is downloaded via Windows APIs like Msxml2.XMLHTTP (you'll need to have Check for server certificate revocation enabled under Internet Options>Advanced to have the warning shown.

This might still be related to SNI, but perhaps the default without SNI is now codeberg.page whereas it was codeberg.org before?

After the crash a earlier this month, it seems that Codeberg now consistently serves `*.codeberg.page, codeberg.page` certificates in specific cases. - One is for 3rd party F-Droid repos hosted on Codeberg and linked to via an URL like `https://codeberg.org/user/fdroid-repo/raw/branch/main/fdroid/repo`. - When something is downloaded via Windows APIs like `Msxml2.XMLHTTP` (you'll need to have `Check for server certificate revocation` enabled under `Internet Options`>`Advanced` to have the warning shown. This might still be related to SNI, but perhaps the default without SNI is now `codeberg.page` whereas it was `codeberg.org` before?

@ltguillaume Do you have specific links where this happens? Which tool do you use to access these links?

@ltguillaume Do you have specific links where this happens? Which tool do you use to access these links?
  1. F-Droid: try using the IronFox repo: https://fdroid.link/#https://codeberg.org/ironfox-oss/fdroid/raw/branch/main/fdroid/repo?fingerprint=c5e291b5a571f9c8cd9a9799c2c94e02ec9703948893f2ca756d67b94204f904 (uncheck the non-Codeberg mirrors). Result:
    image
  2. The second point was reproducible until yesterday, but it seems that something has changed since.
1. [F-Droid](https://f-droid.org): try using the [IronFox](https://gitlab.com/ironfox-oss/IronFox) repo: https://fdroid.link/#https://codeberg.org/ironfox-oss/fdroid/raw/branch/main/fdroid/repo?fingerprint=c5e291b5a571f9c8cd9a9799c2c94e02ec9703948893f2ca756d67b94204f904 (uncheck the non-Codeberg mirrors). Result: ![image](/attachments/276e0a7c-b284-4d62-97b0-70f176f3d82b) 2. The second point was reproducible until yesterday, but it seems that something has changed since.

@Gusted Have you been able to reproduce this? Just import the repo and disable the other two mirrors, leaving only the Codeberg mirror enabled.

@Gusted Have you been able to reproduce this? Just import the repo _and disable the other two mirrors_, leaving only the Codeberg mirror enabled.
Sign in to join this conversation.
No Branch/Tag specified
main
No results found.
Labels
Clear labels
accessibility

Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.
bug

Something is not working the way it should. Does not concern outages.
bug
infrastructure
Errors evidently caused by infrastructure malfunctions or outages
Codeberg

This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.
contributions welcome

Please join the discussion and consider contributing a PR!
docs

No bug, but an improvement to the docs or UI description will help
duplicate

This issue or pull request already exists
enhancement

New feature
infrastructure

Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.
legal

An issue directly involving legal compliance
licence / ToS

involving questions about the ToS, especially licencing compliance
please chill
we are volunteers
Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.
public relations

Things related to Codeberg's external communication
question

More information is needed
question
user support
This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.
s/Forgejo

Related to Forgejo. Please also check Forgejo's issue tracker.
s/Forgejo/migration

Migration related issues in Forgejo
s/Pages

Issues related to the Codeberg Pages feature
s/Weblate

Issue is related to the Weblate instance at https://translate.codeberg.org
s/Woodpecker

Woodpecker CI related issue
security

involves improvements to the sites security
service

Add a new service to the Codeberg ecosystem (instead of implementing into Gitea)
upstream

An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Gitea, Forgejo, etc.)
wontfix

Codeberg's current set of contributors are not planning to spend time on delegating this issue.
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Codeberg/Community#1673
Reference in a new issue
Codeberg/Community
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?