Kubuntu.org security issue warning in firefox
Posted by These_Growth9876@reddit | linux | View on Reddit | 65 comments
Head-Mud_683@reddit
Coincidently I saw this yesterday.
michaelpaoli@reddit
Looks like they since got that quite well squared away:
https://www.ssllabs.com/ssltest/analyze.html?d=kubuntu.org
And as u/ArrayBolt3 earlier mentioned:
ArrayBolt3@reddit
Speaking as a Kubuntu dev, we're mid website migration. The people who have control of the DNS didn't quite coordinate with us right and so things went south. We're working on it. This wasn't "oops haha stupid dev forgot to renew cert", this is just a migration mixup.
michaelpaoli@reddit
"Ooopsie!" Uhm, yeah, that comment should be up way higher.
Does rather suck when provider(s) just aren't that competent. And some also make migrations a pain in the rear - at best. Many also, apparently quite intentionally, also make migrating away from them about as difficult as they can manage to make it.
And yes, there are providers that should be avoided like the plague. Heck, even some that offer their services for free to non-profits - that's way the hell too high a price for the (dis)services they provide.
LordAlfredo@reddit
That'd explain why the CA is default-configuration Caddy self-signed!
Ice_Hill_Penguin@reddit
Apparently someone messed up cert things there:
Issued On: Thursday, November 6, 2025 at 10:20:56 AM
Expires On: Thursday, November 6, 2025 at 10:20:56 PM
LordAlfredo@reddit
Their signing CA isn't much better, issued Nov 2 expires Nov 9.
fearless-fossa@reddit
A 7 day cycle isn't an issue if you've automated the process. I'd like to say nobody does these things manually... But I encounter these people daily.
The issue the CA has is the CN.
michaelpaoli@reddit
Don't we all wish!
Uhm, but at least hopefully folks have at least mostly automated the procedures.
So, yeah, e.g. much of my rather complex cert architectures, and those I manage, have generally, as feasible, automated the heck out of 'em. But that doesn't mean absolutely everything is fully automated. Some things it's still more efficient to do (semi-)manually than do all the code, etc. to fully automate - some of those edge cases the ROI just isn't there for making it 100% automated, yeah, often the optimal, in e.g. operating costs, is more like about 99.75%+-.
So, e.g. I've got programs that, given appropriate arguments, will get certs - including complex SAN certs with wildcards, and many domains - even lots of certs in one single command. Also have programs that semi-automate a lot of the installation of such certs. But alas, not everything is fully automated. Why spend a week coding up something that'll save 180 seconds every 80 days? On the other hand, a few days coding up what saves many days or more of work/time per month - and cuts it down to minutes or less - that was all done long ago.
syklemil@reddit
Yeah, we used to do this manually a decade ago, and then getting a new cert involved bureaucracy, and came with a bill! So getting long-lived certs cut down on labour and likely got you some discount.
These days I expect Let's encrypt and something like cert-manager, where you more or less just say "I want a cert for this thing for this purpose and it should last this long" and it just … magically appears.
fearless-fossa@reddit
Yeah... A decade ago... Right...
I know enterprises that manually manage several thousand certificates with year long expiration times because "automation isn't how you do serious stuff". And those are all "top of their industry" kind of enterprises.
TheHovercraft@reddit
I at least think 7 days seems too short. If something goes wrong with the update process that's how long you have until the old one expires.
I also don't see the benefit of rotating them out so often. The new standard is 47 days and 7 seems excessive. The only benefit I see from this is forcing people to automate the process and that's a bit of a stretch.
rfc2549-withQOS@reddit
The CA has a week? Smells like someone mixed the units on expiry, in my opinion
winauer@reddit
Let's Encrypt:
Kubuntu:
Markd0ne@reddit
0 second certificates are most secure ones.
patrakov@reddit
It's not 0-second, it is 12-hour.
AntLive9218@reddit
I occasionally wonder when (or if?) we will reach the point of leaving behind ancient, known silly practices like this AM/PM madness.
Science universally uses metric units, organizations not operating in just a single tiny area typically use 24 hours time formats, but some people just refuse to move on from the outdated approach they were taught, solely due to not refusing to learn anymore.
FluxUniversity@reddit
the securest
hadrabap@reddit
Self-signed certificate.
Candid-Scarcity2224@reddit
The dev team is aware of it and have pinged the people in charge: https://www.reddit.com/r/Kubuntu/comments/1oq0vwt/cant_access_kubuntuorg_because_of_invalid_https/
Check the top comment.
realitythreek@reddit
Astonishing that it’s still broken though. Replacing a cert should be quick and painless.
Yeetyeetskrtskrrrt@reddit
If it’s a migration it’s probably a dns issue and we all know how much fun fixing that is
teh_maxh@reddit
I'm guessing they just switched to Caddy and forgot to configure it to use the right certificate.
i_h8_yellow_mustard@reddit
MANJARO NO-
oh sorry, habit
KUBUNTU NO!
abbidabbi@reddit
This is not a regular TLS certificate expiration error though.
rdqsr@reddit
depth=1 CN=Caddy Local Authority - ECC Intermediate
Hold up. Is that one of the default snake oil certs that a webserver generates for testing purposes?
ivosaurus@reddit
There's nothing about it that's snake oil. It just should never be hitting the public web, and was likely never designed to. Some dev has done an oopsy.
rdqsr@reddit
It's what OpenSSL calls the default self-signed certificate that gets generated for testing ssl.
1esproc@reddit
Yes
rebbsitor@reddit
A certificate valid for only 12 hours? Wow...
Soluchyte@reddit
Standard caddy LA certificate duration, I constantly get these warnings when accessing my local services that I have DNS for.
MairusuPawa@reddit
This one is a bit extreme, but short-lived TLS certs are a good practice yes.
syklemil@reddit
Yeah, the conventional wisdom these days is that you
lproven@reddit
"Yes, boss, I renewed it for 12 years, like you said. It was really cheap!"
tramster@reddit
Is it not? Looks like they just let their chain expire.
0riginal-Syn@reddit
LOL, perfect.
0riginal-Syn@reddit
It is difficult to fathom how these teams allow this to happen. You can automate this without much effort.
LordAlfredo@reddit
It looks like they just did it very badly.
0riginal-Syn@reddit
That is actually less embarrassing to me. That is an honest mistake. Still needs to be automated to avoid the issue.
MyraidChickenSlayer@reddit
From dev.
LordAlfredo@reddit
No it's actually even worse, the current CA is now locally generated and self signed. It looks like they screwed up their migration to a 1 week CA.
ArrayBolt3@reddit
As a Kubuntu dev, this is downright depressing to read. It's not an "oops I forgot to renew my cert", we're right in the middle of migrating the website to a new platform and not everything went according to plan. And this is what we get for trying to actively maintain the distro's infra and make it more stable?
This is the kind of thing that causes contributor burnout and makes people want to stop working on the distro. Do you want to see maintainers give up? Would you like the random person in Nebraska to snap and let all modern digital infra crumble? Then keep this up.
(And yes, I realize I'm being a bit dramatic, obviously one guy being a jerk about a website isn't going to make a development team rage-quit, but this kind of stuff contributes to the general feeling of "this isn't something I enjoy doing anymore", and once enough of that builds up, people stop maintaining things.)
thebouv@reddit
Shit happens. AWS goes down too. 🤷♂️
0riginal-Syn@reddit
You are correct. It can happen to anyone. But these days SSL certs are so easy to automate at no cost and no longer have to worry about. There are also free services for monitoring your SSL certs. Having an expired cert is one of the more embarrassing things to let happen, and with browsers starting to enforce SSL, disruptive.
triemdedwiat@reddit
FANG thuggery to extort money.
SelectionDue4287@reddit
Vibeadmining
ipaqmaster@reddit
Man, I can see the admin for this site's browser tab now:
"Hey chatGTP I need to renew my site's cert can you help meee xddddd"
"Sure thing cunt here ya go <3 <3 <3 <# <# <#<#<#"
And then it outputs some openssl one-liner that doesn't work until you correct most of the non-existent flags it made up and the admin's finally like
Hey this comes up with a certificate warning on my computer and people are complaining about it on reddit! and the llm is like
"Oh wow silly me teehee ecks dee you got me! well spotted! you're a FUCKING genius. Anyway here's the real command:" and gets the fucking flags wrong again and its still self signed.
LordAlfredo@reddit
Uh.
Oh lord they did it with their signing certificate too.
gmes78@reddit
Caddy automatically uses Let's Encrypt. Not sure what went wrong here.
LordAlfredo@reddit
It looks like they probably deployed a default Caddy configuration by accident, a colleague has "the same" CA on his local home network.
__konrad@reddit
It seems you can now click "Accept the Risk" button... if you really want.
These_Growth9876@reddit (OP)
Hell no dude, I would rather just wait.
-not_a_knife@reddit
Does Kubuntu use the Rust uutils? Did they have a bug with the `date` binary that was screwing up scripts?
absolutecinemalol@reddit
Manjaro all over again.
Sure-Passion2224@reddit
This happens when their SSL cert expires.
litescript@reddit
"this good to push?"
"looks great on my machine"
mallardtheduck@reddit
Not only are there certificate issues, but the IP it's resolving to (194.26.222.242) for me doesn't appear to be owned by Canonical... Someone screwed up the DNS or some failed DNS hijack?
Also, bypassing the certificate error results in accessing a website that looks substantially different (and unfinished; e.g. lacking proper copyright notices) from yesterday's Wayback Machine snapshot and all the "deep" links I can find in search results go to 404 errors. Some kind of site redesign that went "live" by accident?
nekokattt@reddit
Curling that IP with spoofed SNI just results in a TLS failure serverside, so likely just borked infrastructure.
nshire@reddit
Nice of Firefox to include an informative text box there though
SeriousPlankton2000@reddit
The only useful thing is the error code.
nshire@reddit
I said it was informative, not actionable
CafeBagels08@reddit
`SEC_ERROR_UNKNOWN_ISSUER` means that it's likely a self-signed SSL certificate
Dwedit@reddit
Signed by "Caddy Local Authority - ECC Intermediate"
Self-signed public web pages are almost never legit.
spin81@reddit
Nice conspiracy theory but it's probably a misconfiguration rather than a site that's not "legit"
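The thread mixes three separate things a browser or a cert monitor would flag on this site: an issuer that chains to no trusted root (`SEC_ERROR_UNKNOWN_ISSUER`, which is not the same as an expired cert), a 12-hour leaf lifetime, and a renewal that should already have run. The following Go program, written for this page and not taken from Kubuntu, Caddy or Firefox, reproduces all three offline. It generates its own ECDSA keys and certificates: a stand-in public root, a self-signed one-week "local authority" whose CN is copied from the thread, and a 12-hour leaf for the placeholder name `example.org`. The issue timestamp quoted in the thread is taken as UTC, and the renew-when-a-third-of-the-lifetime-remains rule is an assumed policy, not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Finding is one problem a browser, or a certificate monitor, would raise about a leaf.
type Finding string

const (
	UnknownIssuer  Finding = "issuer does not chain to a trusted root (Firefox: SEC_ERROR_UNKNOWN_ISSUER)"
	Expired        Finding = "outside validity period"
	ShortLived     Finding = "lifetime under 24h"
	RenewalOverdue Finding = "under a third of lifetime left; automated renewal has not run"
)

// Diagnose checks leaf at time now against the given trust store and intermediates.
// Go's Verify, like a browser, rejects an expired leaf before it tries to build a chain,
// so an expired cert and an untrusted issuer surface as different findings.
func Diagnose(leaf *x509.Certificate, intermediates, roots *x509.CertPool, now time.Time) []Finding {
	var out []Finding
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, CurrentTime: now})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &unknown):
		out = append(out, UnknownIssuer)
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		out = append(out, Expired)
	case err != nil:
		out = append(out, Finding("verify: "+err.Error()))
	}
	lifetime := leaf.NotAfter.Sub(leaf.NotBefore)
	if lifetime < 24*time.Hour {
		out = append(out, ShortLived)
	}
	// Assumed renewal policy: renew once a third of the lifetime is left.
	if leaf.NotAfter.Sub(now) < lifetime/3 {
		out = append(out, RenewalOverdue)
	}
	return out
}

// Scenario mirrors the thread: a self-signed local CA valid for a week issues a 12-hour
// leaf, and a separate root stands in for the browser's trust store. All constructed here.
type Scenario struct {
	PublicRoot, LocalCA, Leaf *x509.Certificate
	Issued                    time.Time
}

func BuildScenario() Scenario {
	issued := time.Date(2025, 11, 6, 10, 20, 56, 0, time.UTC) // thread's "Issued On", taken as UTC
	publicRoot, _ := newCert(caTemplate("Example Public Root", issued.AddDate(-1, 0, 0), issued.AddDate(9, 0, 0)), nil, nil)
	// CN copied from the thread; the certificate itself is generated locally for this example.
	localCA, localKey := newCert(caTemplate("Caddy Local Authority - ECC Intermediate", issued.AddDate(0, 0, -4), issued.AddDate(0, 0, 3)), nil, nil)
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: "example.org"},
		DNSNames:     []string{"example.org"},
		NotBefore:    issued,
		NotAfter:     issued.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, localCA, localKey)
	return Scenario{publicRoot, localCA, leaf, issued}
}

var serial int64

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func caTemplate(cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              to,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// newCert signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	s := BuildScenario()
	now := s.Issued.Add(9 * time.Hour)
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	inter.AddCert(s.LocalCA)
	roots.AddCert(s.PublicRoot)
	fmt.Println("as a browser sees it:     ", Diagnose(s.Leaf, inter, roots, now))
	roots.AddCert(s.LocalCA) // roughly what importing the local CA into a trust store amounts to
	fmt.Println("after trusting the local CA:", Diagnose(s.Leaf, inter, roots, now))
	fmt.Println("an hour after NotAfter:     ", Diagnose(s.Leaf, inter, roots, s.Issued.Add(13*time.Hour)))
}
```

The first run reports the unknown issuer together with the lifetime problems; once the local CA is in the root pool the issuer finding disappears but the 12-hour lifetime and the missed renewal remain, which is the point made several times above: trusting the cert does not fix the automation. The third run shows why `SEC_ERROR_UNKNOWN_ISSUER` and an expiry error are not interchangeable: an expired leaf is rejected on its dates before any chain is built.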
WillieFiddler@reddit
Looks like the website admin did a woopsie. You probably just gotta wait for them to fix it on their end.