Thread: Missing Subject Alternative Names in ftp mirrors site certificate
All, not sure if this is the correct mailing list, so please direct me if necessary.
The download.postgresql.org has an incomplete TLS certificate that is missing some Subject Alt Names currently included in the DNS for ftp.mirrors.postgresql.org.
The round-robin DNS occasionally hits a valid name that is listed in the certificate, but many of them fail. Certificate shows SANs for:
SN = ftp.postgresql.org
SAN DNS Name = apt.postgresql.org
SAN DNS Name = download.postgresql.org
SAN DNS Name = fendaus.postgresql.org
SAN DNS Name = ftp.postgresql.org
The IPs listed for download.postgresql.org and ftp.postgresql.org show the following IPs (listing IPv4 only):
Non-authoritative answer:
ftp.postgresql.org canonical name = ftp.mirrors.postgresql.org.
Name: ftp.mirrors.postgresql.org
Address: 147.75.85.69
Name: ftp.mirrors.postgresql.org
Address: 217.196.149.55
Name: ftp.mirrors.postgresql.org
Address: 72.32.157.246
Name: ftp.mirrors.postgresql.org
Address: 87.238.57.227
And the reverse DNS shows the following alternative names being used:
55.48-63.149.196.217.in-addr.arpa name = fabrina.postgresql.org.
246.157.32.72.in-addr.arpa name = faynos.postgresql.org.
69.85.75.147.in-addr.arpa name = fendaus.postgresql.org.
227.226-238.57.238.87.in-addr.arpa name = feris.postgresql.org.
I only see one server that matches (fendaus.postgresql.org), which aligns with my failure rate of TLS certificate errors (edited). Additionally, ftp.mirrors.postgresql.org isn't listed in the SAN either and throws a certificate error.
For background, I pulled a RHEL 7 repo RPM from here and that's where I first noticed the issues (by failed YUM/curl connections).
https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Thanks,
Ben Buley
buleyb@gmail.com
On Wed, Jan 20, 2021 at 11:46 PM Ben Buley <buleyb@gmail.com> wrote:
>
> All, not sure if this is the correct mailing list, so please direct me if necessary.
>
> The download.postgresql.org has an incomplete TLS certificate that is missing some Subject Alt Names currently included in the DNS for ftp.mirrors.postgresql.org.
> The round-robin DNS occasionally hits a valid name that is listed in the certificate, but many of them fail. Certificate shows SANs for:
> SN = ftp.postgresql.org
> SAN DNS Name = apt.postgresql.org
> SAN DNS Name = download.postgresql.org
> SAN DNS Name = fendaus.postgresql.org
> SAN DNS Name = ftp.postgresql.org
>
> The IPs listed for download.postgresql.org and ftp.postgresql.org show the following IPs (listing IPv4 only):
> Non-authoritative answer:
> ftp.postgresql.org canonical name = ftp.mirrors.postgresql.org.
> Name: ftp.mirrors.postgresql.org
> Address: 147.75.85.69
> Name: ftp.mirrors.postgresql.org
> Address: 217.196.149.55
> Name: ftp.mirrors.postgresql.org
> Address: 72.32.157.246
> Name: ftp.mirrors.postgresql.org
> Address: 87.238.57.227
>
> And the reverse DNS shows the following alternative names being used:
> 55.48-63.149.196.217.in-addr.arpa name = fabrina.postgresql.org.
> 246.157.32.72.in-addr.arpa name = faynos.postgresql.org.
> 69.85.75.147.in-addr.arpa name = fendaus.postgresql.org.
> 227.226-238.57.238.87.in-addr.arpa name = feris.postgresql.org.
>
> I only see one server that matches (fendaus.postgresql.org), which aligns with my failure rate of TLS certificate errors (edited). Additionally, ftp.mirrors.postgresql.org isn't listed in the SAN either and throws a certificate error.
>
> For background, I pulled a RHEL 7 repo RPM from here and that's where I first noticed the issues (by failed YUM/curl connections).
> https://download.postgresql.org/pub/repos/yum/9.5/redhat/rhel-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Do you find that reproducible? Did you actually get redirected there somehow?

That name is never supposed to show up in a URL, and as long as it doesn't, it shouldn't be relevant to SAN.

I just test-installed that repo rpm and then also tried to install postgres from it and it works fine without any complaints from here... Can you provide the exact commands you used to get the problem?

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
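As an added example (not code from either post in this thread), a small Python check that separates the two questions raised above: does the certificate cover the name the client actually connects with, and does a backend's reverse-DNS name matter at all. The SAN list and host names are the ones quoted in the thread; the live probe function assumes outbound access to port 443 and is not needed for the offline matching logic.

```python
import socket
import ssl


def san_matches(hostname, san_names):
    """RFC 6125 style: exact match or one leading wildcard label (*.example.org).
    Partial-label wildcards such as f*.example.org are deliberately not honoured."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) == len(host) >= 3
                and labels[1:] == host[1:]):
            return True
    return False


def explain_mismatch(connect_name, san_names, ptr_name):
    """Return (verifies, ptr_in_san). Only the first value decides whether a
    client that connected to connect_name gets a certificate error; the
    backend's reverse-DNS name only matters if a redirect or hand-typed URL
    makes the client connect using that name."""
    return san_matches(connect_name, san_names), san_matches(ptr_name, san_names)


def probe_round_robin(hostname, port=443, timeout=5.0):
    """Resolve hostname and verify the certificate presented by every A/AAAA
    record, sending SNI and checking the certificate against the name clients
    actually use. Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    results = {}
    for *_, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in results:
            continue
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                results[ip] = (True, [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"])
        except (ssl.SSLError, OSError) as exc:
            results[ip] = (False, str(exc))
    return results


if __name__ == "__main__":
    for ip, (ok, detail) in probe_round_robin("download.postgresql.org").items():
        print(ip, "OK" if ok else "FAIL", detail)
```

Running the script prints one line per round-robin member, which is the quickest way to tell a genuinely mis-issued certificate on one backend from a client that is connecting by a name it was never meant to use.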