On Mon, Mar 23, 2020 at 4:00 PM Elmar Stellnberger wrote:

> The only site which is still making problems is cdimage.debian.org.
> Could any good Christ from the Debian community have a look at this
> issue. The server maintainers would need to complain about the rogue cert!

I've forwarded this to the Debian sysadmins IRC channel. I think it is
related to the fact that the cdimage.d.o server is not managed by the
Debian sysadmins, so the UMU ACC admins probably used Let's Encrypt to
get certs, and then of course the TLSA records got outdated after the
renewal.

For other debian.org domains that are not managed by the Debian
sysadmins, we centrally create the certs and propagate them to external
services (like the CDNs for deb.d.o). The cdimage.d.o server isn't a CDN
and probably doesn't have cert APIs, but we can probably use the same
approach to fix this.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
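
Added example, not part of the original message or of Debian's tooling: a sketch of how a renewal leaves a published TLSA record stale, assuming a `3 1 1` record and a renewal that generates a new key. The host name, file names and self-signed certificates are constructed stand-ins for a CA-issued certificate.

```shell
#!/bin/sh
# Added illustration: TLSA "3 1 1" data is SHA-256 over the certificate's
# SubjectPublicKeyInfo (RFC 6698), so it survives a renewal only if the key does.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_key() {    # new_key <key-file>
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Self-signed stand-in for a CA-issued certificate (constructed test data).
make_cert() {  # make_cert <key-file> <cert-file>
  openssl req -x509 -new -key "$1" -subj "/CN=host.example" -days 90 -out "$2" 2>/dev/null
}

# Selector 1 (SPKI), matching type 1 (SHA-256): the hex that goes in "3 1 1 <hex>".
tlsa_spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Selector 0 (full certificate), matching type 1: the hex for "3 0 1 <hex>".
tlsa_cert_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare the published 3 1 1 association data with what a certificate yields.
check() {      # check <published-hex> <cert-file>
  if [ "$1" = "$(tlsa_spki_sha256 "$2")" ]; then echo match; else echo STALE; fi
}

renewal_demo() {
  new_key "$WORK/k1.pem"; make_cert "$WORK/k1.pem" "$WORK/old.pem"
  published=$(tlsa_spki_sha256 "$WORK/old.pem")      # what the zone still holds
  new_key "$WORK/k2.pem"; make_cert "$WORK/k2.pem" "$WORK/newkey.pem"  # renewal, fresh key
  make_cert "$WORK/k1.pem" "$WORK/samekey.pem"                        # renewal, key reused
  echo "before=$(check "$published" "$WORK/old.pem")" \
       "new_key=$(check "$published" "$WORK/newkey.pem")" \
       "same_key=$(check "$published" "$WORK/samekey.pem")"
}

renewal_demo
```

A `3 0 1` record is hashed over the whole certificate, so it changes on every renewal even when the key is reused.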