Readthedocs.org: Current SSL cert is not valid for "rtfd.org" domain

Created on 17 Jan 2013  ·  20 Comments  ·  Source: readthedocs/readthedocs.org

The current SSL cert is only valid for the full readthedocs.org spelling, resulting in a security warning if accessing the short URL over HTTPS. (So, not really a bug in the RTFD code itself, but I'm not sure where else to report site config issues)

Bug Operations blocked

All 20 comments

+1. This affects e.g. the "Short URLs" section in the project page (example: https://readthedocs.org/projects/write-the-docs-2013-notes/ - accessing the second "Short URL" issues a security warning).

This still seems to be an issue today. Are there any plans on extending the SSL certificate to *.rtfd.org and rtfd.org?

We mainly don't have them because it's expensive, and the redirect domains
are less valuable than the main domain. If someone wanted to donate/sponsor
more SSL certs, we would happily host them.

let's encrypt is now an easy to use and free alternative to the commercial CAs. it should be fairly easy to set that up to fix this bug, but i can't sponsor/donate those without access to the server hosting rtfd.org.

The issue is that we need a wildcard cert, which letsencrypt doesn't
support.

true that. but since it's automated, you could actually generate one cert per vhost...

in fact, some webservers actually do that on the fly, like caddy

Also affected by this:

> If someone wanted to donate/sponsor more SSL certs, we would happily host them.

Now that Let's Encrypt is a thing, could this be used to cut the costs here?

As stated above, let's encrypt does not support wildcard certs, as per letsencrypt/letsencrypt#66.

I would pay for ssl +custom domain using letsencrypt.

@anarcat, the number of subdomains and requests/time that letsencrypt honours is limited and probably not enough for the number of sites hosted on RTD.

@gwillem those are not hard limits - they can be modified as needed if you talk with them. see this comment for example.

how many sites are we talking about anyways?

@anarcat here you have the stats from last year: http://blog.readthedocs.com/read-the-docs-2016-stats/

definitely above 20 certs/week of course :p you'd have about 200k certs per year, so about 4k per week... but i guess it's something that could be discussed.

now of course, LE will support wildcard certs starting in January 2018, so those numbers would become irrelevant if a wildcard is acceptable: https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

So, it seems that's a matter of time. I think we should wait until Jan 2018 :D

FYI: Wildcard support by LE delay: https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654

Feb 27 Update: There are no known major issues with the ACMEv2/wildcard test endpoint. ACMEv2 and wildcard support quality assurance is continuing. No release date to announce yet.

As of today, we have an SSL certificate for rtfd.io. We don't really advertise rtfd.org anymore but I will probably still try to add a certificate for it. It's lower priority though.

There is a cert for *.rtfd.org as well now.
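
Added example (not part of the thread or of the Read the Docs code base): the hostname matching a TLS client applies to a certificate's DNS names, showing why the short domain triggers a warning and why the request above names both *.rtfd.org and rtfd.org. The SAN lists and hostnames are constructed for illustration, and refusing wildcards with fewer than two labels after the `*` is a conservative assumption.

```python
# RFC 6125-style matching of a hostname against DNS subjectAltName entries.
# All SAN lists and hostnames below are constructed sample data.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single DNS SAN entry covers the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*":
        return pattern == hostname          # exact names match literally
    # A wildcard stands for exactly one left-most label, so label counts
    # must be equal: "*.rtfd.org" covers "pip.rtfd.org" but neither the
    # bare "rtfd.org" nor "a.b.rtfd.org".
    if len(p_labels) != len(h_labels):
        return False
    if len(p_labels) < 3:                   # assumption: refuse "*.org"-style
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def uncovered(sans, hostnames):
    """Hostnames for which a client would raise a name-mismatch warning."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed inputs: names a visitor might type, and three candidate SAN sets.
HOSTS = ["readthedocs.org", "rtfd.org", "pip.rtfd.org", "a.b.rtfd.org"]
MAIN_ONLY = ["readthedocs.org", "*.readthedocs.org"]
WITH_WILDCARD = MAIN_ONLY + ["*.rtfd.org"]
WITH_APEX = WITH_WILDCARD + ["rtfd.org"]

if __name__ == "__main__":
    for label, sans in [("main only", MAIN_ONLY),
                        ("plus *.rtfd.org", WITH_WILDCARD),
                        ("plus rtfd.org", WITH_APEX)]:
        print(f"{label:16} mismatch for: {uncovered(sans, HOSTS)}")
```

Running the same check against the SAN list of a certificate before deployment shows which redirect or short domains would still produce a warning.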
