[11:23] <Mikaela> Hi, is it a known issue that Launchpad cannot import repositories through CloudFlare (SSL)?
[11:23] <Mikaela> https://code.launchpad.net/~progval/limnoria/testing imports from https://git.mikaela.info/Limnoria.git and import fails with error "bzrlib.errors.CertificateError: Certificate error: hostname 'git.mikaela.info' doesn't match either of 'ssl2000.cloudflare.com', 'cloudflare.com', '*.cloudflare.com'" while the certificate is valid for *.mikaela.info https://paste.mikaela.info/view/b70bcadd#L56 (in Finnish
[11:23] <Mikaela> sorry)
[11:31] <wgrant_> Mikaela: That error is correct; you can reproduce it in a browser.
[11:32] <wgrant> Mikaela: The certificate presented by CloudFlare doesn't match the hostname.
[11:32] <Mikaela> wgrant: I am unable to reproduce it in a browser while CloudFlare is enabled, it's currently temporarily disabled
[11:32] <Mikaela> enabled again, should start going through cloudflare in 5 minutes
[11:33] <Mikaela> wgrant: paste.mikaela.info should have the same certificate, are you able to reproduce this error there?
[11:37] <wgrant> Mikaela: paste.mikaela.info works.
[11:37] <Mikaela> git.mikaela.info should have no issues either and Chrome here doesn't complain. I can also try another browser
[11:37] <wgrant> Ah, works now.
[11:38] <wgrant> I suspect CloudFlare replication latency.
[11:39] <Mikaela> https://launchpadlibrarian.net/193888435/progval-limnoria-testing.log is still failing though
[11:39] <Mikaela> bzrlib.errors.CertificateError: Certificate error: hostname 'git.mikaela.info' doesn't match either of 'ssl2000.cloudflare.com', 'cloudflare.com', '*.cloudflare.com'
[11:39] <wgrant> Sure, it works from a node in what looks like Sydney.
[11:39] <wgrant> I presume they document the worst-case certificate replication times somewhere.
[11:39] <Mikaela> So it should start working after that certificate is replicated?
[11:40] <wgrant> Remember that CloudFlare has numerous frontends all over the world, and they won't all update instantly when you change the configuration.
[11:40] <wgrant> Hm, where did that branch go?
[11:40] <Mikaela> I am just wondering why that error message doesn't list all domains, it looks like it has the same certificate
[11:41] <wgrant> The certificate that was presented by CloudFlare was for just those three domains.
[11:41] <Mikaela> Launchpad https://code.launchpad.net/~progval/limnoria/testing and it goes to https://git.mikaela.info/Limnoria.git/
[11:41] <wgrant> That would have been from a CloudFlare node in London somewhere, which presumably doesn't have the certificate yet.
[11:41] <Mikaela> weird, you should see more certificates in the web browser
[11:41] <wgrant> *I* do.
[11:41] <wgrant> I'm not in Launchpad's datacentre.
[11:41] <wgrant> You need to wait for the certificate to replicate throughout CloudFlare's infrastructure.
[11:42] <Mikaela> From what I see in my web browser, that certificate was issued in 2014-10-02 and expires 2015-10-01
[11:42] <Mikaela> it's now using http
[11:43] <Mikaela> and now it cannot find the branch
[11:47] <wgrant> When did you create that vhost on CloudFlare?
[11:47] <Mikaela> 13:15+0200
[11:48] <Mikaela> and now I disabled it again as it's using http and I don't have a valid certificate.
[11:48] <wgrant> What does CloudFlare say about normal replication delays?
[11:48] <Mikaela> or if you mean mikaela.info (the certificate is valid for *.mikaela.info), that was probably early 2014
[11:48] <wgrant> Anyway, this isn't a Launchpad problem. Once CloudFlare becomes consistent it will all work.
[11:49] <wgrant> The creation date of the certificate isn't relevant. What matters is when the configuration for that vhost on CloudFlare changed.
[11:49] <Mikaela> I am unable to find any delays documented
[11:49] <Mikaela> even if the certificate is for *.mikaela.info not git.mikaela.info?
[11:49] <wgrant> If a CloudFlare server in London doesn't know that git.mikaela.info exists, it's not going to know to return that certificate for it.
[11:50] <Mikaela> I actually happen to have a VPS in London and I can check what it returns
[11:52] <Mikaela> it reports a self-signed certificate, so disabling cloudflare has probably propagated, or if it's what you think, it was never enabled there
[11:53] <wgrant> Enabling/disabling CloudFlare would presumably incur DNS cache timeouts.
[11:53] <Mikaela> This current error is even more unclear to me https://launchpadlibrarian.net/193889024/progval-limnoria-testing.log
[11:53] <Mikaela> https://www.whatsmydns.net/#A/git.mikaela.info appears to say that London nameserver finds nothing
[11:53] <wgrant> That's *probably* a 404, but it's difficult to say.
[11:54] <Mikaela> but as that nameserver doesn't find google.fi either, I wouldn't rely on it
[11:54] <wgrant> I'd configure CloudFlare how you want it, wait an hour or so, and try the HTTPS URL again.
[11:54] <Mikaela> Thanks, I will try that now
[11:54] <wgrant> Always remember that services like CloudFlare are eventually consistent
[11:54] <wgrant> You can't atomically update servers across the world like that.
[11:55] <Mikaela> It has been surprisingly fast around the world and Launchpad is the only place where I have had any issues using it
[11:55] <wgrant> Perhaps certificates replicate more slowly.
[11:56] <Mikaela> probably possible, I am trying again in an hour
[11:56] <Mikaela> which seems to be 15+0200
[11:57] <Mikaela> in case you are interested, diral.mikaela.info, which is a VPS in the DigitalOcean London 1 datacenter, is currently receiving a valid certificate
[11:58] <Mikaela> when curling git.mikaela.info
[11:59] <wgrant> None of my London hosts on unrelated networks are seeing a valid cert yet.
[12:01] <wgrant> Mikaela: Oh, the "No branch found at location" is because there's no git smart HTTP server at that URL.
[12:01] <wgrant> Only the long-deprecated dumb HTTP protocol.
[12:02] <wgrant> http://git-scm.com/book/be/v2/Git-on-the-Server-Smart-HTTP
[12:02] <wgrant> We removed support for git over dumb HTTP several years ago.
[12:03] <Mikaela> I see, I will now also start investigating that
[12:03] <wgrant> (it's deprecated for a reason, too -- pulls over the dumb protocols are terrifyingly slow)
[12:04] <Mikaela> I hope this also exists for nginx as I am not going to learn Apache
[12:04] <Mikaela> it does
[16:45] <candrea> hey there -- this user https://bugs.launchpad.net/~gamal-m-oha-med122000 has started creating some bug reports containing spam, could you please stop him?