Support https for badge

[garyburd]

The badge cannot be used on an https page without triggering the browser's insecure content warning.

There's no warning on GitHub pages because GitHub proxies and caches the badge. This is a problem if we ever want to change the badge on fly.

[nathany]

It looks like the https img src's were removed in the move from status.html -> tools.html in this commit: 22e5783.

[nathany]

There is the future possibility of shields.io hosting the badge image and taking care of HTTPS. badges/shields#66

Sheilds.io would contact GoDoc.org to determine the badge status. If that API doesn't require SSL, then godoc wouldn't need the certificate.

[nathany]

HTTPS was added back in as of Dec 20.

Note: It's not absolutely necessary to have the link be HTTPS such that people navigate around the site in SSL. Just the image src needs to be HTTPS for cache busting.

[speter]

Thanks, it works in Chrome but Firefox refuses to fetch the badge with
https. The problem seems to be missing intermediate certificates which can
be installed on the server.

https://sslcheck.globalsign.com/en_US/sslcheck?host=godoc.org#108.59.81.57
https://sslcheck.globalsign.com/en_US/help/89716664?testTime=1388802971937&ipAddress=108.59.81.57&serverSignature=nginx%2F1.2.1&dlCertsQueryString=host%3Dgodoc.org%26endpoint_id%3D8C35079BB5CF0CB588C7A7AE9D8793D058297F3C%26id%3D8C35079BB5CF0CB588C7A7AE9D8793D058297F3C&isSet=true&severity=1&hmac=86cf7ffebdff36aed39d372e9a23e5237c096a12
https://sslcheck.globalsign.com/en_US/certificates?host=godoc.org&endpoint_id=8C35079BB5CF0CB588C7A7AE9D8793D058297F3C&id=8C35079BB5CF0CB588C7A7AE9D8793D058297F3C

On Sat, Jan 4, 2014 at 11:00 AM, Nathan Youngman
notifications@git.luolix.topwrote:

HTTPS was added back in as of Dec 202be0522
.

Note: It's not absolutely necessary to have the link be HTTPS such that
people navigate around the site in SSL. Just the image src needs to be
HTTPS for cache busting.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/134#issuecomment-31568570
.

[nathany]

Thanks for the SSL check links. It does look like it could be setup a bit better.

Yet I'm not seeing an issue in Firefox 26 (OS X) with my badge on Looper.

Can you give more specifics, such as:

• what url you are viewing when seeing the error
• browser version and OS
• perhaps a screenshot showing the issue

[speter]

Thanks for taking the time to check. I have attached screenshots with the
badge not being displayed, and the https error for the image, using the
Looper repo. (The one I'd like to get it to work for is
https://code.google.com/p/gcfg but I switched it back to use http for the
badge for now.) I'm using Firefox 26.0 on Ubuntu/i386 12.04. (Perhaps the
intermediate certificate is installed by default on OSX?) For the record,
curl also complains:

$ curl 'https://godoc.org/github.com/gophertown/looper?status.png'
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
More details here: http://curl.haxx.se/docs/sslcerts.html
...

On Sat, Jan 4, 2014 at 11:54 AM, Nathan Youngman
notifications@git.luolix.topwrote:

Thanks for the SSL check links. It does look like it could be setup a bit
better.

Yet I'm not seeing an issue in Firefox 26 (OS X) with my badge on Looperhttps://github.com/gophertown/looper
.

Can you give more specifics, such as:

• what url you are viewing when seeing the error
• browser version and OS
• perhaps a screenshot showing the issue

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/134#issuecomment-31569728
.

[speter]

Here are the screenshots:


(it seems github quietly drops reply attachments :( )

[nathany]

@speter Thanks for following up.

Of note, HTTPS is only necessary to break GitHub's caching of the status badge. However, the status badge image is completely static right now (it always says "Reference" in green), so HTTP works perfectly fine.

As far as fixing the certificate chain, that's something I don't have the knowledge or access to do, so I'll have to leave to @garyburd when he finds some time.

Longterm we may use shields.io as a secure badge server for GoDoc, see badges/shields#81. Just getting started on that project now.

[speter]

@garyburd Thanks for the prompt fix! FWIW it seems that it is better to include intermediate certificates for reduced load time even if it doesn't cause an error. https://www.wormly.com/help/ssl-tests/intermediate-cert-chain (bottom part "But my browser accepts the certificate!") Perhaps Firefox not fetching it from a remote site is meant to discourage the bad practice of not including it.

@nathany My primary concern was not the cache issue, or that the image is currently static, but the first one mentioned in the initial description: "The badge cannot be used on an https page without triggering the browser's insecure content warning." (This affects all browsers, not just Firefox, when the badge is referenced via http from an https site other than github.) From my point of view, this specific aspect is resolved for now.

[nathany]

Another reason to be glad we're using HTTPS: badges/buckler#27