Closed Bug 1258123 Opened 9 years ago Closed 9 years ago

Certificate error on https://download.cdn.mozilla.net/

Categories

(Release Engineering :: Release Requests, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: pederick, Unassigned)

References

Details

(Keywords: reproducible)

Attachments

(1 file)

Attached file mozcdn_err.txt (deleted) —
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160303134406

Steps to reproduce:

1. Visit https://www.mozilla.org/thunderbird/
2. Click the big green download button.
3. Receive error message

Given that it's a CDN and so geographical issues are a possibility, it may or may not be relevant that I'm in Australia.

Actual results:

(Firefox's error message...)

The owner of download.cdn.mozilla.net has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

download.cdn.mozilla.net uses an invalid security certificate.

The certificate is only valid for the following names: a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net

Error code: SSL_ERROR_BAD_CERT_DOMAIN

(Details from that last link are in the attached file. Chrome reports much the same, although it will let me proceed, HSTS be damned...)

This server could not prove that it is download.cdn.mozilla.net; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Expected results:

Not having a certificate error.
I should have mentioned the actual URLs resulting in each of the "steps to reproduce"...

1. This step redirects to https://www.mozilla.org/en-US/thunderbird/
2. The button URL is https://download.mozilla.org/?product=thunderbird-38.7.0&os=win&lang=en-US
3. The ultimate destination is https://download.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/win32/en-US/Thunderbird%20Setup%2038.7.0.exe

Same result if I just go to https://download.cdn.mozilla.net/, though.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2729]
Assignee: server-ops-webops → jthomas
Component: WebOps: SSL and Domain Names → Operations: Product Delivery
Product: Infrastructure & Operations → Cloud Services
QA Contact: smani → oremj
Assignee: jthomas → oremj
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2729]
I'm intermittently hitting this error (and got reports from other people). Now it's working again for me; 5 minutes ago Firefox was displaying an HSTS error, while Chrome said ERR_CERT_COMMON_NAME_INVALID.
i hit this 100% (also in australia). the cn i'm seeing is a248.e.akamai.net instead of download.cdn.mozilla.net

~$ openssl s_client -connect download.cdn.mozilla.net:443
CONNECTED(00000003)
depth=2 /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
---
No client certificate CA names sent
---
SSL handshake has read 4004 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 40A2EE0D6329ED5FFC6CD3458AA3A0AD4D7EB43C3DDEF69981D577CDFB768528
    Session-ID-ctx:
    Master-Key: 6AB4F4CC7C3AE3449E27C9B36BF93DD30D6DDE4C9C6C972286CD7ECDAF2F12B3E7DCB46EA4EE54AFCDAAD4032F151C36
    Key-Arg   : None
    Start Time: 1460967034
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
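Added example (not part of the bug thread and not Mozilla's or any browser's code): the s_client run above ends with "Verify return code: 0 (ok)" even though the name is wrong, because s_client does not compare the certificate against the hostname unless asked to (-verify_hostname), whereas browsers do. The sketch below applies simplified RFC 6125 matching to the names Firefox listed in this report; hostnames marked "constructed" are illustrative assumptions.

```python
# Added example: hostname check against the SAN list quoted in this bug.
# Simplified RFC 6125 rules: case-insensitive comparison, "*" allowed only
# as the entire left-most label, and it stands for exactly one label.

# Names Firefox reported the served certificate as valid for (from the report).
SANS_FROM_REPORT = [
    "a248.e.akamai.net",
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]


def _labels(name):
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, host):
    """True if one certificate dNSName pattern covers host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard covers a single left-most label and needs at least two
        # fixed labels after it, so "*.net" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_names(host, sans=SANS_FROM_REPORT):
    """Return the SAN entries that cover host; an empty list is a name mismatch."""
    return [s for s in sans if name_matches(s, host)]


if __name__ == "__main__":
    for host in (
        "download.cdn.mozilla.net",  # hostname from the bug
        "a248.e.akamai.net",         # exact SAN entry
        "media.akamaihd.net",        # constructed: one label under a wildcard
        "a.b.akamaihd.net",          # constructed: two labels, wildcard must not match
        "akamaihd.net",              # constructed: bare parent domain, not covered
    ):
        hits = covering_names(host)
        print(f"{host:26} -> {hits if hits else 'no match (bad cert domain)'}")
```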
This is expected. download-installer.cdn.mozilla.net has a valid cert and is intended for HTTPS traffic. download.cdn.mozilla.net is intended for HTTP traffic, but I'm looking at options for enabling SSL to fix these edge cases.
We need to keep this domain as is. Please use download-installer.cdn.mozilla.net if SSL is needed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
But at no point did I, the end user, say "wait, I want to use SSL". If I do a Google search for "thunderbird", the first result is *https:*//www.mozilla.org/en-US/thunderbird/. (Of course it is, because Google favours HTTPS nowadays.) If I just type "mozilla.org/thunderbird" (which I think is what I did originally), the server *redirects* me to https://www.mozilla.org/en-US/thunderbird/. The problem was never actually "this domain isn't doing the right thing". It was "the official Big Green Button points to a domain that isn't doing the right thing, and so I can't download Thunderbird". On the bright side, it works now, so perhaps "WONTFIX" in this case means "it actually got fixed by something else not discussed here"?
Sorry for the confusion, your bug was valid and was fixed in bug 1228502. I closed this as WONTFIX, since I won't be fixing the certificate on download.cdn.mozilla.net.
Flags: needinfo?(oremj)
Excuse me, if you have decided to mark this bug as WONTFIX, can you please also have this notation (and the similar ones) rewritten? http://ftp.mozilla.org/pub/firefox/releases/latest/README.txt If you use the notation provided in that very document, say https://download.mozilla.org/?product=firefox-latest&os=win64&lang=it you will get the SSL_ERROR_BAD_CERT_DOMAIN.
Rail, can you take a look?
Flags: needinfo?(rail)
(In reply to Jeremy Orem [:oremj] from comment #9)
> Rail, can you take a look?

I'm not sure what I can do here. I don't get any issues with any of URLs mentioned above... I see redirects to http://, so there shouldn't be any bad cert errors.

Maybe this is something like HTTPS Everywhere addon replacing http to https?
Flags: needinfo?(rail)
(In reply to Rail Aliiev [:rail] from comment #10)
> I'm not sure what I can do here. I don't get any issues with any of URLs
> mentioned above...

The issue doesn't occur when I am behind the office proxy, but does occur when I am surfing the web using the home connection (or this is what I seem to notice).
Assignee: oremj → nobody
Component: Operations: Product Delivery → Releases
Product: Cloud Services → Release Engineering
QA Contact: oremj → rail