SSL certificate issue https:://doc.crates.io

[ReinierMaas]

When I as a user of doc.crates.io try to access the website with the following browser, Google Chrome 56.0.2924.87 (Official Build) (64-bit).

The certificate I get is the *.github.io certificate.
Maybe use the certificate of *.crates.io?

I get the following warning:

Your connection is not private

Attackers might be trying to steal your information from doc.crates.io (for example, passwords, 
messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

[ishitatsuyuki]

This is intended and no one told you to use the https version.

The docs are hosted on GitHub pages for now (I've heard they're moving it out of tree and maybe they will switch the hosting too), which doesn't allow SSL for custom domains.

[carols10cents]

Yep, GitHub pages does not support SSL with custom domains at this time. The workaround is to go to http://doc.crates.io.

Our options for fixing this are:

• Host cargo's docs elsewhere. Gitlab pages support SSL, for example. Downsides: more infrastructure
• Instead of having doc.crates.io be a CNAME for rust-lang.github.io/cargo, make it redirect there and use https. Downsides: no pretty URL
• Use a CDN that handles SSL like Cloudflare looks like there's some rust infrastructure in Cloudflare, or at leas was at some point or nelify. Downsides: requires a change in infrastructure

I don't have the permissions to manage any of this infrastructure :)

Pulling the cargo docs out of tree is part of rust-lang/rust#39588, so I suggest we revisit this once that's done.

[elliotekj]

It's perhaps not the right solution for doc.crates but, FWIW, I moved my own site from GitHub pages to Netlify's Pro tier (which is free for open source projects) a few months ago for this very reason and it has served me well.

[michaelfairley]

Google currently has everything on docs.crates.io linked with https:// (e.g. clicking the top result for a search of "rust cargo docs" results in a big scary "Your connection is not private" message for me right now). If https:// isn't going to be supported, it'd be nice to purge the search engined caches for the time being.

[sgrif]

We recently dealt with this issue for Diesel.rs. Cloudflare is a really easy solution. You literally just sign up for an account and change your name servers over. They proxy any additional records over, and basically just do one giant MITM attack to serve the SSL cert.

[ishitatsuyuki]

CloudFlare has lots of criticism (MITM, captchas, data bleed) and I'm against that. There are tons of fast static hosting services with CDN+HTTPS (e.g. Firebase, Netlify). I would prefer them.

Update: GitHub pages is not really for generated things, it's git oriented and has the unnecessary versioning and Jekyll build layer.

[carols10cents]

Oh wait rust-lang/rust#16123 says rust stuff uses CloudFRONT, not CloudFLARE. Going to ask around.

[carols10cents]

edunham is on it!! ❤️

[edunham]

Correct, Rust stuff uses cloudFront. Some of Servo's GitHub Pages stuff is using cloudFlare. I've added this to my todo list :)

[carols10cents]

Update on current progress copied here from #1139:

In the near future, we will be switching to serving cargo docs from https://doc.rust-lang.org/cargo, and we will have SSL configured there. You can track the progress of that effort at rust-lang/rust#44910.

In the meantime, the workaround is to visit http://doc.crates.io instead. Thank you for your patience!

[RalfJung]

The Rust 1.23 announcement links to https://doc.crates.io/, which is why I just hit this.

EDIT: This got fixed.

[carols10cents]

Yes, now that the cargo docs are on https://doc.rust-lang.org/cargo/, we can change http(s)://doc.crates.io to redirect over there. @alexcrichton i think you have to do that?

[alexcrichton]

All moved!