Opened 11 years ago

Last modified 8 years ago

#163 new enhancement

401 page should link users to renew their certificates at https://ca.mit.edu/ca/certgen

Reported by: afarrell Owned by:
Priority: minor Milestone:
Component: web Keywords:
Cc:

Description

Users coming to sites hosted on scripts.mit.edu that require certificates would be helped by a link directing them to where they can renew their certificates.

I would suggest just adding

<p>It's possible you just need to <a href="https://ca.mit.edu/ca/certgen">renew your MIT Certificates</a>.</p>

to line 42 of /mit/scripts/www/unauthorized.html

Change History (8)

comment:1 follow-up: Changed 11 years ago by andersk

  • Resolution set to invalid
  • Status changed from new to closed

People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).

comment:2 in reply to: ↑ 1 Changed 11 years ago by geofft

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to andersk:

People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).

Did you try it?

(I'm getting unauthorized.html from not having certificates at all. My memory is that expired certs are the same.)

comment:3 Changed 11 years ago by andersk

Yes.

comment:4 Changed 11 years ago by ezyang

I did some testing with Chromium, with no MIT CA and no Personal Certificates. First Chromium warns you about the certificate not being trusted, and then it gives you the unauthorized HTML page. So I think there could definitely be some value in this. Is it possible to install a personal certificate signed by the MIT CA w/o the MIT CA?

comment:5 Changed 10 years ago by ezyang

  • Milestone None deleted


comment:6 Changed 10 years ago by ezyang

  • Priority changed from tiny to minor

comment:7 Changed 10 years ago by ezyang

  • Keywords certificates 401 removed

comment:8 Changed 8 years ago by geofft

  • Owner geofft deleted
  • Status changed from reopened to new

Disowning, since (as with the other ticket I disowned) I have no state on this and don't particularly intend to do any work towards it.

For reference, I just tested in Firefox (Iceweasel 10 on wheezy), and you get a browser certificate error screen from an expired cert. I would vaguely be in favor of the server-hacking Anders alluded to, but I'm not volunteering. In any case, it seems worthwhile in case you just don't have a certificate at all and you are seeing unauthorized.html.

To Edward's question: the client and server CAs are different and unrelated (and indeed now, the server CA is all but unused).
