SSL certificate with incorrect domain used for https://www.flatpak.org URL

[ellenfieldn]

Summary

If rather than https://flatpak.org, a user visits https://www.flatpack.org, an SSL cert for *.apps.openshift.gnome.org will be used rather than the expected flatpak.org domain.

I tried a few variants and included a quick breakdown of valid vs. invalid certificates by URL.

• As far as I can tell, errors occur with all https://www. variants.
• Additionally, errors occur at https://flatpak.org/, but only for that specific URL with a slash at the end.
• Aside from the above, https://flatpak.org and all its subpages appear to use the correct certificate.

I also included a full breakdown of the URLs i tried below the screenshots in the details.

Details

I stumbled on this accidentally while clicking a link to https://www.flatpak.org from documentation elsewhere:

Inspecting the certificate shows a wildcard cert of *.apps.openshift.gnome.org

Full breakdown

• ✅ https://flatpak.org - Correct cert for the flatpak.org domain.
• ❌ https://flatpak.org/ - wildcard openshift cert.
  Note: Your browser may strip the slash off the end of the URL when you click the link, but manually entering it into the address bar cause the issue.
• ❌ https://www.flatpak.org - wildcard openshift cert
• ❌ https://www.flatpak.org/ - wildcard openshift cert

Given the case with the / at the end of the domain, I also checked a few URLs in addition the base URL:

• ✅ https://flatpak.org/about (redirects to /about/)
• ✅ https://flatpak.org/about/
• ❌ https://www.flatpak.org/about/
• ✅ https://flatpak.org/setup (redirects to /setup/)
• ✅ https://flatpak.org/setup/
• ❌ https://www.flatpak.org/setup/
• ✅ https://flatpak.org/setup/Manjaro
• ✅ https://flatpak.org/setup/Manjaro/ (redirects to /setup/Manjaro)
• ❌ https://www.flatpak.org/setup/Manjaro

[AsciiWolf]

I can confirm this issue. Some of the pages indeed seem to use a certificate for *.apps.openshift.gnome.org. Probably a CDN issue?

/cc @barthalion