Just out of curiosity, as I’ve been working with IPFire for some time but never stumbled upon ping.ipfire.org, how did you end up there?
As for @bonnietwin; @stinga is not connecting to an IPFire instance, but to a public service on the ipfire.org domain.
To prove the cert error I performed an nmap to retrieve the cert info (as it’s not a page I can visit with the browser).
```
$ nmap -p 443 --script ssl-cert ping.ipfire.org
Warning: Nmap may not work correctly on Windows Subsystem for Linux.
For best performance and accuracy, use the native Windows build from https://nmap.org/download.html#windows.
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-09 10:16 CEST
Nmap scan report for ping.ipfire.org (18.104.22.168)
Host is up (0.018s latency).
Other addresses for ping.ipfire.org (not scanned): 2001:678:b28::
rDNS record for 22.214.171.124: fw01.ipfire.org
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=as204867.net
| Subject Alternative Name: DNS:as204867.net, DNS:www.as204867.net
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
| Public Key type: ec
| Public Key bits: 384
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-30T22:26:54
| Not valid after: 2021-09-28T22:26:53
| MD5: c0b5 34bc 50ec a952 1527 4243 9efd 6b50
|_SHA-1: fbb3 fb3d 6a5a fe0b 4cc7 6cd6 36c5 dbf7 afd6 f7fe
Nmap done: 1 IP address (1 host up) scanned in 5.98 seconds
```
So the CN points to as204867.net and reverse lookup translates to fw01.ipfire.org; the names don’t add up.
I still wonder:
- What does ping.ipfire.org do? Just a ping-back to check internet connectivity from within the system?
- Maybe the team can update the cert to include the ping sub-domain (or use a wildcard if it’s used for several services, this will impact SNI checks though).
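
Added example (not part of the original post, and not IPFire code): a small checker that reads the names out of `ssl-cert` output like the above and tests whether a hostname is covered, including the one-label wildcard rule that a `*.ipfire.org` certificate would be subject to. The function names are hypothetical and the sample input is constructed from the output lines quoted in the post.

```python
import re

# Constructed sample: the name-bearing lines of the ssl-cert output quoted in the post.
SAMPLE = """\
| ssl-cert: Subject: commonName=as204867.net
| Subject Alternative Name: DNS:as204867.net, DNS:www.as204867.net
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
"""

def parse_names(nmap_output):
    """Return (common_name, [dNSName SAN entries]) from ssl-cert script output."""
    cn = re.search(r"ssl-cert: Subject:.*?commonName=([^/\s]+)", nmap_output)
    san_line = re.search(r"Subject Alternative Name:(.*)", nmap_output)
    sans = re.findall(r"DNS:([^,\s]+)", san_line.group(1)) if san_line else []
    return (cn.group(1).lower() if cn else None, [s.lower() for s in sans])

def name_matches(pattern, host):
    """Match one certificate name against a hostname, RFC 6125 style:
    a wildcard counts only as the entire left-most label and covers
    exactly one label, so *.ipfire.org does not cover a.ping.ipfire.org."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(nmap_output, host):
    """True if host is covered by a SAN dNSName; the CN is consulted
    only when the certificate carries no SAN entries at all."""
    cn, sans = parse_names(nmap_output)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(c, host) for c in candidates)

if __name__ == "__main__":
    for host in ("ping.ipfire.org", "www.as204867.net"):
        verdict = "covered" if cert_covers(SAMPLE, host) else "NOT covered"
        print(f"{host}: {verdict}")
```
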