SSL cert for https://downloads.vscodium.com is signed by invalid authority #2288
Comments
trisweb
changed the title
|
The vscodium.com domain appears to have expired and DNS NS has switched from registrar-servers.com to bodis.com. |
|
Not good at all! I've sent an email to @PalinuroSec. (He has the control on the domain name and he's the team leader of ParrotSec) @bdube Thx for catching the domain name expiration... |
|
|
|
The domain now appears to be blocked by the ADGuard list. |
Not the domain itself, but the |
|
Last year, we had the same issue, it took several days to get it sorted out (#1840) |
|
Oops, I created a kind of duplicate: |
So we can expect one or more repetitions in the future. This bodes well. |
|
still occurs! |
Just a bit curious, but how could this happen? Is automatic domain renewal not activated maybe? |
|
we had an issue with out card that refused all the renewals for our infra, including the vscodium domain. maintaining the domain and the download cdn for this project is a form of donation i'm committed to and a reason to be proud of, but these small incidents have a big impact to the project and i'm very sorry for that. now the domain got renewed correctly and works again for me, please let me know if the new records are working again for you as well. p.s. |
yes, auto-renewal is on. the reason why the payment was declined is to be investigated, as the balance was there and the renewal went well the previous years. also we got no email alert from namecheap except for one message that went to spam for failed domain verification |
|
Thanks @PalinuroSec, it happens. I'd chip in for 5 years if you want to just put some insurance on it for a while. |
|
that would be nice. |
Another one I can recommend is porkbun! It also has the ability to share the access with other users :) ! |
Hi all,
That said I see @trisweb has committed to fund 5 years of domain registration — could you/@VSCodium consider a project/foundation/parent group to actually collect even lower donations and track them so that this never happens again (while VScode is relevant). Maybe even @microsoft would be open to support it? |
|
For those interested, I've made a new repo for Linux. Please read #2296. Thx |
Thats IMO the most logical idea so far to smooth stuff out and security. I see for now only advantages if we don't ask for the price. |
|
Checking back on this. I see vscodium.com is back, and download.vscodium.com now works again as well. Reiterating my offer to contribute to a longer domain renewal, but I'm happy to wait until the domain is in the right home. Or whatever is easiest if there's already a general donation process. Thanks! |
I'm wondering why you created a new repository. It seems that you are part of the vscodium team. IMHO there should be only one trustworthy repository under a trustworthy domain. I mean thanks for your effort, but users can't rely on any random repository that pops up when the main one breaks. Sorry for being so negative. I'm very grateful for all the work behind vscodium, but it seems that the domain ownership is quite chaotic and I'm wondering if we can trust the project, after all we have seen that happened to liblzma / xz. |
|
@sedrubal I understand the problem. But as I said, vscodium.com is owned and controlled by @PalinuroSec which is the team leader of ParrotSec. I don't think there is any security issue there. For me, it has been 4 years that I'm the main maintainer and I'm not hidden behind a false name. I've built the new repository because:
|
|
why don't we let both vscodium.com and vscodium.dev point to github pages and mirror the same content? we might even do the same for the repository by using the gitlab artifacts pages? both github and gitlab already provide their assets through a CDN, so we could avoid paying for an extra layer yet preserving the same domain functionality |
Yep, I was thinking the same.
Currently, the gitlab repo can't include the arm32 version due to the limitation of 1GB for GitLab Pages. All the |
|
Describe the bug
The current SSL certificate for https://downloads.vscodium.com was created on March 29th, 2025, and expires on the same in 2026, however the certificate authority is invalid and untrusted by most clients.
"net::ERR_CERT_AUTHORITY_INVALID"
Please confirm that this problem is VSCodium-specific
Please confirm that the issue/resolution isn't already documented
To Reproduce
Steps to reproduce the behavior:
Alternatively, update from the mirrored debian repository hosted on https://download.vscodium.com/ and see error:
Expected behavior
Self-expanatory
Edit Apr-5: I had "downloads" rather than download above, so when testing still received an invalid cert. Updating for posterity.
The text was updated successfully, but these errors were encountered: