Skip to content

Bug: Website SSL certificates invalid for come server IPv6 addresses #2752

@jdye-bs

Description

@jdye-bs

Describe the bug

Unable to view docs.python.org using ipv6 due to incorrect name in ssl certificate. This appears to be an issue with the particular IP address as using a different IPv6 address (obtained via google's public DNS) works.

See also pypi/support#6959 for the same issue with files.pythonhosted.org

To Reproduce

Browse to https://docs.python.org/ returns an invalid certificate.

>  curl -6 -v https://docs.python.org/
* Host docs.python.org:443 was resolved.
* IPv6: 2a04:4e42:d000::223
* IPv4: (none)
*   Trying [2a04:4e42:d000::223]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* closing connection #0
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Expected behavior

Website returns the correct certificate. e.g.:

  curl -v https://docs.python.org/ --resolve 'docs.python.org:443:2a04:4e42:200::223'
* Added docs.python.org:443:2a04:4e42:200::223 to DNS cache
* Hostname docs.python.org was found in DNS cache
*   Trying [2a04:4e42:200::223]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to docs.python.org (2a04:4e42:200::223) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: docs.python.org
> User-Agent: curl/8.11.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
< HTTP/1.1 302 Moved Temporarily
< Connection: keep-alive
< Content-Length: 138
< server: nginx
< content-type: text/html
< location: https://docs.python.org/3/
< x-clacks-overhead: GNU Terry Pratchett
< strict-transport-security: max-age=315360000; includeSubDomains; preload
< Via: 1.1 varnish, 1.1 varnish
< Accept-Ranges: bytes
< Age: 596713
< Date: Tue, 15 Jul 2025 09:44:55 GMT
< X-Served-By: cache-lga21989-LGA, cache-lhr-egll1980038-LHR
< X-Cache: HIT, HIT
< X-Cache-Hits: 66, 0
< X-Timer: S1752572696.884347,VS0,VE1
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host docs.python.org left intact

URL to the issue

No response

Screenshots

Certificate returned (according to Chrome):

Subject: default.ssl.fastly.net

Issuer: GlobalSign RSA OV SSL CA 2018

Expires on: 2 Jun 2026

Current date: 15 Jul 2025

PEM encoded chain:
-----BEGIN CERTIFICATE-----
MIIGvTCCBaWgAwIBAgIMd09EvXDMOQx/ji/kMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yNTA1MDExNjI2MDhaFw0y
NjA2MDIxNjI2MDdaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxGYXN0bHksIEluYy4x
HzAdBgNVBAMTFmRlZmF1bHQuc3NsLmZhc3RseS5uZXQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDH8Jwi3G6LDp5A27g9xWWXIvWCFOMN8Fk7gIgn9YeQ
S/MXUy9dsL3RyrvG25loyxgumAX2+u7uqSGqfc2MnsOelLEPyyrjin6+cPn7EjL9
lKhMmPQeD5N47WA8RBVW6yN3g2dHYkK/ahEKjKVe4/slhSR/uvhyCkShLV+vM6FQ
xQbdu8YnDTX/wxWA2kv5o/yNBeb5WQQLXUF1hhuXJZXI7pd2cX+i57YETWis8pas
edoYk8sryTt2lLcdtFfsbL7k5EqKrM5cTdvp/LPXUTc8Et7dxcFFGr6JyP6lqU+T
Tg50InwD91nFwdS2zIK3XLnYRSE211BpwwSXVjpjapB1AgMBAAGjggNzMIIDbzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADCBjgYIKwYBBQUHAQEEgYEwfzBE
BggrBgEFBQcwAoY4aHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQv
Z3Nyc2FvdnNzbGNhMjAxOC5jcnQwNwYIKwYBBQUHMAGGK2h0dHA6Ly9vY3NwLmds
b2JhbHNpZ24uY29tL2dzcnNhb3Zzc2xjYTIwMTgwVgYDVR0gBE8wTTBBBgkrBgEE
AaAyARQwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20v
cmVwb3NpdG9yeS8wCAYGZ4EMAQICMD8GA1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9j
cmwuZ2xvYmFsc2lnbi5jb20vZ3Nyc2FvdnNzbGNhMjAxOC5jcmwwQwYDVR0RBDww
OoIWZGVmYXVsdC5zc2wuZmFzdGx5Lm5ldIISKi5ob3N0cy5mYXN0bHkubmV0ggwq
LmZhc3RseS5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud
IwQYMBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBTsZ+yYN4exZu4+
6s+MfSQ1eBsaSTCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHYAZBHEbKQS7KeJ
HKICLgC8q08oB9QeNSer6v7VA8l9zfAAAAGWjKt/4QAABAMARzBFAiBJF5CYHzDy
wv8fy159pL0GjGOtMUCQQBL8/Q7WpS951QIhAKXTYH2XztRq7njg5Iw5US4Q/cR8
r9g99fGMrTMd0X/lAHYAyzj3FYl8hKFEX1vB3fvJbvKaWc1HCmkFhbDLFMMUWOcA
AAGWjKt/MAAABAMARzBFAiEA7GuZbLGpvtthN+KwFJasc8iWvpwh7bXtWHADUY6X
7DkCIB3O7uoUb9wbh4ygr+ArTZMIwin5QL75qGAfbesTvgNNAHcASZybad4dfOz8
Nt7Nh2SmuFuvCoeAGdFVUvvp6ynd+MMAAAGWjKuACQAABAMASDBGAiEAjfjRmRNZ
V6jI0og4xNuB0njwoyP6jwAblATK1CK0IfUCIQCK4zOtn9U74Z9zaS7se6DJqhEo
xG2oF72axCZRZ3w3EjANBgkqhkiG9w0BAQsFAAOCAQEABrhZzyORjly0OcaxIQqG
FFL1Ftg361cEoe6zIcUVbS1wSdk6MfZBQ8Hp230Qt9BybjKyC0PJ32z7XOR6ej1k
w41DKd2tjKc3SERaiIJZudY7rUOolayH4+k0uoeINv6e9deLxhTYVjqf+/ob7c9h
JYUG3ZWe5RXki95CS+bwKk80RIUaqnTRn78X1M5s71Xe10HPf1XJFfvBMXiSowdt
9/klL8ZdW0ygbTE68m3evgeliu67UH2fWzfOh2jJV7LGNPRofXZCK4ZSftBA3qe9
1/EbihcIQX6wZaCBcsK9NlpoMMKpYVrbYuNkkJKQj8DwooefUYcrOW5Q7v7SprqQ
rg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgINAe5fIh38YjvUMzqFVzANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xODExMjEwMDAwMDBaFw0yODEx
MjEwMDAwMDBaMFAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52
LXNhMSYwJAYDVQQDEx1HbG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdaydUMGCEAI9WXD+uu3Vxoa2uP
UGATeoHLl+6OimGUSyZ59gSnKvuk2la77qCk8HuKf1UfR5NhDW5xUTolJAgvjOH3
idaSz6+zpz8w7bXfIa7+9UQX/dhj2S/TgVprX9NHsKzyqzskeU8fxy7quRU6fBhM
abO1IFkJXinDY+YuRluqlJBJDrnw9UqhCS98NE3QvADFBlV5Bs6i0BDxSEPouVq1
lVW9MdIbPYa+oewNEtssmSStR8JvA+Z6cLVwzM0nLKWMjsIYPJLJLnNvBhBWk0Cq
o8VS++XFBdZpaFwGue5RieGKDkFNm5KQConpFmvv73W+eka440eKHRwup08CAwEA
AaOCASkwggElMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdDgQWBBT473/yzXhnqN5vjySNiPGHAwKz6zAfBgNVHSMEGDAWgBSP8Et/qC5F
JK5NUPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6
Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4Yl
aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+
MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAJmQyC1fQorUC2bbmANz
EdSIhlIoU4r7rd/9c446ZwTbw1MUcBQJfMPg+NccmBqixD7b6QDjynCy8SIwIVbb
0615XoFYC20UgDX1b10d65pHBf9ZjQCxQNqQmJYaumxtf4z1s4DfjGRzNpZ5eWl0
6r/4ngGPoJVpjemEuunl1Ig423g7mNA2eymw0lIYkN5SQwCuaifIFJ6GlazhgDEw
fpolu4usBCOmmQDo8dIm7A9+O4orkjgTHY+GzYZSR+Y0fFukAj6KYXwidlNalFMz
hriSqHKvoflShx8xpfywgVcvzfTO3PYkz6fiNJBonf6q8amaEsybwMbDqKWwIX7e
SPY=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
WD9f
-----END CERTIFICATE-----

Browsers

Chrome

Operating System

Windows

Browser Version

138.0.7204.100

Relevant log output

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis is a bug!

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions