Last modified: 2014-04-26 18:32:00 UTC
While Bug#52630 was fixed and http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org has an all green result, http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org gives a warning ("The certificate is not trusted in all web browsers."). The latter goes through a different server (the Instance Proxy).
It is the dynamic proxy, which uses the star.wmflabs.org certificate, which I presume needs to be fixed.
Change 111342 had a related patch set uploaded by Tim Landscheidt: Dynamic proxy: Serve SSL certificate chain https://gerrit.wikimedia.org/r/111342
Change 111342 merged by coren: Dynamic proxy: Serve SSL certificate chain https://gerrit.wikimedia.org/r/111342
Change 111386 had a related patch set uploaded by Jeremyb: Dynamic proxy: Serve SSL certificate chain. v2 https://gerrit.wikimedia.org/r/111386
Close, but no cigar. While using .chained.pem in the Nginx configuration is apparently The Right Thing(TM), the problem lies deeper: manifests/certs.pp's install_certificate creates the chained certificate for star.wmflabs.org with wmf-labs.pem, while the certificate is actually signed by RapidSSL_CA.pem. The patch by jeremyb should fix this.
I've noticed that in Firefox with a fresh profile this will lead to users getting the scary-looking "This connection is untrusted" message. For something like accounts.wmflabs.org that routinely deals with new users to the project who may not be very tech savvy, this could be a problem.
Change 111386 merged by Andrew Bogott: star.wmflabs.org: fix intermediate CA https://gerrit.wikimedia.org/r/111386
https://gerrit.wikimedia.org/r/#/c/126008/1
Can you try again and report results please?
Firefox isn't showing it as invalid now with a fresh profile, and http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org is showing all green.
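The mismatch diagnosed in this thread (a chained file built with an intermediate that did not sign the certificate) can be caught before deployment with `openssl verify`. The script below is an added example, not code from this bug or from the puppet repository; every key, certificate, subject name and file name in it is constructed, and it assumes an `openssl` binary with its default configuration file.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed for the demo.

# chain_ok ROOTS.pem CHAINED.pem
# True only if the leaf (first certificate in CHAINED) validates against ROOTS
# using just the extra certificates in CHAINED, as a client with a fresh trust
# store would. Output is matched instead of the exit status for portability.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>/dev/null | grep -q ': OK$'
}

# issue NAME SUBJECT SIGNER EXTFILE: create NAME.key and NAME.pem signed by SIGNER.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 2 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
}

# make_demo_pki DIR: root -> issuing CA -> leaf, plus an unrelated CA under the
# same root, and two candidate chained files for the leaf.
make_demo_pki() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Root' \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 &&
    issue "$d/issuing" '/CN=Constructed Issuing CA' "$d/root" "$d/ca.ext" &&
    issue "$d/other" '/CN=Constructed Other CA' "$d/root" "$d/ca.ext" &&
    issue "$d/leaf" '/CN=star.example.test' "$d/issuing" "$d/leaf.ext" &&
    cat "$d/leaf.pem" "$d/other.pem" > "$d/wrong.chained.pem" &&  # wrong intermediate
    cat "$d/leaf.pem" "$d/issuing.pem" > "$d/right.chained.pem"   # actual issuer
}

dir=$(mktemp -d) && make_demo_pki "$dir" || exit 1
for f in wrong right; do
    if chain_ok "$dir/root.pem" "$dir/$f.chained.pem"; then
        echo "$f.chained.pem: chain verifies"
    else
        echo "$f.chained.pem: cannot build a path to a trusted root"
    fi
done
rm -rf "$dir"
```

Desktop browsers that already have the intermediate cached can hide this failure, which is why the check passes only the root as trusted.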