Last modified: 2014-04-26 18:32:00 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T62833, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 60833 - serve a cert chain with dynamic proxy SSL certificate
Status: RESOLVED FIXED
Product: Wikimedia Labs
Classification: Unclassified
Component: Infrastructure
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2014-02-04 16:12 UTC by Daniel Schwen
Modified: 2014-04-26 18:32 UTC (History)

Description Daniel Schwen 2014-02-04 16:12:25 UTC
While Bug#52630 was fixed and 
http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
has an all green result

http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
gives a warning ("The certificate is not trusted in all web browsers.")

The latter goes through a different server (the Instance Proxy).
Comment 1 Yuvi Panda 2014-02-04 21:14:49 UTC
It is the dynamic proxy, which uses the star.wmflabs.org certificate, which I presume needs to be fixed.
Comment 2 Gerrit Notification Bot 2014-02-04 22:04:51 UTC
Change 111342 had a related patch set uploaded by Tim Landscheidt:
Dynamic proxy: Serve SSL certificate chain

https://gerrit.wikimedia.org/r/111342
Comment 3 Gerrit Notification Bot 2014-02-04 23:59:49 UTC
Change 111342 merged by coren:
Dynamic proxy: Serve SSL certificate chain

https://gerrit.wikimedia.org/r/111342
Comment 4 Gerrit Notification Bot 2014-02-05 00:41:33 UTC
Change 111386 had a related patch set uploaded by Jeremyb:
Dynamic proxy: Serve SSL certificate chain. v2

https://gerrit.wikimedia.org/r/111386
Comment 5 Tim Landscheidt 2014-02-05 00:54:28 UTC
Close, but no cigar.  While using .chained.pem in the Nginx configuration is apparently The Right Thing(TM), the problem lies deeper: manifests/certs.pp's install_certificate creates the chained certificate for star.wmflabs.org with wmf-labs.pem, while the certificate is actually signed by RapidSSL_CA.pem.  The patch by jeremyb should fix this.
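
The mismatch described in comment 5 (a chained file whose bundled intermediate is not the CA that signed the certificate) can be checked locally before deployment. The script below is an added example, not part of the bug report or of Wikimedia's Puppet code; the function names `chain_matches` and `build_demo`, the two demo CAs and `star.example.test` are constructed for illustration, and it assumes the `openssl` command-line tool with its default configuration.

```shell
#!/bin/sh
# Added example: does the intermediate in a "chained" PEM really sign the leaf?

# chain_matches BUNDLE: exit 0 only if the 2nd certificate in BUNDLE issued the 1st.
chain_matches() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem (leaf), cert2.pem (intermediate), ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$1"
    rc=1
    if [ -f "$tmp/cert2.pem" ]; then
        # Trust only the bundled intermediate (-partial_chain lets a non-root
        # certificate act as the anchor); "OK" means it signed the leaf.
        openssl verify -partial_chain -trusted "$tmp/cert2.pem" "$tmp/cert1.pem" \
            2>/dev/null | grep -q ': OK$' && rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# build_demo DIR: constructed test data. "right" stands in for the CA that
# actually signed the certificate, "wrong" for an unrelated CA.
build_demo() {
    for ca in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $ca CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=star.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/right.pem" -CAkey "$1/right.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null || return 1
    cat "$1/leaf.pem" "$1/right.pem" > "$1/good.chained.pem"   # correct intermediate
    cat "$1/leaf.pem" "$1/wrong.pem" > "$1/bad.chained.pem"    # wrong intermediate
}

demo=$(mktemp -d) && build_demo "$demo" || exit 1
for f in good bad; do
    if chain_matches "$demo/$f.chained.pem"; then
        echo "$f.chained.pem: bundled intermediate issued the certificate"
    else
        echo "$f.chained.pem: bundled intermediate did NOT issue the certificate"
    fi
done
rm -rf "$demo"
```

A bundle that fails this check still loads in the web server, which is why the problem only shows up in clients that do not already have the correct intermediate cached.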
Comment 6 FunPika 2014-03-30 13:56:55 UTC
I've noticed that in Firefox with a fresh profile this will lead to users getting the scary looking "This connection is untrusted" message. For something like accounts.wmflabs.org that routinely deals with new users to the project who may not be very tech savvy, this could be a problem.
Comment 7 Gerrit Notification Bot 2014-04-15 15:43:34 UTC
Change 111386 merged by Andrew Bogott:
star.wmflabs.org: fix intermediate CA

https://gerrit.wikimedia.org/r/111386
Comment 8 Daniel Zahn 2014-04-16 10:21:08 UTC
https://gerrit.wikimedia.org/r/#/c/126008/1
Comment 9 Daniel Zahn 2014-04-16 10:21:44 UTC
can you try again and report results please?
Comment 10 FunPika 2014-04-26 18:32:00 UTC
Firefox isn't showing it as invalid now with a fresh profile, and http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org is showing all green.
