Closed Bug 1156256 Opened 9 years ago Closed 9 years ago

download.mozilla.org:HTTPS - SSL Cert expiration on 05/05/2015 12:00

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Product:
Infrastructure & Operations
Component:
SSL Certificates
Platform:
x86
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: pir, Assigned: Atoll)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/974] ) 

Mon 05:22:14 PDT [1063] 
  download.mozilla.org:HTTPS - SSL Cert expiration is WARNING: WARNING - 
  Certificate download.mozilla.org expires in 14 day(s) (05/05/2015 12:00). 
  (http://m.mozilla.org/HTTPS+-+SSL+Cert+expiration)
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/974]
Does this domain require a SHA-1 certificate or have cert pinning requirements?
Flags: needinfo?(bhearsum)
There's no pinning requirements on download.mozilla.org that I'm aware of. Any valid SSL cert should be fine.
Flags: needinfo?(bhearsum)
Assignee: server-ops-webops → rsoderberg
Renewal requested submitted in portal with expiration 29-DEC-2016 and emailed Digicert support to force it as a SHA1 renewal.
I checked with rstrong regarding the stub installer on windows, and it makes an http request to download.m.o so there's no issue there.
This bug does not require infra-lock.
Group: infra
Kamil and Marcia, if either of you can verify that the stub installer still works after this change it would be appreciated. It is my understanding that this will be happening very soon.
Flags: needinfo?(mozillamarcia.knous)
Flags: needinfo?(kjozwiak)
The new certificate is issued and available to install on the server. I'll wait until tomorrow morning before doing this, to try and coordinate testing with Kamil/Marcia.
SHA-1 cert deployed to PHX1 and SCL3 external zeus clusters.
Robert/Richard: Now that I am a QA community manager, I am not actively testing Desktop. Can you please work with Kamil regarding this request? Thanks.
Flags: needinfo?(mozillamarcia.knous)
Sure thing.
- Win XP Pro SP2 x86: PASSED
- Win XP Pro SP3 x86: PASSED
- Win XP Pro SP2 x64: PASSED

Went through the following test cases twice using each of the OS's listed above:

* Using IE8, visited https://download.mozilla.org without getting any certificate issues/warnings
** clicked on "Compatibility View" and the certificate window appeared green without any issues
** I had to use IE6 on SP2 x86 because that VM instance isn't fully update (but the lock appeared at the bottom indicating that the connection is secure without any errors/warnings)

* Downloaded the stub installer via https://download.mozilla.org (re-directed to https://www.mozilla.org/en-US/firefox/new/)
** downloaded and installed FX using the "Firefox Setup Stub 37.0.2.exe" installer without any issues
** launched fx without any issues (visited duckduckgo, facebook, twitter to make sure things were working)

Let me know if this looks good Richard!
Flags: needinfo?(kjozwiak)
That's what I needed to know. Thank you! This is great. IE6 on SP2 x86 is precisely what we needed testing of, so please keep that VM! :)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
This renewal with a date in 2016 means that download.mozilla.org now gives an SSL warning (yellow triangle on the lock icon) in stable Chrome. Is it worth reopening this and getting a new cert for 2015? See also bug 1064387.

Gerv
(In reply to Gervase Markham [:gerv] from comment #13)
> This renewal with a date in 2016 means that download.mozilla.org now gives
> an SSL warning (yellow triangle on the lock icon) in stable Chrome. Is it
> worth reopening this and getting a new cert for 2015? See also bug 1064387.

This needs to be filed as a new bug, but I absolutely agree that we should reconsider the DEC 2016 termination date for SHA-1 support.
You need to log in before you can comment on or make changes to this bug.