Closed Bug 398936 Opened 17 years ago Closed 17 years ago

Need multiple wildcard SSL certificates for staging/dev/test sites

(mozilla.org Graveyard :: Server Operations, task)
RESOLVED FIXED

(Reporter: reed, Assigned: mrz)

A wildcard SSL certificate should be purchased for "*.stage.mozilla.com" so that websites one-level underneath the subdomain can use the certificate without being broken on browsers that correctly implement RFC 2818.

http://wiki.cacert.org/wiki/WildcardCertificates explains some of the differences in how browsers treat wildcard certificates. A wildcard certificate for "*.mozilla.com" only works for "www.stage.mozilla.com" because bug 159483 hasn't been fixed yet. Once that bug is (ever) fixed, the SSL certificate will be completely invalid for that hostname.

Note that even a wildcard SSL certificate for *.stage.mozilla.com will not work for en-us.www.stage.mozilla.com or even www.trunk.stage.mozilla.com, so the geocoding in the URL may need to be dropped along with renaming "www.trunk" to "www-trunk" or something.
If the geocoding is dropped from the hostnames, then _another_ SSL certificate for *.www.mozilla.com wouldn't be needed. If it is kept, then a wildcard SSL certificate for *.www.mozilla.com would need to be purchased to keep https:// sites under that subdomain working.
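The matching rule this bug keeps coming back to, as an added example that is not part of the original bug report: under RFC 2818 section 3.1 a `*` in a certificate name matches exactly one DNS label, so `*.stage.mozilla.com` covers `www.stage.mozilla.com` but not `en-us.www.stage.mozilla.com` or `www.trunk.stage.mozilla.com`. The `single_label=False` switch reproduces the lenient multi-label matching the reporter says bug 159483 still allowed; the hostnames are the ones named in the bug, and the function names are my own.

```python
# Example code written for this page; not Mozilla's or any browser's code.

def matches_hostname(pattern: str, host: str, single_label: bool = True) -> bool:
    """Return True if certificate name `pattern` covers `host`.

    single_label=True follows RFC 2818 s3.1: '*' matches exactly one label,
    e.g. *.a.com matches foo.a.com but not bar.foo.a.com.
    single_label=False is the lenient behaviour the bug attributes to
    bug 159483, where '*' may span several labels.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if pattern.count("*") != 1:
        return False  # RFC 2818 examples use a single wildcard character
    head, tail = pattern.split("*", 1)
    if not host.startswith(head) or not host.endswith(tail):
        return False
    middle = host[len(head):len(host) - len(tail)]
    if not middle:
        return False  # the wildcard must stand for at least one character
    if single_label and "." in middle:
        return False  # strict mode: wildcard must not cross a label boundary
    return True


def uncovered(hosts, patterns, single_label: bool = True):
    """Hosts that none of `patterns` covers under the chosen matching rule."""
    return [h for h in hosts
            if not any(matches_hostname(p, h, single_label) for p in patterns)]


# Constructed check using the certs generated at the end of the bug and the
# hostnames discussed in the comments.
GENERATED_CERTS = ["*.stage.mozilla.com", "*.php5stage.mozilla.com",
                   "*.authstage.mozilla.com"]
STAGING_HOSTS = ["www.stage.mozilla.com", "www-trunk.stage.mozilla.com",
                 "en-us.www.stage.mozilla.com", "www.trunk.stage.mozilla.com"]

if __name__ == "__main__":
    for h in STAGING_HOSTS:
        print(f"{h:32} strict={matches_hostname('*.stage.mozilla.com', h)}"
              f" lenient={matches_hostname('*.mozilla.com', h, False)}")
    print("not covered by generated certs:", uncovered(STAGING_HOSTS, GENERATED_CERTS))
```

Running it shows why the reporter wants `www.trunk` renamed to `www-trunk`: only the two multi-label hostnames fall outside the three generated wildcard certs.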
We are using self-signed certs for stage - one from our root will need to be generated.
As I mentioned in bug 398934, comment #2, in order to use self-signed SSL certificates with all browsers, you'll need multiple wildcard SSL certificates to match the different variations of sites under the staging environment. My initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com, www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there may easily be more needed depending on how some of the other staging sites work.

Raising this to major since this bug and bug 398935 block all use of staging sites (besides https://www.trunk.stage.mozilla.com, which is pretty useless on its own) currently.
Severity: normal → major
Summary: Need a wildcard SSL certificate for *.stage.mozilla.com → Need multiple wildcard SSL certificates for *.stage.mozilla.com
Assignee: server-ops → mrz
Also need one for *.authstage.mozilla.com.
Could also do one for *.mozilla-europe.org to actually fix bug 387335. If you don't want to do a wildcard one, you can just do certs for "stage.mozilla-europe.org" and "backoffice.mozilla-europe.org" that are signed by the Mozilla Root Cert.
Summary: Need multiple wildcard SSL certificates for *.stage.mozilla.com → Need multiple wildcard SSL certificates for staging/dev/test sites
(In reply to comment #3)
> As I mentioned in bug 398934, comment #2, in order to use self-signed SSL
> certificates with all browsers, 

Is this related to self-signed certs or hostname mismatches?  If I bought a cert from someone this wouldn't be an issue?

> you'll need multiple wildcard SSL certificates
> to match the different variations of sites under the staging environment. My
> initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com,
> www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there
> may easily be more needed depending on how some of the other staging sites
> work.

This is going to eat up gobs of IP addresses - is there some other way the same can be accomplished?
(In reply to comment #6)
> (In reply to comment #3)
> > As I mentioned in bug 398934, comment #2, in order to use self-signed SSL
> > certificates with all browsers, 
> 
> Is this related to self-signed certs or hostname mismatches?  If I bought a
> cert from someone this wouldn't be an issue?

Hostname mismatches. You would still have the problem if you bought a *.mozilla.com wildcard SSL certificate and tried to use it with en-us.www.stage.mozilla.com. Sorry if I implied it only had to do with self-signed certificates.

> > you'll need multiple wildcard SSL certificates
> > to match the different variations of sites under the staging environment. My
> > initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com,
> > www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there
> > may easily be more needed depending on how some of the other staging sites
> > work.
> 
> This is going to eat up gobs of IP addresses - is there some other way the same
> can be accomplished?

If bug 398938 is fixed, you would only need certificates (and therefore IPs) for *.stage.mozilla.com, one for *.authstage.mozilla.com, one for *.php5stage.mozilla.com, and the mozilla-europe ones. You would need to rename "www.trunk.stage.mozilla.com" to "www-trunk.stage.mozilla.com" for this, but that's easy, and it wouldn't cause much trouble (just need to notify people).
Generated wildcard certs for:

*.stage.mozilla.com
*.php5stage.mozilla.com
*.authstage.mozilla.com

Resolving.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard