Closed
Bug 1155525
Opened 9 years ago
Closed 9 years ago
SAN SSL certificate for bzr.bugzilla.org; lists.bugzilla.org
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: justdave, Assigned: Atoll)
References
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/962] )
Attachments
(2 files)
We have an existing SSL certificate for lists.bugzilla.org. bzr.bugzilla.org now lives on the same server with it, and being unsure whether the bzr client can do SNI or not, it's safer to go with a SAN certificate that works with both domains. The key we're using was originally generated by webops and placed into puppet for mailman4.mail.corp.phx1.mozilla.com. If it still exists, feel free to use that to generate the new csr/certificate. If not, I don't mind installing a new key. Thanks!
Emailed Digicert asking if we can upgrade this to a SAN certificate, since it's a 3-year expiry.
Flags: needinfo?(rsoderberg)
Reporter | ||
Comment 2•9 years ago
|
||
Been checking through docs, and as of bzr version 2.5, it does support SNI, so we could do separate certs. Versions of bzr prior to 2.5 didn't support SNI but also didn't bother to validate the SSL cert, so they won't care anyway. On the other hand, if Digicert will let you upgrade the existing cert that would likely be cheaper than getting a new one...
If you make the bzr cert the primary cert on the server, and use SNI for lists.bugzilla.org, then that would serve your needs as well (and we wouldn't need to issue any new certs, so no additional cost at all), since the browsers all support SNI and bzr wouldn't need to. It sounds like we can do SNI here, with the existing separate certs, and reissuing the bzr cert will change its fingerprint (which is a hassle for users), so I'm voting for the SNI strategy here. If that's acceptable, you can RESO WFM this bug; otherwise, let me know and I'll proceed with issuing a new SAN cert and coordinate a swap with you so we can issue a refund.
Flags: needinfo?(rsoderberg) → needinfo?(justdave)
Reporter | ||
Comment 4•9 years ago
|
||
Except that we don't have a cert for bzr.bugzilla.org at all, so we'd still need to purchase a cert for that. So we do need one of two things, either 1) A new cert for bzr.bugzilla.org by itself, or 2) a SAN cert that includes both domain names.
Flags: needinfo?(justdave)
Ooh. Hm. You're right, I searched for the wrong domain, I'm sorry. Okay. A SAN cert will be *slightly* (~$20) more expensive for 2 domains, but comes with 4 slots in case you think there will be further domains hosted on this server someday. That cost is fine for us if you think it best,a nd it sounds like SNI adds unneeded complexity here, so I'm inclined towards SAN and will proceed tomorrow with that.
Comment 6•9 years ago
|
||
No longer blocking decommissioning of bzr.m.o; adding directly to the bugzilla infra tracker.
Order #00674058 to replace Order #0045154, waiting for Digicert to issue.
This chained root must be installed alongside the signed server certificate for it to validate.
This certificate, along with its intermediate in attachment 8598392 [details], is associated with the .key file at the usual root-ca location.
Assignee | ||
Comment 10•9 years ago
|
||
Apologies for the delays here - please reopen if you encounter any issues.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 11•9 years ago
|
||
key and cert deployed. the intermediate matches the one we already had. Looks good! Thanks!
Comment 12•9 years ago
|
||
I still get: # bzr pull --remember https://bzr.bugzilla.org/bugzilla/trunk bzr: ERROR: Certificate error: hostname 'bzr.bugzilla.org' doesn't match 'lists.bugzilla.org'
Comment 13•9 years ago
|
||
And even if I use http instead of https, I get: # bzr pull --remember http://bzr.bugzilla.org/bugzilla/trunk http://bzr.bugzilla.org/bugzilla/trunk is permanently redirected to http://bzr.bugzilla.org/bugzilla/trunk/ bzr: ERROR: Cannot lock LockDir(filtered-46246096:///bugzilla/trunk/.bzr/branch/lock): Transport operation not possible: readonly transport
Assignee | ||
Comment 14•9 years ago
|
||
What version of bzr are you using? If you open https://bzr.bugzilla.org in a browser on that same computer, and view the certificate details, does it show: commonName bzr.bugzilla.org serialNumber 02 05 FC 70 86 05 27 D7 9E 9D AF 52 03 53 61 41 ?
Comment 15•9 years ago
|
||
(In reply to Richard Soderberg [:atoll] from comment #14) > What version of bzr are you using? bzr --version Bazaar (bzr) 2.6.0 > commonName bzr.bugzilla.org > serialNumber 02 05 FC 70 86 05 27 D7 9E 9D AF 52 03 53 61 41 Yes, I see that too.
Comment 16•9 years ago
|
||
This could be because of SNI and the bzr client failing on SNI. Note the difference between the following : shyam@katniss ~ $ openssl s_client -connect bzr.bugzilla.org:443 --- Certificate chain 0 s:/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=lists.bugzilla.org i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- and shyam@katniss ~ $ openssl s_client -connect 63.245.223.42:443 -servername bzr.bugzilla.org --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Mozilla Foundation/CN=bzr.bugzilla.org i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- So if this is a requirement, then we'll need to issue a new SSL certificate I guess.
Comment 17•9 years ago
|
||
We can either issue a new SSL cert, or we can tell people to pass "-Ossl.cert_reqs=none" to bzr, which suppresses checking. Given that people are (hopefully) only using this server as a crutch to enable them to make the switch to git, that might be OK. But if we are going to get the cert redone, can we get it done? :-) It's been 3 months... Gerv
Assignee | ||
Comment 18•9 years ago
|
||
We are not planning to redo this cert. SNI was added in TLS 1.0. Any client that doesn't support it will need to use the workaround. I assume later versions of bzr repair SNI support. However as this server is, as you state, "a crutch to enable them to make the switch to git", this is an acceptable state of affairs for the server to operate in.
You need to log in
before you can comment on or make changes to this bug.
Description
•