Create TLS cert and CNAME entry for tiles-cloudfront.cdn.mozilla.net

RESOLVED FIXED

Status

Content Services Graveyard
Tiles: Ops
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: mostlygeek, Assigned: mostlygeek)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

2 years ago
Download of Tiles assets are limited to the mozilla.net domain name. To fix this: 

- request a new TLS cert (does not have to be EV) for tiles-cloudfront.cdn.mozilla.net and install in AWS for cloudfront
- CNAME tiles-cloudfront.cdn.mozilla.net => d1zcd8sq4oecon.cloudfront.net
(Assignee)

Updated

2 years ago
Assignee: nobody → jthomas
(Assignee)

Comment 1

2 years ago
Note: after the switch over yesterday this seems to be affecting: Nightly, Aurora and Beta users. Release users do not have the new code yet: 

blame line: 

fb98b283 browser/modules/DirectoryLinksProvider.jsm (Ed Lee 2015-05-14 16:46:39 -0700 74) const ALLOWED_URL_BASE = new Set(["mozilla.net", ""]);
Added tiles-cloudfront.cdn.mozilla.net to inventory. It will take a few minutes to be live.
(Assignee)

Comment 3

2 years ago
There is a wildcard.cdn.mozilla.net that already exists in cloudformation. We'll be reusing that one.
(Assignee)

Updated

2 years ago
Assignee: jthomas → bwong
(Assignee)

Comment 4

2 years ago
For migration it actually makes more sense to create a new distribution as changing the TLS settings on the current distribution will cause laggard clients requests to break. 

:json could you update the name so: 

- CNAME tiles-cloudfront.cdn.mozilla.net => dcky6u1m8u6el.cloudfront.net
Done.
(Assignee)

Comment 6

2 years ago
Confirmed that new CDN is in place: 

$ curl -s https://tiles-cloudfront.cdn.mozilla.net/desktop-prerelease_tile_index_v3.json | shasum
a32f8ad481f0986f3d265a1ce71c6b4c7c59de4f  -

$ curl -s https://s3-us-west-2.amazonaws.com/tiles-resources-prod-tiless3-qbv71djahz3b/desktop-prerelease_tile_index_v3.json | shasum
a32f8ad481f0986f3d265a1ce71c6b4c7c59de4f  -

Making splice changes to deploy new distribution.
(Assignee)

Comment 7

2 years ago
New splice tiles deployed and now being served from the new CDN: 

$ curl -vL https://tiles.services.mozilla.com/v2/links/fetch/en-US
* Adding handle: conn: 0x7fa1f1004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fa1f1004000) send_pipe: 1, recv_pipe: 0
* About to connect() to tiles.services.mozilla.com port 443 (#0)
*   Trying 52.25.98.110...
* Connected to tiles.services.mozilla.com (52.25.98.110) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.services.mozilla.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /v2/links/fetch/en-US HTTP/1.1
> User-Agent: curl/7.30.0
> Host: tiles.services.mozilla.com
> Accept: */*
>
< HTTP/1.1 303 SEE OTHER
< Content-Type: text/html; charset=utf-8
< Date: Thu, 17 Sep 2015 19:10:15 GMT
< Location: https://tiles-cloudfront.cdn.mozilla.net/desktop/CA/en-US.7731e06be249b34597bcd0f9a152fdfda5a3b7a5.json
< Content-Length: 0
< Connection: keep-alive
<
* Connection #0 to host tiles.services.mozilla.com left intact
* Issue another request to this URL: 'https://tiles-cloudfront.cdn.mozilla.net/desktop/CA/en-US.7731e06be249b34597bcd0f9a152fdfda5a3b7a5.json'
* Adding handle: conn: 0x7fa1f1804400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 1 (0x7fa1f1804400) send_pipe: 1, recv_pipe: 0
* About to connect() to tiles-cloudfront.cdn.mozilla.net port 443 (#1)
*   Trying 54.192.70.246...
* Connected to tiles-cloudfront.cdn.mozilla.net (54.192.70.246) port 443 (#1)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.cdn.mozilla.net
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /desktop/CA/en-US.7731e06be249b34597bcd0f9a152fdfda5a3b7a5.json HTTP/1.1
> User-Agent: curl/7.30.0
> Host: tiles-cloudfront.cdn.mozilla.net
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 4610
< Connection: keep-alive
< Date: Thu, 17 Sep 2015 19:09:38 GMT
< Content-Disposition: inline
< Cache-Control: public, max-age=31536000
< Last-Modified: Thu, 17 Sep 2015 19:07:25 GMT
< ETag: "c64dde7b38ebcf3dc1f24ab5e301b003"
< Accept-Ranges: bytes
* Server AmazonS3 is not blacklisted
< Server: AmazonS3
< Age: 38
< X-Cache: Hit from cloudfront
< Via: 1.1 f676e086f6450666463e6ae1e902b82c.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: xfi8xcBCltImU6n_cdNk4aWoNLVM-T0ThGBh7aA_uo8_GQ1ccYy_-A==

(snip snip)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.