Closed Bug 1257214 Opened 8 years ago Closed 5 years ago

Thunderbird Bouncer links go to download.cdn.mozilla.net, showing cert error page

Categories

(Cloud Services :: Operations: Product Delivery, task)

task
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kohei, Unassigned)


Click one of the links on 
https://www.mozilla.org/en-US/thunderbird/ or
https://www.mozilla.org/en-US/thunderbird/all/
and you'll be redirected to https://download.cdn.mozilla.net/ that shows the insecure connection error. Please fix it ASAP.
Component: Releases → Operations: Product Delivery
Product: Release Engineering → Cloud Services
QA Contact: rail → oremj
this is what I get:

curl -IL https://download.mozilla.org/\?product\=thunderbird-38.7.0\&os\=linux64\&lang\=en-US  
HTTP/1.1 302 Found
Cache-Control: max-age=60
Content-Length: 132
Content-Type: text/html; charset=utf-8
Date: Wed, 16 Mar 2016 16:36:43 GMT
Location: http://download.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/linux-x86_64/en-US/thunderbird-38.7.0.tar.bz2
Connection: keep-alive

HTTP/1.1 200 OK
Content-Type: application/x-bzip2
Content-Length: 40804098
Connection: keep-alive
Date: Wed, 16 Mar 2016 16:36:44 GMT
x-amz-replication-status: COMPLETED
x-amz-version-id: HBC0JoUcOHRE7E0XF2ryRHbUROWdZJkk
Last-Modified: Sun, 13 Mar 2016 23:45:48 GMT
ETag: "8fffff6de0b9655fd164820040a0d356"
Accept-Ranges: bytes
Server: AmazonS3
Via: 1.1 c274b14065f0d653675570ea1c144eb2.cloudfront.net (CloudFront), 1.1 b04a4cffa8fb4f524ff7edcab1b5ae31.cloudfront.net (CloudFront)
X-Cache: Miss from cloudfront
X-Amz-Cf-Id: FHpee5x8V6e4F5c2l5litmn70e3Qtx8WQ5QCEx8Ix_2n4g3kWT37Aw==


No https://download.cdn.mozilla.net/ in the redirects...
I've also verified that bouncer has no references to https://download.cdn. Do you have an addon that is forcing https?
The error page says "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

The error is gone once the NoScript extension is disabled.
See Also: → 1258291
The http downgrade is also reported in bug 1228502.
See Also: → 1228502
download.cdn.mozilla.net wasn't intended as an HTTPS endpoint. I've added a cert for now, since it seems the thunderbird builds are not going to download-installer and a fair number of people are forcing SSL.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
I had to roll this back, because of some weirdness in our Akamai control panel around this endpoint. No traffic was affected.

Let's keep this closed in favor of bug 1228502
Bug 1228502 is fixed today.
Can we reopen this for those duplicated Firefox download error bugs?

Or we need to reopen those bugs for Firefox download endpoint in bug 1232305, bug 1258291, bug 1258275.
oops, I mean bug 1262305, bug 1258291 and bug 1258275
I think this should be solved anyway. Can you please fix the firefox-latest and thunderbird-latest products, currently leading to the problematic download.cdn.mozilla.net endpoint? This is blocking Bug 937865.
Blocks: 937865
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Rail, it looks like firefox-latest and thunderbird-latest point at HTTP endpoints. Should they be sent over SSL instead?

We also have firefox-latest-SSL and thunderbird-latest-SSL products for this case. Is this only an issue for people who are forcing SSL everywhere?
Flags: needinfo?(rail)
Looking at this now...
(In reply to Kohei Yoshino [:kohei] from comment #15)
> Looks like the most of -latest products are broken. See:
> https://docs.google.com/spreadsheets/d/1F8PeBWiR5LP3xnWU1Jlp59gvDMOzFX4wBiHVHXZCXDc
> 
> The -latest-SSL products are 404:
> https://download.mozilla.org/?product=firefox-latest-SSL&os=win&lang=en-US
> https://download.mozilla.org/?product=thunderbird-latest-SSL&os=win&lang=en-US


I don't think we add latest-SSL aliases, see https://dxr.mozilla.org/mozilla-central/search?q=path%3Atesting%2Fmozharness%2Fconfigs%2Freleases%2Fbouncer+alias&redirect=false&case=false
(In reply to Jeremy Orem [:oremj] from comment #14)
> Rail, it looks like firefox-latest and thunderbird-latest point at HTTP
> endpoints. Should they be sent over SSL instead?

I think it was intentional to be backward compatible with something (stub installer? web site?). So I'm not sure. I'd keep them as is.

> We also have firefox-latest-SSL and thunderbird-latest-SSL products for this
> case. Is this only an issue for people who are forcing SSL everywhere?

I think you mean "we can add" ;) I just checked bouncer admin for aliases we have and don't see anything with SSL in name. It shouldn't be hard to add these aliases and use them on the website instead of firefox-latest.
Flags: needinfo?(rail)

@Rail, checking on the health of this bug. Is this still needed?

Flags: needinfo?(rail)

I'm going to close this as FIXED, no more http://:

curl -IL https://download.mozilla.org/\?product\=thunderbird-38.7.0\&os\=linux64\&lang\=en-US  
HTTP/1.1 302 Found
Cache-Control: max-age=60
Content-Length: 143
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Aug 2019 19:45:50 GMT
Location: https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/linux-x86_64/en-US/thunderbird-38.7.0.tar.bz2
Connection: keep-alive

HTTP/2 200 
content-type: application/x-bzip2
content-length: 40804098
x-amz-replication-status: COMPLETED
last-modified: Sun, 13 Mar 2016 23:45:48 GMT
x-amz-version-id: HBC0JoUcOHRE7E0XF2ryRHbUROWdZJkk
accept-ranges: bytes
server: AmazonS3
via: 1.1 7d5b81244bd8116fcbcfa4c6fef02f93.cloudfront.net (CloudFront), 1.1 6d4ee90b03b8194eed74421e603ee2a8.cloudfront.net (CloudFront)
date: Thu, 29 Aug 2019 08:49:04 GMT
etag: "8fffff6de0b9655fd164820040a0d356"
age: 61001
x-cache: Hit from cloudfront
x-amz-cf-pop: IAD89-C2
x-amz-cf-id: aZnxG2jHIZj4ptyWmCFjGx6MLy-IxThmlgizipj6r4ImPRwUcXcHzg==
Status: REOPENED → RESOLVED
Closed: 8 years ago → 5 years ago
Flags: needinfo?(rail)
Resolution: --- → FIXED
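
The two `curl -IL` captures in this bug differ only in the scheme and host of the bouncer's `Location` header, and the HTTPS-to-HTTP hop in the first one is what broke for clients that force HTTPS. As an added example (not part of the original bug and not bouncer's code), the following parses that kind of header dump and reports every hop that drops from https to http. The function names are hypothetical and the sample captures are abbreviated from the ones quoted above.

```python
from urllib.parse import urljoin, urlsplit

# Start URL and headers abbreviated from the two curl captures in this bug.
START = "https://download.mozilla.org/?product=thunderbird-38.7.0&os=linux64&lang=en-US"
PATH = "/pub/thunderbird/releases/38.7.0/linux-x86_64/en-US/thunderbird-38.7.0.tar.bz2"
CAPTURE_2016 = f"""HTTP/1.1 302 Found
Cache-Control: max-age=60
Location: http://download.cdn.mozilla.net{PATH}

HTTP/1.1 200 OK
Server: AmazonS3
"""
CAPTURE_2019 = f"""HTTP/1.1 302 Found
Cache-Control: max-age=60
Location: https://download-installer.cdn.mozilla.net{PATH}

HTTP/2 200
server: AmazonS3
"""


def redirect_hops(start_url, header_dump):
    """Rebuild the URL chain from `curl -IL` style header output."""
    chain, is_redirect = [start_url], False
    for raw in header_dump.splitlines():
        line = raw.strip()
        if line.upper().startswith("HTTP/"):
            # Status line opens a new response block; note whether it is a 3xx.
            parts = line.split()
            is_redirect = len(parts) > 1 and parts[1].startswith("3")
            continue
        name, sep, value = line.partition(":")
        if is_redirect and sep and name.strip().lower() == "location":
            # Location may be relative, so resolve it against the current hop.
            chain.append(urljoin(chain[-1], value.strip()))
            is_redirect = False  # one Location per response
    return chain


def find_downgrades(start_url, header_dump):
    """Return (from_url, to_url) for every hop that drops from https to http."""
    chain = redirect_hops(start_url, header_dump)
    return [(src, dst) for src, dst in zip(chain, chain[1:])
            if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]


if __name__ == "__main__":
    for label, dump in (("2016", CAPTURE_2016), ("2019", CAPTURE_2019)):
        print(label, find_downgrades(START, dump) or "no downgrade")
```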