Closed Bug 1258123 Opened 8 years ago Closed 8 years ago

Certificate error on https://download.cdn.mozilla.net/

Product/Component: Release Engineering :: Release Requests
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED WONTFIX
Reporter: pederick
Assignee: Unassigned
Keywords: reproducible
Attachments: 1 file

Attached file mozcdn_err.txt
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160303134406

Steps to reproduce:

1. Visit https://www.mozilla.org/thunderbird/
2. Click the big green download button.
3. Receive error message.

Given that it's a CDN and so geographical issues are a possibility, it may or may not be relevant that I'm in Australia.

Actual results:

(Firefox's error message...)
The owner of download.cdn.mozilla.net has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

download.cdn.mozilla.net uses an invalid security certificate. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net Error code: SSL_ERROR_BAD_CERT_DOMAIN

(Details from that last link are in the attached file. Chrome reports much the same, although it will let me proceed, HSTS be damned...)
This server could not prove that it is download.cdn.mozilla.net; its security certificate is from a248.e.akamai.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Expected results:

Not having a certificate error.

I should have mentioned the actual URLs resulting in each of the "steps to reproduce"...
1. This step redirects to https://www.mozilla.org/en-US/thunderbird/
2. The button URL is https://download.mozilla.org/?product=thunderbird-38.7.0&os=win&lang=en-US
3. The ultimate destination is https://download.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/win32/en-US/Thunderbird%20Setup%2038.7.0.exe

Same result if I just go to https://download.cdn.mozilla.net/, though.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2729]
Assignee: server-ops-webops → jthomas
Component: WebOps: SSL and Domain Names → Operations: Product Delivery
Product: Infrastructure & Operations → Cloud Services
QA Contact: smani → oremj
Assignee: jthomas → oremj
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2729]
I'm intermittently hitting this error (and got reports from other people).

Now it's working again for me; 5 minutes ago Firefox was displaying an HSTS error, while Chrome said ERR_CERT_COMMON_NAME_INVALID.

I hit this 100% (also in Australia).

The CN I'm seeing is a248.e.akamai.net instead of download.cdn.mozilla.net.

~$ openssl s_client -connect download.cdn.mozilla.net:443
CONNECTED(00000003)
depth=2 /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
   i:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
 1 s:/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
 2 s:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=MA/L=Cambridge/O=Akamai Technologies Inc./CN=a248.e.akamai.net
issuer=/C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA1
---
No client certificate CA names sent
---
SSL handshake has read 4004 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 40A2EE0D6329ED5FFC6CD3458AA3A0AD4D7EB43C3DDEF69981D577CDFB768528
    Session-ID-ctx:
    Master-Key: 6AB4F4CC7C3AE3449E27C9B36BF93DD30D6DDE4C9C6C972286CD7ECDAF2F12B3E7DCB46EA4EE54AFCDAAD4032F151C36
    Key-Arg   : None
    Start Time: 1460967034
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
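As an added illustration (not code from this bug, Mozilla or Akamai), the dNSName matching a browser performs before it raises SSL_ERROR_BAD_CERT_DOMAIN, run against the SAN list quoted in the Firefox error above; the rule set is RFC 6125 section 6.4.3 as browsers apply it, and the list itself is constructed from the page, not fetched live.

```python
# Added example: browser-style hostname check against a certificate's SAN list.
# The SAN list is copied from the Firefox error in this bug (constructed input).
CERT_SANS = [
    "a248.e.akamai.net",
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]


def hostname_matches(hostname: str, dns_names) -> bool:
    """True if hostname is covered by one of the certificate's dNSName SANs.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard counts only as the entire left-most label ("*.x.net");
        partial wildcards such as "f*.x.net" are treated as literal labels
      * a wildcard matches exactly one label, so "*.akamaihd.net" covers
        neither "a.b.akamaihd.net", the bare "akamaihd.net", nor any name
        in another zone such as download.cdn.mozilla.net
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for pattern in dns_names:
        pat_labels = pattern.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[1:] != host_labels[1:]:
            continue  # every label right of the first must match literally
        if pat_labels[0] == "*":
            # Refuse wildcards that would cover a whole TLD ("*.net").
            if len(pat_labels) >= 3:
                return True
        elif pat_labels[0] == host_labels[0]:
            return True
    return False


def diagnose(hostname: str, dns_names) -> str:
    """Return the verdict a browser reaches for hostname against dns_names."""
    if hostname_matches(hostname, dns_names):
        return "OK: certificate covers " + hostname
    return ("SSL_ERROR_BAD_CERT_DOMAIN: " + hostname
            + " is not in SAN list " + ", ".join(dns_names))


if __name__ == "__main__":
    print(diagnose("download.cdn.mozilla.net", CERT_SANS))  # the bug's case
    print(diagnose("a248.e.akamai.net", CERT_SANS))         # the name the CDN serves
```

Because the SAN list names only Akamai zones, no Mozilla hostname can match it; that is why Firefox reports a domain error rather than a chain error (the openssl output above shows the chain itself verifying).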
This is expected. download-installer.cdn.mozilla.net has a valid cert and is intended for HTTPS traffic. download.cdn.mozilla.net is intended for HTTP traffic, but I'm looking at options for enabling SSL to fix these edge cases.

We need to keep this domain as is. Please use download-installer.cdn.mozilla.net if SSL is needed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
But at no point did I, the end user, say "wait, I want to use SSL". If I do a Google search for "thunderbird", the first result is *https:*//www.mozilla.org/en-US/thunderbird/. (Of course it is, because Google favours HTTPS nowadays.) If I just type "mozilla.org/thunderbird" (which I think is what I did originally), the server *redirects* me to https://www.mozilla.org/en-US/thunderbird/.

The problem was never actually "this domain isn't doing the right thing". It was "the official Big Green Button points to a domain that isn't doing the right thing, and so I can't download Thunderbird".

On the bright side, it works now, so perhaps "WONTFIX" in this case means "it actually got fixed by something else not discussed here"?
Sorry for the confusion, your bug was valid and was fixed in bug 1228502. I closed this as WONTFIX, since I won't be fixing the certificate on download.cdn.mozilla.net.
Flags: needinfo?(oremj)
See Also: → 1228502
Excuse me, if you have decided to mark this bug as WONTFIX, can you please also have this notation (and the similar ones) rewritten?

http://ftp.mozilla.org/pub/firefox/releases/latest/README.txt

If you use the notation provided in that very document, say

https://download.mozilla.org/?product=firefox-latest&os=win64&lang=it

you will get the SSL_ERROR_BAD_CERT_DOMAIN.
Rail, can you take a look?
Flags: needinfo?(rail)
(In reply to Jeremy Orem [:oremj] from comment #9)
> Rail, can you take a look?

I'm not sure what I can do here. I don't get any issues with any of the URLs mentioned above...

I see redirects to http://, so there shouldn't be any bad cert errors. Maybe this is something like the HTTPS Everywhere addon replacing http with https?
Flags: needinfo?(rail)
(In reply to Rail Aliiev [:rail] from comment #10)
> I'm not sure what I can do here. I don't get any issues with any of URLs
> mentioned above...

The issue doesn't occur when I am behind the office proxy, but does occur when I am surfing the web using the home connection (or this is what I seem to notice).
Assignee: oremj → nobody
Component: Operations: Product Delivery → Releases
Product: Cloud Services → Release Engineering
QA Contact: oremj → rail
See Also: → 1272909
See Also: → 1276848