Closed Bug 1258133 Opened 9 years ago Closed 9 years ago

Certificate error on aus5.external.zlb.scl3.mozilla.com

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Product:
Infrastructure & Operations
Component:
SSL Certificates
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: iiiiikolor, Assigned: nmaul)

References

Details

(Keywords: reproducible, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2730] )

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Build ID: 20160319030558 Steps to reproduce: Hi during update Nightly is connect with not secure website .Mozilla should know about it. aus5.external.zlb.scl3.mozilla.com Actual results: aus5.external.zlb.scl3.mozilla.com Your connection is not secure Expected results: The owner of aus5.external.zlb.scl3.mozilla.com has configured their website improperly. To protect your information from being stolen, Nightly has not connected to this website.
Assignee: nobody → server-ops-webops
Status: UNCONFIRMED → NEW
Has Regression Range: --- → irrelevant
Has STR: --- → yes
Component: Untriaged → WebOps: SSL and Domain Names
Ever confirmed: true
Keywords: reproducible
Product: Firefox → Infrastructure & Operations
QA Contact: smani
Version: 48 Branch → unspecified
See Also: → 1258123
Summary: update Nightly → Certificate error on aus5.external.zlb.scl3.mozilla.com
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2730]
Mozilla team is update Nightly by not secure connection https://aus5.external.zlb.scl3.mozilla.com/ 63.245.213.47 NICE !!!
Assignee: server-ops-webops → jthomas
Assignee: jthomas → server-ops-webops
This is expected behavior... that's not the URL that Firefox/Nightly is supposed to be using. Investigating...
Check your about:config... app.update.url should look like this one here: https://github.com/mozilla/gecko-dev/blob/master/browser/app/profile/firefox.js#L164 It sounds like yours has been changed away from the default.
Assignee: server-ops-webops → nmaul
Yeah...this is very strange. My first thought is there's a proxy doing something funny or something. More information would be helpful. If you can do the following, it would be great: * Open "about:config" and set "app.update.log" to true * Open the Browser Console and clear it * Open the About window to check for an update and hopefully reproduce the error * Paste the output from the Browser Console here
The correct URL to use here is https://aus5.mozilla.org/ - you're seeing a name mismatch because your profile is broken somehow. Please create a new profile on Nightly and provide the default value of about:config "app.update.url" from that new profile. Temporarily resolving this bug as WORKSFORME, but please feel free to reopen if your "app.update.url" on a *fresh profile only* is anything other than http://aus4 or aus5.mozilla.org. This bug will not qualify for a security bounty, as the cert name mismatch is due to accessing the aus5.mozilla.org endpoint using an unsupported hostname.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(kolor33)
Resolution: --- → WORKSFORME
I do not change nothing is is a clear installation. The about:config... app.update.url is bottom !!! https://aus5.mozilla.org/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
Flags: needinfo?(kolor33)
look how Nighty is connect. http://postimg.org/image/3qc2u3p05/
The remote hostname shown by that tool is derived from the reverse DNS of the IP address the browser is connecting to. The target hostname your browser connects to - aus5.mozilla.org, correctly, as shown in your comment 6 and our various comments - resolves to the IP: aus5.mozilla.org is an alias for aus5.external.zlb.scl3.mozilla.com. aus5.external.zlb.scl3.mozilla.com has address 63.245.213.49 aus5.external.zlb.scl3.mozilla.com has address 63.245.213.47 aus5.external.zlb.scl3.mozilla.com has address 63.245.213.48 Each of these IPs reverse-resolve to the hostname you see in your tool: 47.213.245.63.in-addr.arpa domain name pointer aus5.external.zlb.scl3.mozilla.com. 48.213.245.63.in-addr.arpa domain name pointer aus5.external.zlb.scl3.mozilla.com. 49.213.245.63.in-addr.arpa domain name pointer aus5.external.zlb.scl3.mozilla.com. And as you've observed, that hostname resolves *as well*: aus5.external.zlb.scl3.mozilla.com has address 63.245.213.48 aus5.external.zlb.scl3.mozilla.com has address 63.245.213.49 aus5.external.zlb.scl3.mozilla.com has address 63.245.213.47 However, the certificate provisioned for those three IP addresses is only for "aus5.mozilla.org", which is correct and behaving as expected. While you were able to find another hostname that resolves to those same IPs, that hostname is not used by our product and thus you will receive a CN (hostname) mismatch warning when accessing it.
You need to log in before you can comment on or make changes to this bug.