Closed
Bug 1271129
Opened 9 years ago
Closed 9 years ago
Bad Certificate for download.cdn.mozilla.net
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1257214
People
(Reporter: douglasgodfrey, Assigned: ericz)
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2957] )
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Steps to reproduce:
download latest version of Seamonkey
at <https://download.cdn.mozilla.net/pub/seamonkey/releases/2.40/mac/en-US/SeaMonkey%202.40.dmg>
Actual results:
Your connection is not secure
The owner of download.cdn.mozilla.net has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
download.cdn.mozilla.net uses an invalid security certificate. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Expected results:
Either the certificate should have been for download.cdn.mozilla.net
or the download link should have been for akamai.net
Assignee: nobody → server-ops-webops
Component: Untriaged → WebOps: SSL and Domain Names
Product: Firefox → Infrastructure & Operations
QA Contact: smani
Version: 43 Branch → unspecified
Comment 1•9 years ago (Assignee)
I think that is the incorrect link you have. Try https://download.mozilla.org/?product=seamonkey-2.40&os=osx&lang=en-US
Assignee: server-ops-webops → eziegenhorn
Comment 2•9 years ago
(In reply to Eric Ziegenhorn :ericz from comment #1)
> I think that is the incorrect link you have. Try
I don't have actual steps to reproduce yet, but I know a few people who have tried to download Firefox from that server and got the same error message.
https://community.mozilla.org.il/viewtopic.php?f=9&t=12469
Comment 3•9 years ago (Reporter)
I clicked on the link: <https://download.mozilla.org/?product=seamonkey-2.40&os=osx&lang=en-US>
and I get redirected to: <https://download.cdn.mozilla.net/pub/seamonkey/releases/2.40/mac/en-US/SeaMonkey%202.40.dmg>
and get the connection is not secure error
Comment 4•9 years ago (Reporter)
If you are working inside the Mozilla development domain you may have already accepted the certificate and you will not get the error.
I have a policy of never permanently accepting any certificates.
I also delete any root certificate that is revoked by Mozilla or Microsoft or is reported to be selling bogus certificates.
i.e. DigiNotar, and the dodgy Symantec root used for bogus Google certs.
Comment 5•9 years ago (Assignee)
https://download.mozilla.org/?product=seamonkey-2.40&os=osx&lang=en-US redirects to an HTTP link, not HTTPS, so you should not be seeing those SSL errors:
$ curl -v "https://download.mozilla.org/?product=seamonkey-2.40&os=osx&lang=en-US"
* Trying 52.0.158.250...
* Connected to download.mozilla.org (52.0.158.250) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: download.mozilla.org
* Server certificate: DigiCert Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /?product=seamonkey-2.40&os=osx&lang=en-US HTTP/1.1
> Host: download.mozilla.org
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: max-age=60
< Content-Type: text/html; charset=utf-8
< Date: Tue, 17 May 2016 21:50:21 GMT
< Location: http://download.cdn.mozilla.net/pub/seamonkey/releases/2.40/mac/en-US/SeaMonkey%202.40.dmg
< Content-Length: 113
< Connection: keep-alive
<
<a href="http://download.cdn.mozilla.net/pub/seamonkey/releases/2.40/mac/en-US/SeaMonkey%202.40.dmg">Found</a>.
* Connection #0 to host download.mozilla.org left intact
Additionally, for the HTTPS site, the cert is only valid for these domains: a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net
so I don't think it's an issue of having a particular root certificate in your store. The domains just do not match up.
So it seems to me the only issue here is where you are getting the HTTPS url from (https://download.cdn.mozilla.net/pub/seamonkey/releases/2.40/mac/en-US/SeaMonkey%202.40.dmg) as the HTTP links I see on the sites should work fine.
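Added example (not part of the original bug comments): a small Python check showing why the certificate names quoted in comment 5 cannot cover download.cdn.mozilla.net once a client-side rewrite turns the redirect target into https. The function names are illustrative, and the matcher is a simplified RFC 6125-style comparison, not Firefox's implementation.

```python
from urllib.parse import urlsplit

# Names listed in the certificate error quoted in this bug.
CDN_CERT_NAMES = [
    "a248.e.akamai.net",
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]

# Location header from the 302 response shown in comment 5.
REDIRECT_TARGET = ("http://download.cdn.mozilla.net/pub/seamonkey/releases/"
                   "2.40/mac/en-US/SeaMonkey%202.40.dmg")


def name_matches(pattern, host):
    """Simplified RFC 6125-style comparison (assumption: partial-label
    wildcards such as "f*.example.net" are treated as literals).
    A "*" is honoured only as the entire left-most label and stands
    for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(host, names):
    """True if any certificate name matches the requested host."""
    return any(name_matches(n, host) for n in names)


def upgrade_outcome(url, names):
    """Result of forcing the URL's scheme to https when the server
    presents a certificate carrying `names`."""
    host = urlsplit(url).hostname or ""
    return "ok" if cert_covers(host, names) else "SSL_ERROR_BAD_CERT_DOMAIN"


if __name__ == "__main__":
    print(upgrade_outcome(REDIRECT_TARGET, CDN_CERT_NAMES))
    for host in ("media.akamaized.net", "a.b.akamaized.net"):  # constructed hosts
        print(host, cert_covers(host, CDN_CERT_NAMES))
```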
Comment 6•9 years ago
Is it possible that this problem is triggered by users that have the ForceTLS or a similar add-on installed, which redirects non-secure traffic to whitelisted domains to the secured equivalent domain?
I can't reproduce the problem from here (could be a geographical load balancer?) but I was able to reproduce it recently at least once.
Comment 7•9 years ago (Reporter)
I use HTTPS-Everywhere
Comment 8•9 years ago (Assignee)
Ah good call :tomer, I suspect HTTPS-Everywhere is the problem here because that doesn't redirect to HTTPS.
Comment 9•9 years ago (Reporter)
There are two solutions: either notify the EFF to put download.cdn.mozilla.net on the HTTPS-Everywhere exclude list, or fix the certificates on download.cdn.mozilla.net so they are valid.
Report Bugs: <https://www.eff.org/https-everywhere/development>
A large percentage of Firefox users also use HTTPS-Everywhere. More so than users of any other browser.
There probably is no security implication to downloading SeaMonkey but if www.mozilla.org supports HTTPS then all connected web servers should also support HTTPS.
Comment 10•9 years ago
Given that there is a free TLS certificate authority that is co-sponsored by Mozilla as well as Akamai, is there any good reason not to enable a valid HTTPS certificate on the CDN?
Comment 11•9 years ago (Assignee)
There are technical reasons for it to be like it is, and bug looks to be where they are being addressed so I'm going to resolve this as a duplicate of that bug.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE