Closed Bug 1852785 Opened 2 years ago Closed 2 years ago

Renew hg.cdn.mozilla.net, Expires Sep 15 23:59:59 2023 GMT

Categories

(Developer Services :: Mercurial: hg.mozilla.org, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jason, Unassigned)

Details

  • Server certificate:
  • subject: C=US; ST=California; L=Mountain View; O=Mozilla Corporation; CN=hg.cdn.mozilla.net
  • start date: Sep 15 00:00:00 2022 GMT
  • expire date: Sep 15 23:59:59 2023 GMT
  • subjectAltName: host "hg.cdn.mozilla.net" matched cert's "hg.cdn.mozilla.net"
  • issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
  • SSL certificate verify ok.

This certificate has been renewed:

% openssl s_client -connect hg.cdn.mozilla.net:443 -servername hg.cdn.mozilla.net
CONNECTED(00000006)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = hg.cdn.mozilla.net
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=hg.cdn.mozilla.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=hg.cdn.mozilla.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4509 bytes and written 378 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES128-GCM-SHA256
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1694558843
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
read R BLOCK
DONE
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Regressions: 1852863

I rolled this deployment back because it was breaking CI. My best working guess is that maybe it was barfing on the inclusion of the ISRG Root X1 CA in the certificate chain. I will try deploying this tomorrow w/o that in the certificate chain.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Duplicate of this bug: 1852863

We tried deploying the Let's Encrypt certificate without the ISRG Root X1 in the certificate chain, but workers still failed to clone from hg.cdn.mozilla.net with the same error. I've requested a DigiCert certificate, Order #509098479, and I'll switch to that once it's been issued.

Certificate has been rotated

Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
See Also: → 1915855
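
A pre-rollout check for the kind of change recorded in this bug, as an added example (not from the bug or from Mozilla's tooling): it parses the "Certificate chain" block of `openssl s_client` output in the layout shown above and reports a change of issuing CA plus any certificates served beyond the leaf and one intermediate. The sample text is constructed from the output in this bug; the function names and the slash-form `OLD_ISSUER` string are assumptions.

```python
import re

# Constructed sample: the "Certificate chain" block as printed in this bug
# (older OpenSSL "s:/..." layout; newer releases print "s:CN = ..." instead).
SAMPLE = """\
---
Certificate chain
 0 s:/CN=hg.cdn.mozilla.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
# Issuer of the certificate being replaced, taken from the bug's first listing
# and rewritten (assumption) in the slash form used above.
OLD_ISSUER = "/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1"

_SUBJ = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISS = re.compile(r"^\s+i:(.*)$")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, pending, in_block = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.startswith("---"):
            break
        elif in_block and (m := _SUBJ.match(line)):
            pending = (int(m.group(1)), m.group(2).strip())
        elif in_block and pending and (m := _ISS.match(line)):
            chain.append((*pending, m.group(1).strip()))
            pending = None
    return chain

def review_chain(text, expected_issuer):
    """List differences worth a look before the new chain is served."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'Certificate chain' block found")
    findings = []
    if chain[0][2] != expected_issuer:
        findings.append(f"issuer changed: {expected_issuer} -> {chain[0][2]}")
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # each issuer should be the next subject
            findings.append(f"chain break after depth {depth}")
    for depth, subject, issuer in chain[2:]:  # beyond leaf + one intermediate
        kind = "self-signed root" if subject == issuer else f"issued by {issuer}"
        findings.append(f"extra cert at depth {depth}: {subject} ({kind})")
    return findings
```

Run against the sample, `review_chain(SAMPLE, OLD_ISSUER)` reports the DigiCert-to-R3 issuer change and the third certificate (ISRG Root X1 issued by DST Root CA X3).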