Closed Bug 398923 Opened 17 years ago Closed 15 years ago

https://mozilla.com and https://mozilla.org display SSL certificate mismatch errors

Categories

(mozilla.org Graveyard :: Server Operations: Projects, task, P5)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: reed, Unassigned)

Details

https://mozilla.com and https://mozilla.org are giving certificate mismatch errors because the SSL certificates are actually for *.mozilla.com and *.mozilla.com, which doesn't match mozilla.com and mozilla.org. See bug 398915 for more details.

Since the patch in bug 327181 landed (for Firefox 3), SSL certificate mismatch errors are not going to be very easy to bypass anymore, so it's not just some error you can easily "get around". The easy fix would probably be to just get two simple SSL certificates for mozilla.com and mozilla.org.

or in other words, https://site.tld/ should match SSL certificate issued for "*.site.tld"


(In reply to comment #0)
> The easy fix would probably be to just get
> two simple SSL certificates for mozilla.com and mozilla.org.

That would seem to suggest that everyone's going to have at least two certs for their sites, one for www.domain.com and one for domain.com (and eat two IP addresses at the same time).  

That can't possibly be the right fix, can it?

Nobody should be using mozilla.org or mozilla.com.  That's why everywhere we link to it uses the www. in front.  In fact, there are very few places we link the https version at all.  It's there as a courtesy to people who want to make sure they've got the right site (and also to allow css and images on that site to be used from other https sites without a broken lock icon).
Depends on: 398949
wontfix'ing per comment #3
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Why don't we redirect from https://mozilla.org/ to https://www.mozilla.org and from https://mozilla.com/ to https://www.mozilla.com/?
Would that fix the cert mismatch errors?

No, because SSL negotiation happens first, before the redirect - you'd get a cert warning (or failure to connect) and then a redirect.

The new cert for *.mozilla.com will fix https://mozilla.com. https://mozilla.org will still be broken until a new certificate has been generated in a year or two.
Status: RESOLVED → REOPENED
Component: Server Operations → Server Operations: Projects
Resolution: WONTFIX → ---
Assignee: server-ops → nobody
Status: REOPENED → NEW
Changing QA Contact.
QA Contact: justin → mrz
Priority: -- → P5
(In reply to comment #7)
> The new cert for *.mozilla.com will fix https://mozilla.com.
> https://mozilla.org will still be broken until a new certificate has been
> generated in a year or two.

Doesn't look like we got the new cert with SAN support so that's not the case.  That one has a year or so before it expires.

mozilla.org expires in December and we'll get it like that.  Guess we'll sit on this bug until then.
Status: NEW → RESOLVED
Closed: 17 years ago → 15 years ago
Resolution: --- → FIXED
Resolution: FIXED → WONTFIX
Why is this bug marked WONTFIX when comment #7 suggests it will be fixed?
Whoops, I meant comment #9.
Because it wasn't an easy product offering I was able to get through GeoTrust at that time and I still agree with comment #3.
The SSL cert for *.mozilla.org issued in December 2009 doesn't have a SAN extension so doesn't fix this problem (no SAN extension also means it's broken WRT the 5280 RFC).

What could be the procedure to make sure you don't forget to ask for a SAN the next time?
(In reply to comment #14)
> (no SAN extension also means it's broken WRT the 5280 RFC).

That is bug 553749.  This bug was considered a WONTFIX on its own merits (comment #3) but is likely to be fixed along with bug 553749.
The problem is still present on https://mozilla.org
Product: mozilla.org → mozilla.org Graveyard
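
One way to approach the procedural question raised in the thread (checking, before a certificate is ordered or deployed, that it covers both the bare domain and the www name), as an added example that is not part of the original bug discussion. It applies RFC 6125-style wildcard matching to a list of SAN dNSName entries; the function names and the sample SAN lists are constructed for illustration.

```python
# Added example (not from the bug thread): check that a certificate's SAN
# dNSName entries cover every hostname the site is served on.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """RFC 6125-style match of one SAN dNSName against one hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.site.tld"
        # (3 labels) can never match "site.tld" (2 labels).
        return False
    if p[0] == "*":
        # Assumption of this example: refuse wildcards directly under a
        # top-level label such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    # Partial wildcards ("w*.site.tld") are treated as literals here.
    return p == h

def uncovered(required_hosts, san_dns_names):
    """Return the required hostnames that no SAN entry matches."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_dns_names)]

# Constructed sample data: hostnames to serve, and SAN lists as they would
# be read from a certificate or CSR before ordering or deploying it.
REQUIRED = ["mozilla.org", "www.mozilla.org"]
WILDCARD_ONLY = ["*.mozilla.org"]
WILDCARD_PLUS_APEX = ["*.mozilla.org", "mozilla.org"]
NO_SAN = []  # no SAN extension; this example does not fall back to the CN

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("no SAN", NO_SAN)]:
        missing = uncovered(REQUIRED, sans)
        print(f"{label}: {'OK' if not missing else 'MISSING ' + ', '.join(missing)}")
```

Running the same check against the SAN list of a CSR before it is submitted would flag a wildcard-only request while it can still be changed.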