Closed Bug 398934 Opened 17 years ago Closed 17 years ago

https://www.trunk.stage.mozilla.com cannot be viewed using Firefox 3 due to self-signed SSL certificate

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: reed, Unassigned)

Details

When going to https://www.trunk.stage.mozilla.com in one of the recent Firefox 3 builds, one is presented with this error:

An error occurred during a connection to www.trunk.stage.mozilla.com:443 because it uses an invalid security certificate.
The certificate is not trusted or its issuer certificate is invalid.
 (sec_error_unknown_issuer)

There is no way to bypass this error without installing the Mozilla Root Certificate. If you install the Mozilla Root Certificate, sure it would work, but there's no way to find out where this cert might be or how to do it.

Note that this is _not_ a *bug* in Firefox 3. This change has been purposely done for security reasons. See bug 327181 for more information.
This is expected as we are using a self signed cert (and we have been over this numerous times in other bugs) - install the root cert if you need ssl on stage.  It's publicly available.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Where's the documentation on how people can get the certificate and install it (should explain how to do it for multiple browsers, not just Firefox)? The cert isn't available under www.mozilla.com/certs/ yet, so it seems the only place to get the cert is in bug 394364 (attachment 283371) and in Subversion.

Have people been notified of this change? This is going to all localizers of mozilla.com and anybody that uses the staging environment. This is a major change, so definite notices need to be sent out to warn people of this change.

For self-signed SSL certificates to work correctly, you will need proper SSL certificates for all the staging sites, which means multiple wildcard SSL certificates (*.stage.mozilla.com, *.www.stage.mozilla.com, www.trunk.stage.mozilla.com, *.www.trunk.stage.mozilla.com, etc.). I will update bug 398936 with this list.
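Why the list above needs several entries, as an added example that is not part of the original comment or of Mozilla's tooling: under the RFC 6125 matching rules that current TLS clients apply, a wildcard stands for exactly one leftmost label. The function names and every hostname other than www.trunk.stage.mozilla.com are assumptions made for illustration.

```python
# Added example: single-label wildcard matching for certificate names.
# PATTERNS are the names listed in the comment above. HOSTS other than
# www.trunk.stage.mozilla.com are constructed sample staging hostnames.

PATTERNS = [
    "*.stage.mozilla.com",
    "*.www.stage.mozilla.com",
    "www.trunk.stage.mozilla.com",
    "*.www.trunk.stage.mozilla.com",
]

HOSTS = [
    "www.stage.mozilla.com",
    "de.www.stage.mozilla.com",
    "www.trunk.stage.mozilla.com",
    "de.www.trunk.stage.mozilla.com",
]


def name_matches(pattern, hostname):
    """Return True if one certificate name covers the hostname.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Wildcard consumed the leftmost label; compare the remainder.
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    if any("*" in label for label in p_labels):
        return False  # partial or non-leftmost wildcards are rejected
    return p_labels == h_labels


def covering_patterns(hostname, patterns=PATTERNS):
    """List every certificate name that covers the hostname."""
    return [p for p in patterns if name_matches(p, hostname)]


def uncovered(hostnames, patterns):
    """List the hostnames that no certificate name covers."""
    return [h for h in hostnames if not covering_patterns(h, patterns)]


if __name__ == "__main__":
    for host in HOSTS:
        print(host, "->", covering_patterns(host))
    print("only *.stage.mozilla.com misses:",
          uncovered(HOSTS, ["*.stage.mozilla.com"]))
```
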
(In reply to comment #2)
> Where's the documentation on how people can get the certificate and install it
> (should explain how to do it for multiple browsers, not just Firefox)? The cert
> isn't available under www.mozilla.com/certs/ yet, so it seems the only place to
> get the cert is in bug 394364 (attachment 283371) and in Subversion.

Yes, you're right - a good example of the cart before the horse.  I have documentation on how to import root certificates for all browsers and on all operating systems but I'm stuck on getting the certificates somewhere public folks can grab it from (you pushed back on my initial request and I've been working through the "process" to get it there).  

To close out the first but I just attached it and am working on docs.
(In reply to comment #3)
> I have documentation on how to import root certificates for all browsers and
> on all operating systems but I'm stuck on getting the certificates somewhere
> public folks can grab it from (you pushed back on my initial request and
> I've been working through the "process" to get it there).

I apologize for pushing back on the upload of the cert to mozilla.com, as I had the mistaken idea that you wanted to put the cert there along with documentation. Having the cert on mozilla.com is fine, but any documentation needs to go on http://wiki.mozilla.org or somewhere similar and not on the website itself, as www.mozilla.com isn't the place for that type of documentation.

I have tagged the cert changes for production, so the next time www.mozilla.com is svn up'd, the cert will be available via http://www.mozilla.com/certs/mozilla-root.crt.

Sending        production
Sending        production/.htaccess
Transmitting file data .
Committed revision 7280.

Thank you for working with the process and not against it.
Product: mozilla.org → mozilla.org Graveyard