Need multiple wildcard SSL certificates for staging/dev/test sites

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations
--
major
RESOLVED FIXED
11 years ago
3 years ago

People

(Reporter: reed, Assigned: mrz)

Tracking

Details

(Reporter)

Description

11 years ago
A wildcard SSL certificate should be purchased for "*.stage.mozilla.com" so that websites one-level underneath the subdomain can use the certificate without being broken on browsers that correctly implement RFC 2818.

http://wiki.cacert.org/wiki/WildcardCertificates explains some of the differences in how browsers treat wildcard certificates. A wildcard certificate for "*.mozilla.com" only works for "www.stage.mozilla.com" because bug 159483 hasn't been fixed yet. Once that bug is (ever) fixed, the SSL certificate will be completely invalid for that hostname.

Note that even a wildcard SSL certificate for *.stage.mozilla.com will not work for en-us.www.stage.mozilla.com or even www.trunk.stage.mozilla.com, so the geocoding in the URL may need to be dropped along with renaming "www.trunk" to "www-trunk" or something.
(Reporter)

Comment 1

11 years ago
If the geocoding is dropped from the hostnames, then _another_ SSL certificate for *.www.mozilla.com wouldn't be needed. If it is kept, then a wildcard SSL certificate for *.www.mozilla.com would need to be purchased to keep https:// sites under that subdomain working.

Comment 2

11 years ago
We are using self-signed certs for stage - one from our root will need to be generated.
(Reporter)

Comment 3

11 years ago
As I mentioned in bug 398934, comment #2, in order to use self-signed SSL certificates with all browsers, you'll need multiple wildcard SSL certificates to match the different variations of sites under the staging environment. My initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com, www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there may easily be more needed depending on how some of the other staging sites work.

Raising this to major since this bug and bug 398935 block all use of staging sites (besides https://www.trunk.stage.mozilla.com, which is pretty useless on its own) currently.
Severity: normal → major
Summary: Need a wildcard SSL certificate for *.stage.mozilla.com → Need multiple wildcard SSL certificates for *.stage.mozilla.com
(Assignee)

Updated

11 years ago
Assignee: server-ops → mrz
(Reporter)

Comment 4

11 years ago
Also need one for *.authstage.mozilla.com.
(Reporter)

Comment 5

11 years ago
Could also do one for *.mozilla-europe.org to actually fix bug 387335. If you don't want to do a wildcard one, you can just do certs for "stage.mozilla-europe.org" and "backoffice.mozilla-europe.org" that are signed by the Mozilla Root Cert.
Summary: Need multiple wildcard SSL certificates for *.stage.mozilla.com → Need multiple wildcard SSL certificates for staging/dev/test sites
(Assignee)

Comment 6

11 years ago
(In reply to comment #3)
> As I mentioned in bug 398934, comment #2, in order to use self-signed SSL
> certificates with all browsers, 

Is this related to self-signed certs or hostname mismatches?  If I bought a cert from someone this wouldn't be an issue?

> you'll need multiple wildcard SSL certificates
> to match the different variations of sites under the staging environment. My
> initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com,
> www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there
> may easily be more needed depending on how some of the other staging sites
> work.

This is going to eat up gobs of IP addresses - is there some other way the same can be accomplished?
(Reporter)

Comment 7

11 years ago
(In reply to comment #6)
> (In reply to comment #3)
> > As I mentioned in bug 398934, comment #2, in order to use self-signed SSL
> > certificates with all browsers, 
> 
> Is this related to self-signed certs or hostname mismatches?  If I bought a
> cert from someone this wouldn't be an issue?

Hostname mismatches. You would still have the problem if you bought a *.mozilla.com wildcard SSL certificate and tried to use it with en-us.www.stage.mozilla.com. Sorry if I implied it only had to do with self-signed certificates.

> > you'll need multiple wildcard SSL certificates
> > to match the different variations of sites under the staging environment. My
> > initial list consists of *.stage.mozilla.com, *.www.stage.mozilla.com,
> > www.trunk.stage.mozilla.com, and *.www.trunk.stage.mozilla.com, though there
> > may easily be more needed depending on how some of the other staging sites
> > work.
> 
> This is going to eat up gobs of IP addresses - is there some other way the same
> can be accomplished?

If bug 398938 is fixed, you would only need certificates (and therefore IPs) for *.stage.mozilla.com, one for *.authstage.mozilla.com, one for *.php5stage.mozilla.com, and the mozilla-europe ones. You would need to rename "www.trunk.stage.mozilla.com" to "www-trunk.stage.mozilla.com" for this, but that's easy, and it wouldn't cause much trouble (just need to notify people).
(Assignee)

Comment 8

11 years ago
Generated wildcard certs for:

*.stage.mozilla.com
*.php5stage.mozilla.com
*.authstage.mozilla.com 

Resolving.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
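
The single-label wildcard rule discussed in the description and in comments 3 and 7, checked against the certificate names from comment 8. This is an added example, not part of the original bug or any Mozilla code; the function names, the `strict` flag, and the hostname `www.authstage.mozilla.com` are assumptions made for illustration, and only a whole-label `*` in the leftmost position is modelled.

```python
"""Model of wildcard certificate hostname matching (added example)."""

def wildcard_matches(pattern: str, hostname: str, strict: bool = True) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    strict=True : "*" stands for exactly one DNS label (the RFC 2818
                  reading discussed in the bug).
    strict=False: "*" may span several labels, modelling the lenient
                  behaviour the description attributes to bug 159483.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h                      # no wildcard: exact match only
    suffix = p[1:]
    if "*" in suffix or len(h) <= len(suffix):
        return False                       # wildcard must replace >= 1 label
    if h[-len(suffix):] != suffix:
        return False                       # parent domain differs
    extra = len(h) - len(suffix)           # labels the "*" would have to cover
    return extra == 1 if strict else extra >= 1

def coverage(hostnames, patterns, strict=True):
    """Map each hostname to the first pattern that covers it, or None."""
    return {
        host: next((p for p in patterns if wildcard_matches(p, host, strict)), None)
        for host in hostnames
    }

# Certificate names listed in comment 8 of the bug.
ISSUED = ["*.stage.mozilla.com", "*.php5stage.mozilla.com", "*.authstage.mozilla.com"]

# Hostnames from the bug; "www.authstage.mozilla.com" is constructed.
HOSTS = [
    "www.stage.mozilla.com",
    "en-us.www.stage.mozilla.com",
    "www.trunk.stage.mozilla.com",
    "www-trunk.stage.mozilla.com",
    "www.authstage.mozilla.com",
]

if __name__ == "__main__":
    for host, pattern in coverage(HOSTS, ISSUED).items():
        print(f"{host:32} -> {pattern or 'NOT COVERED (hostname mismatch)'}")
```

Running the same check with `strict=False` shows which hostnames only validate in a client that lets `*` span several labels.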