Right now, all https://*.momo.com goes through the same SSL backend, which has client cert authentication enabled, but optional. That needs to be split up into 2 separate backends, so it's not optional, but required where it's needed. Possibly, split them into 3, anon/optional/required, but don't keep them the same. This bit me once I installed my client cert in Thunderbird, and all of a sudden, AUS pings prompted me for my client cert.
DNS finally propagated all over, done.

# Never ask for client certs
$> host aus.mozillamessaging.com
aus.mozillamessaging.com is an alias for production.mozillamessaging.com.

# Accept client certs optionally
$> host build.mozillamessaging.com
build.mozillamessaging.com is an alias for ssl-opt-production.mozillamessaging.com.

# Require client certs
$> host buildbot-admin.mozillamessaging.com
buildbot-admin.mozillamessaging.com is an alias for ssl-cert-production.mozillamessaging.com.
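
An added illustration of the anon/optional/required split described in this bug, not configuration taken from the bug or from the actual deployment. It assumes nginx as the TLS terminator; the 192.0.2.x addresses, file paths and upstream port are constructed placeholders.

```nginx
# These server blocks belong inside the http {} context.
# One listener per policy, so a host that must never prompt for a
# client cert cannot inherit the "optional" setting from a shared backend.

# Backend 1: never ask for client certs (anonymous traffic such as update pings)
server {
    listen 192.0.2.10:443 ssl;                # placeholder address
    server_name aus.mozillamessaging.com;
    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path
    ssl_verify_client off;                    # no CertificateRequest is sent
    location / { proxy_pass http://127.0.0.1:8080; } # placeholder upstream
}

# Backend 2: accept client certs optionally
server {
    listen 192.0.2.11:443 ssl;                # placeholder address
    server_name build.mozillamessaging.com;
    ssl_certificate        /etc/nginx/tls/server.crt;
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # CA that issues client certs
    ssl_verify_client optional;               # handshake succeeds without a cert
    location / {
        # Overwrite any client-supplied header so the upstream can trust it:
        # the value is SUCCESS, NONE, or FAILED:<reason>.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Backend 3: require client certs
server {
    listen 192.0.2.12:443 ssl;                # placeholder address
    server_name buildbot-admin.mozillamessaging.com;
    ssl_certificate        /etc/nginx/tls/server.crt;
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;                     # requests without a valid cert are rejected
    location / {
        proxy_set_header X-Client-DN $ssl_client_s_dn;  # verified subject for the upstream
        proxy_pass http://127.0.0.1:8080;
    }
}
```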