Closed Bug 522864 Opened 16 years ago Closed 16 years ago

bad cert on public site?

Categories

(mozilla.org Graveyard :: Server Operations, task)

Product:
mozilla.org Graveyard
Component:
Server Operations
Platform:
x86
macOS
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 505031

People

(Reporter: samuel.sidler+old, Assigned: chizu)

References

(
URL
)

Details

A couple of people have reported this link when discussing the blocklist that we added recently: https://en-gb.www.mozilla.com/en-GB/blocklist/ I'm not sure how they get there (just check the blocklist from an en-GB build?), but the page currently shows the following error: Secure Connection Failed en-gb.www.mozilla.com uses an invalid security certificate. The certificate is only valid for *.mozilla.com (Error code: ssl_error_bad_cert_domain) It shouldn't do that, especially since we're pointing users there. I consider this critical because we're actively sending users to this site and it's not allowing them to see important information. (Note: This likely applies to many, if not all, locales.)
here a "me too" for de-DE locale: - get a 3.6 beta1 build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6b1-candidates/build1/win32/ (same for l10n trunk/MC builds) - extras/addons/plugins + hit the "update" button to get above mentioned message btw, shouldn't the button rather point to https://www.mozilla.com/(locale)/plugincheck/? that's what the button does in en-US builds.
Sam, When did this site go live? It's because en-gb.www.mozilla.com != *.mozilla.com..so..this probably needs a new SSL certificate for *.www.mozilla.com
Also, this is just a 302... trinity:~ shyam$ curl -I https://en-gb.www.mozilla.com/en-GB/blocklist/ HTTP/1.0 302 Found Date: Sat, 17 Oct 2009 14:22:04 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.1.6 Location: https://www.mozilla.com/en-US/blocklist/ Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: NSC_npa-dpn-ttm=4451663b3660;expires=Sat, 17-Oct-09 14:24:56 GMT;path=/ I'm wondering why we're doing en-gb.www.mozilla.com/en-GB/... Skip the first en-GB and make www.mozilla.com/en-GB/destination redirect to https://www.mozilla.com/en-US/destination? And for the record, I'm just throwing out some ideas..I don't know the design of these URLs and what they're doing...so someone more knowledgeable should chip in :)
Bug 522877 comment #6. Bug 468526 - http://hg.mozilla.org/releases/mozilla-1.9.1/rev/273b9ecef4b7 - that pushed out the change to HTTPS but the server side (www.mozilla.com) still does the LOCALE redirect. This change doesn't appear to have been tested correctly and nobody in Operations was aware of this (SSL is costly cpu, requires some scalability planning). Short term fix, buy new certificate, setup new vserver, change DNS. In the short term this will have to go on the Netscaler since *.www.mozilla.com behind Zeus has never been through QA or Metrics signoff.
(and make sure logging works - shouldn't change where logs go)
So, the original url is https://www.mozilla.com/LOCALE/blocklist/, and if I look at wget with all redirects, it seems that some redirect from www.mozilla.com to en-gb.www.mozilla.com is bad. That might be somewhere in the path of language fallback for 404s. Note that the same redirects happens for plain http:, too. I understood the plan to be to drop the ab-cd.www.mozilla.com urls alltogether, so not redirecting there looks like the right thing to do. workbook:tmp axelhecht$ wget --no-check-certificate https://www.mozilla.com/en-GB/blocklist/ --2009-10-17 20:04:01-- https://www.mozilla.com/en-GB/blocklist/ Auflösen des Hostnamen »www.mozilla.com«.... 93.184.220.20 Verbindungsaufbau zu www.mozilla.com|93.184.220.20|:443... verbunden. WARNUNG: Kann das Zertifikat von »www.mozilla.com« nicht prüfen, ausgestellt von »/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA«:. Die Authorität des Ausstellers des Zertifikates kann lokal nicht geprüft werden. WARNUNG: Der Common Name »edgecastcdn.net« des Zertifikates entspricht nicht dem angeforderten Hostname »www.mozilla.com«. HTTP Anforderung gesendet, warte auf Antwort... 302 Found Platz: https://en-GB.www.mozilla.com/en-GB/blocklist/[folge] --2009-10-17 20:04:03-- https://en-gb.www.mozilla.com/en-GB/blocklist/ Auflösen des Hostnamen »en-gb.www.mozilla.com«.... 63.245.209.10 Verbindungsaufbau zu en-gb.www.mozilla.com|63.245.209.10|:443... verbunden. WARNUNG: Kann das Zertifikat von »en-gb.www.mozilla.com« nicht prüfen, ausgestellt von »/C=US/O=Equifax/OU=Equifax Secure Certificate Authority«:. Die Authorität des Ausstellers des Zertifikates kann lokal nicht geprüft werden. WARNUNG: Der Common Name »*.mozilla.com« des Zertifikates entspricht nicht dem angeforderten Hostname »en-gb.www.mozilla.com«. HTTP Anforderung gesendet, warte auf Antwort... 302 Found Platz: https://www.mozilla.com/en-US/blocklist/[folge] --2009-10-17 20:04:04-- https://www.mozilla.com/en-US/blocklist/ Wiederverwendung der bestehenden Verbindung zu www.mozilla.com:443. HTTP Anforderung gesendet, warte auf Antwort... 200 OK Länge: 18908 (18K) [text/html] In »index.html« speichern.
The correct, quickest, and cheapest solution to this problem is just to fix bug 454299.
I agree with reed here and am hesitant to push out changes to prod load balancers over the weekend, assuming I can even get an SSL cert before Monday anyways.
Assignee: server-ops → thardcastle
Waiting on bug 454299 unless we can get a cert earlier.
Depends on: 454299
Isn't this a dup on bug 505031 ?
Dup or related, yes.
Status: NEW → RESOLVED
Closed: 16 years ago
No longer depends on: 454299
Resolution: --- → DUPLICATE
Verified duplicate
Status: RESOLVED → VERIFIED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.