Closed Bug 663801 Opened 13 years ago Closed 13 years ago

Firefox 7.0a1 20110606030709 win32 build autoupdate is broken due aus3.mozilla.org certificate chain error

Categories

(mozilla.org Graveyard :: Server Operations, task)

Product:
mozilla.org Graveyard
Component:
Server Operations
Platform:
All
Windows 7
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: unghost, Assigned: oremj)

References

Details

Attachments

(2 files)

Screenshot of the bug
72.77 KB, image/png
Details
Traceroute to aus3.mozilla.org
2.13 KB, text/plain
Details
Attached image Screenshot of the bug 
Firefox 7.0a1 20110606030709 win32 build doesn't update to last nightly build. Looks like it happens due aus3.mozilla.org certificate chain error, see screenshot.

Update log in Error console:

AUS:SVC getLocale - getting locale from file: C:\Program Files\Nightly\update.locale, locale: ru

AUS:SVC Checker:getUpdateURL - update URL: https://aus3.mozilla.org/update/3/Firefox/7.0a1/20110606030709/WINNT_x86-msvc/ru/nightly/Windows_NT%206.1/default/default/update.xml?force=1

AUS:SVC gCanCheckForUpdates - able to check for updates

AUS:SVC Checker:checkForUpdates - sending request to: https://aus3.mozilla.org/update/3/Firefox/7.0a1/20110606030709/WINNT_x86-msvc/ru/nightly/Windows_NT%206.1/default/default/update.xml?force=1

Attempt to use JS function on a different thread calling nsIPrivateBrowsingService.privateBrowsingEnabled. JS objects may not be shared across threads.

AUS:SVC Checker:onError - request.status: 2153390067

AUS:SVC getStatusTextFromCode - transfer error: XML-файл обновления повреждён (200), default code: 200
OpenSSL connection to aus3.mozilla.org:

OpenSSL> s_client -connect aus3.mozilla.org:443

Loading 'screen' into random state - done

CONNECTED(00000190)

depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System

/CN=aus3.mozilla.org

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System

/CN=aus3.mozilla.org

verify error:num=27:certificate not trusted

verify return:1

depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System

/CN=aus3.mozilla.org

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

 0 s:/C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN

=aus3.mozilla.org

   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA

---

Server certificate

-----BEGIN CERTIFICATE-----

MIID8DCCAtigAwIBAgIPHo0PQBH+rUi2pI5wWXilMA0GCSqGSIb3DQEBBQUAMDwx

CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxUaGF3dGUsIEluYy4xFjAUBgNVBAMTDVRo

YXd0ZSBTU0wgQ0EwHhcNMTEwNTE5MDAwMDAwWhcNMTIwODEwMjM1OTU5WjCBiTEL

MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcUDU1vdW50

YWluIFZpZXcxEDAOBgNVBAoUB01vemlsbGExIDAeBgNVBAsUF0F1dG9tYXRpYyBV

cGRhdGUgU3lzdGVtMRkwFwYDVQQDFBBhdXMzLm1vemlsbGEub3JnMIIBIjANBgkq

hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7EJOsW+hiviPXPa+FlGYC8AQAEY5+DJ9

2M1AfGbBk5trjNhxMFpIW8qlsTsLHWrWjBFA5Wx9uad+O8GWuLUvhzeP6hq8NyGm

mT6oBc85zMcSru/gVo3H+TbZSsWaTDi0zyQSY6nByLiFbabB02zqQCBDZg26V5ME

uOIVdzV5IJ1s38tC/urddv7qXHqovOc7jejxafGzLqNxry0/QUf45IrtUbFslApV

xPt9lZBbO3SYEzFpEC+ZW5PjnDeRmeq8wxRj0TH9Yr2j0cEhyHzT5wqtM228Wt5x

4dc9UzZQq2O6rjWw2q9lxuMSYvKLTM4Llme5/HUoyXwuFV3BgF/h5wIDAQABo4Gg

MIGdMAwGA1UdEwEB/wQCMAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1v

di1jcmwudGhhd3RlLmNvbS9UaGF3dGVPVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUH

AwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov

L29jc3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAZildECw0IfMrAs4t

ZqIomeAyo0T+JQj1O1M9vq0p5rcyhhuOiG3DjuKbTWREaT9nCGE4IdAiSVejNPRI

7WYACjFd/YVsKuEr7F6by003yeFfgDJ/oSeSUv2vk4K/gReEDV0P5fAC9YzHeirq

EXxpXzygG1eofguWeqlHhYX1uAfmvyeQr3qgMQZwbaEqkOiP6BmNnsVq2xUJNezh

TJWhbaeZr0sN8y68GU97YXayKrutIN88biHeYv9nh8Mr9PctpWwOFRqxmfHN8a31

iwd63Xg1VeUwnSY2doozDbVNgC+w3mPUh4zLYPY4GrJPpBaOAA9Nj4KygAYcgMgf

PQ/zUA==

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System

/CN=aus3.mozilla.org

issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA

---

No client certificate CA names sent

---

SSL handshake has read 1186 bytes and written 460 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-SHA

Server public key is 2048 bit

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : SSLv3

    Cipher    : RC4-SHA

    Session-ID: 6E4AF031391F782B4534C6F1C0EEEF341C898BF2C660B4B836AF453B574163CC



    Session-ID-ctx:

    Master-Key: D2C62902C4A25E8466DF9146092417704CBB601F0392D0521FE2582C2B91153E

3FF0C315CAEF24B7D2DEF7F7CDE2B22D

    Key-Arg   : None

    Start Time: 1307972110

    Timeout   : 300 (sec)

    Verify return code: 21 (unable to verify the first certificate)

---

read:errno=0

    
    

    
  
If this is indeed the case, it's probably a ServerOps bug, and pretty serious. I can reproduce, too:
OpenSSL> s_client -connect aus3.mozilla.org:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN=aus3.mozilla.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN=aus3.mozilla.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN=aus3.mozilla.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN=aus3.mozilla.org
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIPHo0PQBH+rUi2pI5wWXilMA0GCSqGSIb3DQEBBQUAMDwx
CzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxUaGF3dGUsIEluYy4xFjAUBgNVBAMTDVRo
YXd0ZSBTU0wgQ0EwHhcNMTEwNTE5MDAwMDAwWhcNMTIwODEwMjM1OTU5WjCBiTEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcUDU1vdW50
YWluIFZpZXcxEDAOBgNVBAoUB01vemlsbGExIDAeBgNVBAsUF0F1dG9tYXRpYyBV
cGRhdGUgU3lzdGVtMRkwFwYDVQQDFBBhdXMzLm1vemlsbGEub3JnMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7EJOsW+hiviPXPa+FlGYC8AQAEY5+DJ9
2M1AfGbBk5trjNhxMFpIW8qlsTsLHWrWjBFA5Wx9uad+O8GWuLUvhzeP6hq8NyGm
mT6oBc85zMcSru/gVo3H+TbZSsWaTDi0zyQSY6nByLiFbabB02zqQCBDZg26V5ME
uOIVdzV5IJ1s38tC/urddv7qXHqovOc7jejxafGzLqNxry0/QUf45IrtUbFslApV
xPt9lZBbO3SYEzFpEC+ZW5PjnDeRmeq8wxRj0TH9Yr2j0cEhyHzT5wqtM228Wt5x
4dc9UzZQq2O6rjWw2q9lxuMSYvKLTM4Llme5/HUoyXwuFV3BgF/h5wIDAQABo4Gg
MIGdMAwGA1UdEwEB/wQCMAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1v
di1jcmwudGhhd3RlLmNvbS9UaGF3dGVPVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov
L29jc3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEAZildECw0IfMrAs4t
ZqIomeAyo0T+JQj1O1M9vq0p5rcyhhuOiG3DjuKbTWREaT9nCGE4IdAiSVejNPRI
7WYACjFd/YVsKuEr7F6by003yeFfgDJ/oSeSUv2vk4K/gReEDV0P5fAC9YzHeirq
EXxpXzygG1eofguWeqlHhYX1uAfmvyeQr3qgMQZwbaEqkOiP6BmNnsVq2xUJNezh
TJWhbaeZr0sN8y68GU97YXayKrutIN88biHeYv9nh8Mr9PctpWwOFRqxmfHN8a31
iwd63Xg1VeUwnSY2doozDbVNgC+w3mPUh4zLYPY4GrJPpBaOAA9Nj4KygAYcgMgf
PQ/zUA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Mozilla/OU=Automatic Update System/CN=aus3.mozilla.org
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1169 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: B6F131B3018C5C4B127EA162622EFF68E0C496C0C88928284E20DCFE51B65ED2
    Session-ID-ctx: 
    Master-Key: 276B6379DD30047686CF42223E07160502C43E68933C68D2D69F65B70978EB38C0BB5E1634324073B310D0E8D59DF940
    Key-Arg   : None
    Start Time: 1307973764
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
Assignee: nobody → server-ops
Severity: normal → critical
Component: Release Engineering → Server Operations
QA Contact: release → mrz

    
    

    
  
Bug 663792 is dup of this bug (or vice versa)

    
    

    
  
I think I know why this is happening, fixing.
Assignee: server-ops → shyam

    
  
Assignee: shyam → jeremy.orem+bugs

    
    

    
  
Looks like we were missing an intermediate. Should be fixed now.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Verified.
Status: RESOLVED → VERIFIED
Product: mozilla.org → mozilla.org Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: