Closed Bug 668917 Opened 13 years ago Closed 13 years ago

New DNS: demo.bugzilla.org as CNAME for cg-bugs03.mozilla.org

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mkanat, Assigned: fox2mike)

References

Details

Could I get a DNS name "demo.bugzilla.org" that points to cg-bugs03.mozilla.org?
Also a wildcard for *.demo.bugzilla.org would be appreciated.
And *.*.demo.bugzilla.org would also be good.

Explanation:

Demo installs are going to be their own domain, to prevent XSS'ing people from other domains, and also they're going to have attachment subdomains as usual, so it will look like:

  bug123.asdf89yuadf.demo.bugzilla.org

When viewing an attachment.
Like Dave's comments on these.

Max, do we need SSL certs too? We don't do wildcard ssl certs anymore (though there could be exceptions), but you can't do *.* on those...
If they are demo instances, what is the need for SSL?
We could sign with Mozilla's CA Root and provide instructions for people how to add it...
I would be happy to not have a wildcard cert and people would just have to click through the warning that says "this site has identified itself as demo.bugzilla.org" and so on.

I do need a basic SSL cert for demo.bugzilla.org though--the installations take usernames and passwords.
Assignee: server-ops → justdave
mkanat: can you get me a CSR for demo.bugzilla.org that includes *.demo.bugzilla.org as a subjectAltName attribute?
Toss in cg-bugs03.mozilla.org as another subjectAltName too if you want, for completeness.
DNS CNAMEs are in place, should be live within 10 minutes.
Blocks: 655477
wicked, could you do the CSR generation? I know nothing about generating subjectAltName CSRs, and from what I've been reading it sounds complicated and as though there are lots of options that should be understood and gotten right.
Sure. Are they going to be Mozilla Root CA signed ones or from some public CA?
Here we go, hopefully I got the CSR right. :)

-----BEGIN CERTIFICATE REQUEST-----
[PEM body omitted]
-----END CERTIFICATE REQUEST-----
(In reply to Teemu Mannermaa (:wicked) from comment #11)
> Sure. Are they going to be Mozilla Root CA signed ones or from some public
> CA?

I was just going to sign them with the Mozilla CA.  It's better than a self-signed, not quite as good as a real one.  Probably good enough for demos.  You can link to the root ca install instructions somewhere.  Wildcards are going to be *really* expensive to get a real cert for.
Mozilla CA is fine with me. We'll just use normal "http" for the site-creation tools, and then people will get the HTTPS warnings only when they try to access their actual demo site, which is fine with me.
Signed by Mozilla CA

-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Hmm, I can't see any SANs on that certificate. Did it get created correctly on the CA end or was there something wrong in my CSR?
(In reply to Teemu Mannermaa (:wicked) from comment #16)
> Hmm, I can't see any SANs on that certificate. Did it get created correctly
> on the CA end or was there something wrong in my CSR?

I do see SANs in the CSR...

Subject: C=US, ST=California, L=Mountain View, O=Bugzilla Project, CN=demo.bugzilla.org

X509v3 Subject Alternative Name: 
DNS:demo.bugzilla.org, DNS:*.demo.bugzilla.org, DNS:cg-bugs03.mozilla.org
The CNAMEs are already set up, so you should be all set here:

demo        IN  CNAME   cg-bugs03.mozilla.org.
*.demo      IN  CNAME   cg-bugs03.mozilla.org.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to Shyam Mani [:fox2mike] from comment #17)
> (In reply to Teemu Mannermaa (:wicked) from comment #16)
> > Hmm, I can't see any SANs on that certificate. Did it get created correctly
...
> I do see SANs in the CSR...

Yeah, but I can't see them in the CRT on comment 15 so that's why I'm wondering if openssl just doesn't display them by default for me or if they are indeed missing from the generated certificate.

Also, was there a place to get the Mozilla Root CA to get it saved in the chain? And do you by any chance have any public instructions about adding that root to their browser we could refer poor end users to?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Teemu Mannermaa (:wicked) from comment #19)
> Also, was there are place to get the Mozilla Root CA to get it saved in the
> chain? And do you by any chance have any public instructions about adding
> that root to their browser we could refer poor end users to?

https://wiki.mozilla.org/MozillaRootCertificate

And you don't need to set it up as an intermediary on the webserver, only the client needs it.
Certificate is now live at https://tools.demo.bugzilla.org/create.cgi and, as you can see, the SANs that were in the CSR are missing from the generated certificate. :( Can we get a new one or what now?
Status: REOPENED → NEW
This is actually a bug in the signing script, I'll grab this bug.
Assignee: justdave → shyam
I've fixed the script, this is your new cert:

-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----

Running that through openssl x509 -text says:

X509v3 Subject Alternative Name: 
DNS:demo.bugzilla.org, DNS:*.demo.bugzilla.org, DNS:cg-bugs03.mozilla.org

So you should be fine. Reopen if you have any trouble.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
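The thread's failure mode (SANs present in the CSR, absent from the signed certificate) is a classic one: a signing step that does not carry the CSR's requested extensions into the issued cert. The following is an added example, not the CSR, the certificate or the signing script from this bug. It generates a CSR with the same three SAN entries as the thread's CSR, signs it with a throwaway test CA both the naive way (openssl x509 -req, which ignores requested extensions by default) and with the SAN extension passed explicitly, and checks each artifact with openssl -text the way the commenters did. It assumes openssl is on PATH; the CA name, file paths and the test CA itself are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug thread): CSR with subjectAltName, two signing
# paths, and a check of which artifacts actually carry the SANs.
# Assumes: openssl on PATH. All paths and the test CA are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# Names from the thread's CSR; the CA below is a constructed throwaway, not Mozilla's.
CN="demo.bugzilla.org"
SANS="DNS:demo.bugzilla.org,DNS:*.demo.bugzilla.org,DNS:cg-bugs03.mozilla.org"

# openssl req config that places the SANs in the CSR's requested extensions
# (works on old and new openssl; newer builds could use -addext instead).
write_req_config() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $CN
[v3_req]
subjectAltName = $SANS
EOF
}

make_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -config "$WORK/req.cnf" >/dev/null 2>&1
}

make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Test CA (constructed)" -days 1 >/dev/null 2>&1
}

# Naive signing: openssl x509 -req does not copy the CSR's requested extensions
# unless told to, so the SANs silently disappear from the issued certificate.
sign_dropping_sans() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/nosan.crt" >/dev/null 2>&1
}

# Fixed signing: hand the SAN extension to the signer explicitly via -extfile.
sign_keeping_sans() {
  printf 'subjectAltName=%s\n' "$SANS" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/san.crt" >/dev/null 2>&1
}

# Print the DNS:... line following "Subject Alternative Name" in a CSR or cert;
# prints nothing when the extension is absent. $1 = req|x509, $2 = file.
san_line() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 only if every entry of $SANS appears in the artifact's SAN line.
# Iterates over the comma list with parameter expansion so the "*" is never globbed.
has_all_sans() {
  line=$(san_line "$1" "$2")
  rest="$SANS,"
  while [ -n "$rest" ]; do
    name="${rest%%,*}"; rest="${rest#*,}"
    case "$line" in *"$name"*) ;; *) return 1 ;; esac
  done
  return 0
}

run_demo() {
  make_csr
  make_test_ca
  sign_dropping_sans
  sign_keeping_sans
  echo "CSR SANs:        $(san_line req  "$WORK/server.csr")"
  echo "naive cert SANs: $(san_line x509 "$WORK/nosan.crt")"
  echo "fixed cert SANs: $(san_line x509 "$WORK/san.crt")"
}

run_demo
```

The second line of output is empty, which is exactly what wicked observed on the first certificate: the CSR was fine, the signer discarded the requested extensions. Whether the fix belongs in an -extfile, in a copy_extensions = copy setting for openssl ca, or in a different CA tool depends on the signing script; the check itself is the same openssl x509 -noout -text run on the issued certificate, and it is worth running before a cert goes live, since browsers match the host against the SAN list, not the CN, when SANs are present.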
Yeah, now the certificate is correct. Thank you!
Status: RESOLVED → VERIFIED
Product: mozilla.org → mozilla.org Graveyard