Closed
Bug 668917
Opened 13 years ago
Closed 13 years ago
New DNS: demo.bugzilla.org as CNAME for cg-bugs03.mozilla.org
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: mkanat, Assigned: fox2mike)
Could I get a DNS name "demo.bugzilla.org" that points to cg-bugs03.mozilla.org?
Reporter
Comment 1•13 years ago
Also a wildcard for *.demo.bugzilla.org would be appreciated.
Reporter
Comment 2•13 years ago
And *.*.demo.bugzilla.org would also be good.

Explanation: Demo installs are going to be their own domain, to prevent XSS'ing people from other domains, and also they're going to have attachment subdomains as usual, so it will look like:

bug123.asdf89yuadf.demo.bugzilla.org

when viewing an attachment.
Assignee
Comment 3•13 years ago
Like Dave's comments on these. Max, do we need SSL certs too? We don't do wildcard ssl certs anymore (though there could be exceptions), but you can't do *.* on those...
Comment 4•13 years ago
If they are demo instances, what is the need for SSL?
Comment 5•13 years ago
We could sign with Mozilla's CA Root and provide instructions for people how to add it...
Reporter
Comment 6•13 years ago
I would be happy to not have a wildcard cert and people would just have to click through the warning that says "this site has identified itself as demo.bugzilla.org" and so on. I do need a basic SSL cert for demo.bugzilla.org though--the installations take usernames and passwords.
Updated•13 years ago
Assignee: server-ops → justdave
Comment 7•13 years ago
mkanat: can you get me a CSR for demo.bugzilla.org that includes *.demo.bugzilla.org as a subjectAltName attribute?
Comment 8•13 years ago
Toss in cg-bugs03.mozilla.org as another subjectAltName too if you want, for completeness.
Comment 9•13 years ago
DNS CNAMEs are in place, should be live within 10 minutes.
Reporter
Comment 10•13 years ago
wicked, could you do the CSR generation? I know nothing about generating subjectAltName CSRs, and from what I've been reading it sounds complicated and as though there are lots of options that should be understood and gotten right.
Comment 11•13 years ago
Sure. Are they going to be Mozilla Root CA signed ones or from some public CA?
Comment 12•13 years ago
Here we go, hopefully I got the CSR right. :)
Comment 13•13 years ago
(In reply to Teemu Mannermaa (:wicked) from comment #11)
> Sure. Are they going to be Mozilla Root CA signed ones or from some public
> CA?

I was just going to sign them with the Mozilla CA. It's better than a self-signed, not quite as good as a real one. Probably good enough for demos. You can link to the root ca install instructions somewhere. Wildcards are going to be *really* expensive to get a real cert for.
Reporter
Comment 14•13 years ago
Mozilla CA is fine with me. We'll just use normal "http" for the site-creation tools, and then people will get the HTTPS warnings only when they try to access their actual demo site, which is fine with me.
Comment 15•13 years ago
Signed by Mozilla CA
Comment 16•13 years ago
Hmm, I can't see any SANs on that certificate. Did it get created correctly on the CA end or was there something wrong in my CSR?
Assignee
Comment 17•13 years ago
(In reply to Teemu Mannermaa (:wicked) from comment #16)
> Hmm, I can't see any SANs on that certificate. Did it get created correctly
> on the CA end or was there something wrong in my CSR?

I do see SANs in the CSR...

Subject: C=US, ST=California, L=Mountain View, O=Bugzilla Project, CN=demo.bugzilla.org
X509v3 Subject Alternative Name:
    DNS:demo.bugzilla.org, DNS:*.demo.bugzilla.org, DNS:cg-bugs03.mozilla.org
Comment 18•13 years ago
the CNAMEs are already set up, so you should be all set here:

demo IN CNAME cg-bugs03.mozilla.org.
*.demo IN CNAME cg-bugs03.mozilla.org.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 19•13 years ago
(In reply to Shyam Mani [:fox2mike] from comment #17)
> (In reply to Teemu Mannermaa (:wicked) from comment #16)
> > Hmm, I can't see any SANs on that certificate. Did it get created correctly
...
> I do see SANs in the CSR...

Yeah, but I can't see them in the CRT on comment 15 so that's why I'm wondering if openssl just doesn't display them by default for me or if they are indeed missing from the generated certificate.

Also, was there a place to get the Mozilla Root CA to get it saved in the chain? And do you by any chance have any public instructions about adding that root to their browser we could refer poor end users to?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 20•13 years ago
(In reply to Teemu Mannermaa (:wicked) from comment #19)
> Also, was there a place to get the Mozilla Root CA to get it saved in the
> chain? And do you by any chance have any public instructions about adding
> that root to their browser we could refer poor end users to?

https://wiki.mozilla.org/MozillaRootCertificate

And you don't need to set it up as an intermediary on the webserver, only the client needs it.
Comment 21•13 years ago
Certificate is now live at https://tools.demo.bugzilla.org/create.cgi and like you can see, the SANs that were in the CSR are missing from the generated certificate. :( Can we get a new one or what now?
Status: REOPENED → NEW
Assignee
Comment 22•13 years ago
This is actually a bug in the signing script, I'll grab this bug.
Assignee: justdave → shyam
Assignee
Comment 23•13 years ago
I've fixed the script, this is your new cert:

Running that through openssl x509 -text says:

X509v3 Subject Alternative Name:
    DNS:demo.bugzilla.org, DNS:*.demo.bugzilla.org, DNS:cg-bugs03.mozilla.org

So you should be fine. Reopen if you have any trouble.
Status: NEW → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
Comment 24•13 years ago
Yeah, now the certificate is correct. Thank you!
Status: RESOLVED → VERIFIED
Updated•9 years ago
Product: mozilla.org → mozilla.org Graveyard
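
The failure worked through in comments 16 to 23 (SANs present in the CSR, absent from the issued certificate) can be caught before deployment by comparing the two. The script below is an added example, not taken from this bug or from Mozilla's signing script: it uses a throwaway CA and reproduces the same symptom with `openssl x509 -req`, which does not copy CSR extensions unless it is given an extension source. The bug does not say what the real script's fault was, and the function names `sans`, `same_sans` and `demo` are illustrative.

```bash
#!/usr/bin/env bash
# Added example: check that an issued certificate kept the SANs its CSR asked for.

# Print the DNS SAN entries of a CSR ("req") or certificate ("x509"), sorted.
sans() {  # usage: sans req|x509 FILE
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n +2 \
    | tr ',' '\n' | sed 's/^ *//' | grep '^DNS:' | sort
}

# Succeed only if the CSR requested SANs and the certificate has the same set.
same_sans() {  # usage: same_sans CSR CERT
  [ -n "$(sans req "$1")" ] && [ "$(sans req "$1")" = "$(sans x509 "$2")" ]
}

# Build a throwaway CA (constructed, not the Mozilla CA) and sign one CSR twice.
demo() {
  d=$(mktemp -d) && cd "$d" || return 1
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = demo.bugzilla.org
[san]
subjectAltName = DNS:demo.bugzilla.org, DNS:*.demo.bugzilla.org, DNS:cg-bugs03.mozilla.org
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -config req.cnf -subj '/CN=Constructed Test CA' -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -config req.cnf 2>/dev/null
  # No extension source given: the CSR's SANs are not copied into the cert.
  openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out nosan.crt 2>/dev/null
  # SAN section supplied explicitly at signing time.
  openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile req.cnf -extensions san -out san.crt 2>/dev/null
  for c in nosan.crt san.crt; do
    if same_sans srv.csr "$c"; then echo "$c: SANs match CSR"
    else echo "$c: SANs MISSING or different"; fi
  done
}

demo
```

Running `same_sans` on the returned certificate before installing it turns a dropped extension into a failed check instead of a browser name-mismatch warning on the live site.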