Closed Bug 671424 Opened 13 years ago Closed 11 years ago

Wrong certificate presented for ringring.mv.mozilla.com and others

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

x86
All
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kang, Assigned: justdave)

References

Details

Links taken from:
https://intranet.mozilla.org/Voicemail_access

The certificate should match the URL, currently https://ringring.mv.mozilla.com presents you with the certificate for https://ringring.office.mozilla.org which of course will display a certificate warning in Firefox.

It's also possible that those URLs are deprecated, in such case they should probably either redirect or be deleted (also from the intranet wiki)

This website has the same issue:
https://caadm01.ca.mozilla.com/

I couldn't test the Paris and China ones because they're not currently reachable
Shyam, can you get new CSRs generated for these?
Assignee: server-ops → shyam
OK, these hosts are all only for internal use, so they "should" have certificates signed with the Mozilla CA (https://wiki.mozilla.org/MozillaRootCertificate)

China is reachable for me.  It appears to have a CA-signed cert from Equifax for mail.cn.mozilla.com on it currently, which is wrong.  We'll need to fix that one.  mail.cn.mozilla.com hasn't been on that box in ages.

The hostnames are all in a state of flux at the moment.  I'm not sure what the official designated ones should be.

Probably our best bet for now is to redo the MozillaCA-signed certs and put SubjectAltNames in them to match all of the domain names commonly in use for them.
Assignee: shyam → justdave
Paris:
  asterisk1.par1.mozilla.com
  ringring.par1.mozilla.com

Beijing:
  asterisk1.pek2.mozilla.com
  ringring.pek2.mozilla.com
  cn-adminoffice01.cn.mozilla.com
  cn-adminoffice01.office.mozilla.org

Toronto:
  asterisk1.tor1.mozilla.com
  ringring.tor1.mozilla.com
  caadm01.ca.mozilla.com
  caadm01.office.mozilla.org

Mountain View:
  asterisk1.mtv1.mozilla.com
  ringring.mtv1.mozilla.com
  ringring.mv.mozilla.com
  ringring.office.mozilla.org
Shyam, can we get certs made from the MozillaCA with the above combinations of cn and subjectAltName on them?

Thanks.

Even if we redirect the old domains, we should probably have them as valid in the cert to avoid domain mismatches on the route through the redirects...
Assignee: justdave → shyam
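The per-site name lists and the redirect point in the comment above are exactly what a subjectAltName check has to cover. What follows is an added example, not code from this bug or from Mozilla's infrastructure: it models a certificate's CN and dNSName SANs and applies the RFC 6125 matching rules a browser uses, so you can list which of the Mountain View names would still produce a warning against the certificate the bug reports. That certificate is modelled as an assumption, as a CN-only cert for ringring.office.mozilla.org; the bug does not say whether it carries SANs. The example also shows why a CNAME alias such as ringring.SITE must itself be in the cert: the client matches the name it dialed, not the name the CNAME resolves to, and the same holds for every hop of a redirect chain.

```python
"""Which hostnames does a presented certificate actually cover?

Added example, not part of bug 671424 or Mozilla's tooling. It applies the
RFC 6125 name-matching rules that browsers implement to a modelled
certificate identity (subject CN plus subjectAltName dNSNames).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertIdentity:
    """The DNS identities a server certificate asserts."""
    subject_cn: str
    san_dns: frozenset = frozenset()  # subjectAltName dNSName entries

    def presented_names(self):
        # RFC 6125 s6.4.4: if any dNSName SAN is present the CN is ignored;
        # only a SAN-less legacy certificate falls back to the CN.
        return self.san_dns if self.san_dns else frozenset({self.subject_cn})


def _labels(name):
    return name.lower().rstrip(".").split(".")


def match_dns_name(presented, reference):
    """Compare one presented identifier (possibly '*.example.com') against
    the hostname the client connected to, RFC 6125 s6.4.3 style."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    # Wildcard rules browsers enforce: a single '*' that is the entire
    # leftmost label, at least two labels to its right, matching exactly
    # one label (so *.mozilla.com does not cover pbx1.par1.mozilla.com).
    if p[0] != "*" or "*" in presented[2:] or len(p) < 3:
        return False
    return len(r) == len(p) and p[1:] == r[1:]


def cert_covers(cert, hostname):
    return any(match_dns_name(n, hostname) for n in cert.presented_names())


def uncovered(cert, hostnames):
    """Names in `hostnames` that would raise a certificate mismatch warning
    (a redirect chain is just such a list: every hop's name must be covered)."""
    return [h for h in hostnames if not cert_covers(cert, h)]


def proposed_cert(names):
    """CN = first name, and every name (CN included) repeated in the SAN,
    which is the per-site certificate the comment above asks for."""
    return CertIdentity(subject_cn=names[0], san_dns=frozenset(names))


# Constructed from the Mountain View list in the comment above.
MV_NAMES = [
    "asterisk1.mtv1.mozilla.com",
    "ringring.mtv1.mozilla.com",
    "ringring.mv.mozilla.com",
    "ringring.office.mozilla.org",
]

# What the bug reports is served on ringring.mv.mozilla.com: a certificate
# for ringring.office.mozilla.org only. Modelled here as CN-only, which is
# an assumption; the bug does not say whether that cert has SANs.
CURRENT_MV_CERT = CertIdentity(subject_cn="ringring.office.mozilla.org")


if __name__ == "__main__":
    print("still mismatching:", uncovered(CURRENT_MV_CERT, MV_NAMES))
    print("after SAN cert:   ", uncovered(proposed_cert(MV_NAMES), MV_NAMES))
```

Two details worth checking against a real deployment: a certificate that does carry SANs gets no CN fallback at all, so putting the primary name only in the CN and the aliases only in the SAN breaks the primary name; and a wildcard such as *.mtv1.mozilla.com covers one label only, so it would not save a name like ringring.mv.mozilla.com in a different zone.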
Dave, 

What are the current domains? (so I can include those too in the certs)

Punt back when that list is ready?

Ravi,

Can you vet the list of names in comment #3 and confirm that it matches our convention?
Assignee: shyam → justdave
Moving forward the only hosts that should exist are:

  asterisk1.SITE.mozilla.com
  ringring.SITE.mozilla.com (CNAME to asterisk1)

All others will eventually be deprecated.
Assignee: justdave → shyam
Don't hate me, but check out bug 679959 comment 1.
Yeah, it's one of the reasons I've left this open and haven't done anything :)

Also, if we're doing self-signed certificates, anyone can get them.

I'm in the loop in case we need to get GeoTrust certificates. What are we doing here? GeoTrust or self-signed?
Back to Dave, re-assign as needed. Instructions for self-signed (by the Mozilla root cert) are on the wiki - https://mana.mozilla.org/wiki/display/SYSADMIN/SSL+Certificates

If you want GeoTrust certs, please file bugs with CSRs and I'll get the certs for you.
Assignee: shyam → justdave
OK, no ringring except for Mountain View for backward compatibility.

pbx1.voip.SITE.mozilla.com
pbx1.SITE.mozilla.com

I just generated one for Paris using that scheme, signed with the Mozilla CA and deployed.  The cert there was for froffice01 and expired two months ago.
How are we doing "one true hostname" for these boxes?  People have to be able to put a domain name into their softphone clients and have it work whether they're in the office or not.  Right now we have pbx1.par1.mozilla.com which resolves to 64.213.97.197 even inside the office, and pbx1.voip.par1.mozilla.com which resolves to 10.243.40.4.  Is 64.213.97.197 going to be routable from inside the office (or can it be made to be)?  

[root@pbx1 ~]# traceroute 64.213.97.197
traceroute to 64.213.97.197 (64.213.97.197), 30 hops max, 40 byte packets
 1  10.243.40.1 (10.243.40.1)  0.296 ms  0.273 ms  0.412 ms
 2  * * *
What is the next action to move this forward?  Were the certs ever installed?
They all need to be done over because of the Mozilla CA getting re-created.  I'll file individual bugs.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
I'll leave this here as a tracker and file blockers.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 777812
Status: REOPENED → NEW
Component: Server Operations → Server Operations: Web Operations
QA Contact: mrz → cshields
All dependent bugs resolved, closing this too.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard