Closed Bug 693104 Opened 14 years ago Closed 14 years ago

gravel missing intermediate certificate for GeoTrust

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: reed, Assigned: justdave)

Details

gravel is missing the intermediate certificate for GeoTrust that both sand and concrete have. It's causing IRC clients to throw verification failures for gravel SSL.
Actually, I think all three servers have different certificate chains... Just take a look:
$ openssl s_client -connect gravel.mozilla.org:6697
CONNECTED(00000003)
depth=0 /serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
Server certificate
subject=/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
$ openssl s_client -connect sand.mozilla.org:6697
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
$ openssl s_client -connect concrete.mozilla.org:6697
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=jJNoDeAj2XruggOCC/9OznpNC/MoRdVu/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla IT/CN=irc.mozilla.org
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
No, right the first time. gravel is just broken.
OK, so I copied over the cert file from sand to gravel...
19:47:15 [gravel] !gravel.mozilla.org *** Notice -- [SSL rehash] Failed to load SSL certificate server.cert.pem
It's got the identical ownership and permissions, and I verified that the md5sum of the file matches on both servers. Reloading on sand works just fine. I'm clueless?
Assignee: server-ops → justdave
I just did a full restart of gravel (rather than a rehash) and it successfully picked up the new certificate. I don't know why it wouldn't rehash.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
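
The chain comparison done by hand in this bug can be scripted. The following is an added example, not part of the original bug report: it parses the "Certificate chain" section of openssl s_client output and reports a server that sends only its leaf certificate. The sample text is constructed (abbreviated from the output quoted above, with the leaf subject shortened), and treating GeoTrust Global CA as a root in the client's trust store is an assumption.

```python
import re

# Assumption: the client's trust store holds this root (subject as s_client prints it).
TRUSTED_ROOTS = {"/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"}

LEAF = "/C=US/O=Mozilla Corporation/CN=irc.mozilla.org"   # shortened leaf subject
INTERMEDIATE = "/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA"

# Constructed samples, abbreviated from the s_client output quoted in the bug.
SAMPLES = {
    "gravel": f"CONNECTED(00000003)\n---\nCertificate chain\n"
              f" 0 s:{LEAF}\n   i:{INTERMEDIATE}\n---\nServer certificate\n",
    "sand":   f"CONNECTED(00000003)\n---\nCertificate chain\n"
              f" 0 s:{LEAF}\n   i:{INTERMEDIATE}\n"
              f" 1 s:{INTERMEDIATE}\n   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA\n"
              f"---\nServer certificate\n",
}

def parse_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    section = re.search(r"^Certificate chain\n(.*?)^---$", text, re.S | re.M)
    if not section:
        return []
    subjects = re.findall(r"^\s*\d+ s:(.+)$", section.group(1), re.M)
    issuers = re.findall(r"^\s+i:(.+)$", section.group(1), re.M)
    return list(zip(subjects, issuers))

def chain_problems(chain, roots=TRUSTED_ROOTS):
    """Name-level check only: it compares DN strings and verifies no signatures."""
    if not chain:
        return ["no certificates sent"]
    problems = []
    # Each certificate must be issued by the next one in the list.
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            problems.append(f"cert {n} is not issued by cert {n + 1}")
    # The last certificate sent must chain directly to a trusted root.
    last_subject, last_issuer = chain[-1]
    if last_issuer not in roots and last_subject not in roots:
        problems.append(f"chain stops at issuer not in trust store: {last_issuer}")
    return problems

def audit(samples=SAMPLES):
    """Map each host to the list of chain problems found in its output."""
    return {host: chain_problems(parse_chain(out)) for host, out in samples.items()}

if __name__ == "__main__":
    for host, problems in audit().items():
        print(host, "OK" if not problems else problems)
```
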