Status

Infrastructure & Operations
WebOps: Other
--
major
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: clouserw, Assigned: solarce)

Tracking

Details

(Reporter)

Description

6 years ago
Sounds like it's using the cert for another domain occasionally.  See https://forums.mozilla.org/addons/viewtopic.php?f=30&t=8143

Updated

6 years ago
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields

Comment 1

6 years ago
Well, for me there is nothing occasional or intermittent about it...
I tried logging out and then deleting the tbpl.mozilla.org certificate that was previously offered and accepted in order to allow me access to forums.mozilla.org, but I got the exact same behavior - same invalid certificate notification screen and no forum access until I accepted that certificate.
I'm still wondering if other users are getting access to https://forums.mozilla.org without any certificate, or if they have one and if so, for which site, forums.mozilla.org or tbpl.mozilla.org?
(Assignee)

Comment 2

6 years ago
I am investigating.
Assignee: server-ops → bburton
Status: NEW → ASSIGNED
(Assignee)

Comment 3

6 years ago
Previously this was getting SSL due to a wildcard certificate that we're no longer using, per security policies, so when this site was migrated to our PHX DC (as the previous servers are being retired) SSL is defaulting to the base certificate for the cluster this site is on.

I'm opening a bug to get a new certificate for this site purchased.
(Reporter)

Comment 4

6 years ago
(In reply to Brandon Burton [:solarce] from comment #3)
> Previously this was getting SSL due to a wildcard certificate that we're no
> longer using, per security policies, so when this site was migrated to our
> PHX DC (as the previous servers are being retired) SSL is defaulting to the
> base certificate for the cluster this site is on.
> 
> I'm opening a bug to get a new certificate for this site purchased.

I guess I had a cached cert on my other machine - I'm seeing the problem here also now.  Please link to the certificate bug and an ETA once you file it.  Thanks.
(Assignee)

Comment 5

6 years ago
Upon further review, I found https://bugzilla.mozilla.org/show_bug.cgi?id=705095 and confirmed that https://forum(s).addons.mozilla.org just redirects to https://forums.mozilla.org/addons/ , so is there really any reason to not just disable SSL for those two names and let HTTP be the redirect?
(Reporter)

Comment 6

6 years ago
Disabling SSL would break all the links, right?  Do we know what amount of traffic they get?

The old URL used to be forums.a.m.o so we preserved that link - I assume it gets a decent amount of traffic.
(Assignee)

Comment 7

6 years ago
I don't know about traffic levels and I don't think it's a site we do metrics on. I'll see about getting that name added to the forums.m.o cert to preserve the links.
(Assignee)

Updated

6 years ago
Depends on: 746271
(Reporter)

Updated

6 years ago
Duplicate of this bug: 746549
(Assignee)

Comment 9

6 years ago
The certificate should be issued by Monday and we'll get it in place as soon as we have it.
(Assignee)

Comment 10

6 years ago
OK, the new certificate has been installed and the ZLB updated with both hostnames. curl is happy with both, as shown below:

bburton@andesite ~/code/mozilla/ssl$ curl -v https://forums.addons.mozilla.org/                                   ✭master ‹1.9.2-p290›
* About to connect() to forums.addons.mozilla.org port 443 (#0)
*   Trying 63.245.217.86... connected
* Connected to forums.addons.mozilla.org (63.245.217.86) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: serialNumber=X4lTjzgoB7hSLlal5BN2j3zuYsNfjRvM; C=US; ST=California; L=Mountain View; O=Mozilla Foundation; OU=IT; CN=forums.mozilla.org
* 	 start date: 2012-04-18 07:53:26 GMT
* 	 expire date: 2014-04-21 22:50:14 GMT
* 	 subjectAltName: forums.addons.mozilla.org matched
* 	 issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: forums.addons.mozilla.org
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: Apache
< X-Backend-Server: generic1
< Content-Type: text/html; charset=iso-8859-1
< Date: Sat, 21 Apr 2012 00:00:20 GMT
< Location: https://forums.mozilla.org/addons/
< X-Cache-Info: not cacheable; response is 302 without expiry time
< Content-Length: 218
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://forums.mozilla.org/addons/">here</a>.</p>
</body></html>
* Connection #0 to host forums.addons.mozilla.org left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

bburton@andesite ~/code/mozilla/ssl$ curl -v https://forum.addons.mozilla.org/                                    ✭master ‹1.9.2-p290›
* About to connect() to forum.addons.mozilla.org port 443 (#0)
*   Trying 63.245.217.86... connected
* Connected to forum.addons.mozilla.org (63.245.217.86) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: serialNumber=X4lTjzgoB7hSLlal5BN2j3zuYsNfjRvM; C=US; ST=California; L=Mountain View; O=Mozilla Foundation; OU=IT; CN=forums.mozilla.org
* 	 start date: 2012-04-18 07:53:26 GMT
* 	 expire date: 2014-04-21 22:50:14 GMT
* 	 subjectAltName: forum.addons.mozilla.org matched
* 	 issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
* 	 SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: forum.addons.mozilla.org
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: Apache
< X-Backend-Server: generic2
< Content-Type: text/html; charset=iso-8859-1
< Date: Sat, 21 Apr 2012 00:00:33 GMT
< Location: https://forums.mozilla.org/addons/
< X-Cache-Info: not cacheable; response is 302 without expiry time
< Content-Length: 218
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://forums.mozilla.org/addons/">here</a>.</p>
</body></html>
* Connection #0 to host forum.addons.mozilla.org left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
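
Added example (not part of the bug thread and not Mozilla's tooling): a coverage check of the kind that would flag this failure before a migration, by comparing every hostname a load balancer serves against the SAN entries of the certificate it will present. The SAN lists are constructed sample data based on names mentioned in the comments above, and the wildcard entry is hypothetical, included only to show that a wildcard stands for a single label.

```python
# Added example: do the certificate's SAN entries cover every served hostname?
# All SAN lists are constructed sample data, not read from real certificates.

def name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label; partial wildcards such as f*.example are refused.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels to the right of the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def uncovered(served_hosts, san_dns_names):
    """Return the served hostnames that no SAN entry covers."""
    return [host for host in served_hosts
            if not any(name_matches(san, host) for san in san_dns_names)]


# Hostnames discussed in the thread.
SERVED = ["forums.mozilla.org",
          "forums.addons.mozilla.org",
          "forum.addons.mozilla.org"]

# Constructed: the cluster's base certificate (comment 1 was offered tbpl.mozilla.org).
CLUSTER_DEFAULT_SANS = ["tbpl.mozilla.org"]
# Hypothetical wildcard, not the certificate mentioned in comment 3.
WILDCARD_SANS = ["*.mozilla.org"]
# Constructed from the curl output in comment 10 (assumes the CN is also a SAN).
NEW_CERT_SANS = ["forums.mozilla.org",
                 "forums.addons.mozilla.org",
                 "forum.addons.mozilla.org"]


def audit():
    """Map each candidate certificate to the served names it fails to cover."""
    candidates = {"cluster default": CLUSTER_DEFAULT_SANS,
                  "hypothetical wildcard": WILDCARD_SANS,
                  "new certificate": NEW_CERT_SANS}
    return {label: uncovered(SERVED, sans) for label, sans in candidates.items()}


if __name__ == "__main__":
    for label, missing in audit().items():
        print(f"{label}: {'OK' if not missing else 'NOT COVERED: ' + ', '.join(missing)}")
```
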
(Reporter)

Updated

6 years ago
Blocks: 749273
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations