Closed
Bug 777812
Opened 12 years ago
Closed 12 years ago
ringring's SSL certificate is no longer valid
Categories
(Infrastructure & Operations :: Telecom, task, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: justdave, Assigned: justdave)
References
Details
(Whiteboard: [triaged 20120824])
"The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure." This started with yesterday's Aurora update.
Updated•12 years ago
|
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields
Comment 1•12 years ago
|
||
What's the URL / domain name for this?
Assignee | ||
Comment 2•12 years ago
|
||
ringring.mv.mozilla.com with a SAN for ringring.office.mozilla.org
Assignee: server-ops-webops → server-ops
Component: Server Operations: Web Operations → Server Operations
QA Contact: cshields → jdow
Assignee | ||
Comment 3•12 years ago
|
||
/me needs to shift-reload before commenting on bugs in restored tabs
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: jdow → cshields
Assignee | ||
Comment 4•12 years ago
|
||
This is a MozillaCA cert, fwiw.
Comment 5•12 years ago
|
||
From: http://www.mozilla.org/en-US/firefox/16.0a2/auroranotes/ I found: https://bugzilla.mozilla.org/show_bug.cgi?id=650355 If I'm not mistaken, the only way for us to fix this is to generate a new Mozilla CA cert. This would also mean that every cert we have that Firefox might in some way reach is going to have this problem.
Comment 6•12 years ago
|
||
This bug is now about replacing ringring's SSL cert with one signed by a new Mozilla CA... which I will open a new bug about creating. I don't see a good way around this, apart from simply purchasing certs and abandoning the concept of an internal CA.
Updated•12 years ago
|
Whiteboard: [waiting][Mozilla CA Cert]
Updated•12 years ago
|
Group: infra
Updated•12 years ago
|
Severity: minor → normal
Priority: -- → P3
Whiteboard: [waiting][Mozilla CA Cert] → [triaged 20120824][waiting][Mozilla CA Cert]
Comment 7•12 years ago
|
||
As far as I can tell this in fact does not have any SAN records on it... however since I'm replacing it anyway, the new one will. :) * common name: ringring.office.mozilla.org (does not match 'ringring.mv.mozilla.com')
Whiteboard: [triaged 20120824][waiting][Mozilla CA Cert] → [triaged 20120824]
Comment 8•12 years ago
|
||
The new cert/key is generated and signed. I don't know how to install it on this device/service however... is that something you can do? If so, you can fetch the cert/key from ssl1.private.phx1: /root/root-ca/ringring.office.mozilla.org.crt /root/root-ca/ringring.office.mozilla.org.key Moving this to Server Operations: Telecom... seems like the logical next step.
Assignee: server-ops-webops → server-ops-telecom
Component: Server Operations: Web Operations → Server Operations: Telecom
QA Contact: cshields → jdow
Assignee | ||
Comment 9•12 years ago
|
||
And soon it'll be pbx1.voip.mtv1.mozilla.com... but we're stalling on using that name for the new hardware to be put in place. For the record, it's just apache. Installs the same way it does on every other apache. :) Certificate has been replaced and tested, all looks good.
Assignee: server-ops-telecom → justdave
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Product: mozilla.org → Infrastructure & Operations
You need to log in
before you can comment on or make changes to this bug.
Description
•