ringring's SSL certificate is no longer valid

RESOLVED FIXED

Status

Infrastructure & Operations
Telecom
P3
normal
6 years ago
4 years ago

People

(Reporter: justdave, Assigned: justdave)

Details

(Whiteboard: [triaged 20120824])

"The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure."

This started with yesterday's Aurora update.
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields

Comment 1

6 years ago
What's the URL / domain name for this?
ringring.mv.mozilla.com with a SAN for ringring.office.mozilla.org
Assignee: server-ops-webops → server-ops
Component: Server Operations: Web Operations → Server Operations
QA Contact: cshields → jdow
/me needs to shift-reload before commenting on bugs in restored tabs
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: jdow → cshields
This is a MozillaCA cert, fwiw.

Comment 5

6 years ago
From:

http://www.mozilla.org/en-US/firefox/16.0a2/auroranotes/

I found:

https://bugzilla.mozilla.org/show_bug.cgi?id=650355


If I'm not mistaken, the only way for us to fix this is to generate a new Mozilla CA cert.

This would also mean that every cert we have that Firefox might in some way reach is going to have this problem.

Comment 6

6 years ago
This bug is now about replacing ringring's SSL cert with one signed by a new Mozilla CA... which I will open a new bug about creating. I don't see a good way around this, apart from simply purchasing certs and abandoning the concept of an internal CA.

Updated

6 years ago
Depends on: 780316

Updated

6 years ago
Whiteboard: [waiting][Mozilla CA Cert]

Updated

6 years ago
Group: infra

Updated

6 years ago
Severity: minor → normal
Priority: -- → P3
Whiteboard: [waiting][Mozilla CA Cert] → [triaged 20120824][waiting][Mozilla CA Cert]

Comment 7

6 years ago
As far as I can tell this in fact does not have any SAN records on it... however since I'm replacing it anyway, the new one will. :)

* common name: ringring.office.mozilla.org (does not match 'ringring.mv.mozilla.com')
Whiteboard: [triaged 20120824][waiting][Mozilla CA Cert] → [triaged 20120824]

Comment 8

6 years ago
The new cert/key is generated and signed. I don't know how to install it on this device/service however... is that something you can do?

If so, you can fetch the cert/key from ssl1.private.phx1:

/root/root-ca/ringring.office.mozilla.org.crt
/root/root-ca/ringring.office.mozilla.org.key


Moving this to Server Operations: Telecom... seems like the logical next step.
Assignee: server-ops-webops → server-ops-telecom
Component: Server Operations: Web Operations → Server Operations: Telecom
QA Contact: cshields → jdow
And soon it'll be pbx1.voip.mtv1.mozilla.com...  but we're stalling on using that name for the new hardware to be put in place.

For the record, it's just apache.  Installs the same way it does on every other apache. :)

Certificate has been replaced and tested, all looks good.
Assignee: server-ops-telecom → justdave
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Product: mozilla.org → Infrastructure & Operations
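
A pre-deployment check for the two problems reported in this bug (a signature algorithm the browser rejects, and a certificate that does not name the host being visited), as an added example that is not part of the original bug or Mozilla's tooling. The function names, the list of algorithms treated as weak and the throwaway self-signed certificate are assumptions; it needs OpenSSL 1.1.1 or later and matches SAN entries literally, without wildcard handling.

```shell
#!/bin/sh
# Added example: checks a certificate file before it is installed.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sigalg() {
  openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm:/ {print $3; exit}'
}

# Succeed if the name denotes an MD2/MD5/SHA-1 based signature
# (assumed weak list; the bug does not name the disabled algorithm).
is_weak_sigalg() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    md2*|md5*|sha1*|*-sha1|*withsha1) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if HOST appears as a literal DNS entry in the SAN extension.
# The common name is deliberately ignored.
san_has_host() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# usage: check_cert CERT HOST...   returns 0 only if every check passes
check_cert() {
  cert=$1; shift; rc=0
  alg=$(sigalg "$cert")
  if is_weak_sigalg "$alg"; then echo "FAIL: weak signature algorithm $alg"; rc=1; fi
  for h in "$@"; do
    san_has_host "$cert" "$h" || { echo "FAIL: no SAN entry for $h"; rc=1; }
  done
  return $rc
}

# Constructed sample: throwaway self-signed cert carrying both names from the bug.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=ringring.office.mozilla.org" \
    -addext "subjectAltName=DNS:ringring.office.mozilla.org,DNS:ringring.mv.mozilla.com" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/sample"
check_cert "$tmp/sample.crt" ringring.office.mozilla.org ringring.mv.mozilla.com &&
  echo "OK: $(sigalg "$tmp/sample.crt"), both names present"
rm -rf "$tmp"
```

Run `check_cert` against the real `.crt` with every hostname clients use; a certificate with only a common name fails the SAN check by design.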