Closed
Bug 799836
Opened 13 years ago
Closed 12 years ago
SSL cert on https://hacks.mozilla.org/ is untrusted
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: joduinn, Assigned: jd)
Details
(Whiteboard: [triaged 20121010] [change - SSL])
Attachments
(1 file: 61.98 KB, image/png)
(Not sure what is correct components, please reassign as needed.)
Attempting to browse to "https://hacks.mozilla.org/2012/10/creating-the-future-of-mobile-with-firefox-os/", I hit the following error:
This Connection is Untrusted
You have asked Firefox to connect securely to hacks.mozilla.org, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Technical Details:
hacks.mozilla.org uses an invalid security certificate.
The certificate is only valid for tbpl.mozilla.org
(Error code: ssl_error_bad_cert_domain)
Updated•13 years ago
Assignee: server-ops → server-ops-webops
Component: Server Operations → Server Operations: Web Operations
QA Contact: jdow → cshields
Comment 1•13 years ago
What build of Firefox and what OS are you seeing this on? It appears your connection is not respecting http://en.wikipedia.org/wiki/Server_Name_Indication
Priority: -- → P3
Whiteboard: [triaged 20121010]
Comment 2•13 years ago (Reporter)
(In reply to Brandon Burton [:solarce] from comment #1)
> What build of Firefox and what OS are you seeing this on? It appears your
> connection is not respecting
> http://en.wikipedia.org/wiki/Server_Name_Indication
OSX 10.7.5
Firefox 16.0.0 (release), buildID#20121005155445
Comment 3•13 years ago
This is a problem with Firefox. I don't know if it affects other browsers.
See bug 540547, which was duped to bug 450280. That's the most relevant thing I've been able to find on this issue. I'm commenting on it now.
We can (and have) considered separate IPs for every site, but that ends up being a much bigger hassle to administrate, and I'm not even sure we have enough IPs to actually do that... especially with plans to multi-home as much as possible in multiple datacenters and use some form of global load balancing.
Comment 4•13 years ago
:joduinn... I'm assuming this is an intermittent issue, correct? You were generally able to browse hacks.mozilla.org, but then it failed (at least once), and subsequently works again?
If it's hard-down all the time then we might have a different issue at play...
Comment 5•13 years ago
Also do you have any funny addons installed? Some of them seem to break on SNI.
Comment 6•13 years ago
(In reply to Shyam Mani [:fox2mike] from comment #5)
> Some of them seem to break on SNI.
ORLY? Which ones?
Comment 7•13 years ago (Reporter)
(In reply to Jake Maul [:jakem] from comment #4)
> :joduinn... I'm assuming this is an intermittent issue, correct? You were
> generally able to browse hacks.mozilla.org, but then it failed (at least
> once), and subsequently works again?
>
> If it's hard-down all the time then we might have a different issue at
> play...
Nothing intermittent here. I'm consistently unable to access hacks.mozilla.org. Most annoying is that I don't get even the way to click ignore and go ahead to view the site anyway.
Comment 8•13 years ago
Have you tried closing and re-opening Firefox? Bug 450280 indicates that Firefox has some sort of cache for this particular thing, causing it to be unwilling to retry the failed TLSv1.0 handshake.
Comment 9•13 years ago
Hi!
This has been happening to me too, on hacks.mozilla.org, and on blog.mozilla.org (and a few other sites). My data:
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Firefox v. 16.0.2.
I'm using HTTPS-Everywhere 3.0.3 and HTTPS Finder 0.85 if that is relevant.
Comment 10•13 years ago
This looks similar to #791762 and #797881.

BTW, with HTTPS-Everywhere disabled it is still happening.
Comment 11•13 years ago (Reporter)
(In reply to John O'Duinn [:joduinn] from comment #7)
> (In reply to Jake Maul [:jakem] from comment #4)
> > :joduinn... I'm assuming this is an intermittent issue, correct? You were
> > generally able to browse hacks.mozilla.org, but then it failed (at least
> > once), and subsequently works again?
> >
> > If it's hard-down all the time then we might have a different issue at
> > play...
>
> Nothing intermittent here. I'm consistently unable to access
> hacks.mozilla.org. Most annoying is that I don't get even the way to click
> ignore and go ahead to view the site anyway.
ping?
Comment 12•13 years ago
See http://news.ycombinator.com/item?id=4753967.
We should give up on SNI. The world is just not ready for it. Even if we improve Firefox's implementation, 50% of deployed Android devices cannot handle it, and many IE machines cannot handle it either.
Updated•12 years ago
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Comment 13•12 years ago (Assignee)
We have changed around how we are handling SSL certs. We are generally moving from single hosted SNI certs to SAN certs. A number of web properties were previously moved to separate IPs in an attempt to alleviate this pain in high traffic areas. While our work on this front is not yet complete, the majority of high traffic sites, and all sites mentioned herein, are now on a SAN cert.
Given this I will close this bug out, however please do not hesitate to reopen if the issue persists.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 14•12 years ago
Excuse my ignorance, but looking at the comments above I see no patch or resolution and the original reporter has not reported that the issue has been resolved. So why is the issue marked resolved?
I am seeing this problem using Firefox 25.0 on Ubuntu 13.04.
Comment 15•12 years ago
screenshot of the error
Comment 16•12 years ago
Ha! Yep, it looks like the new SAN cert does not contain this particular record... probably because the existing cert doesn't expire until 2015, so it wasn't on the radar for the first pass. Reopening until we get it updated... we'll add it.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•12 years ago
Whiteboard: [triaged 20121010] → [triaged 20121010] [change - SSL]
Updated•12 years ago (Assignee)
Assignee: server-ops-webops → jcrowe
Comment 17•12 years ago (Assignee)
I confused this domain with another when I closed this previously. This domain has been added to the SAN for real now :)
Cheers
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
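The failure mode this bug went through, modeled as an added example (not part of the original bug thread and not Mozilla's configuration): a client that omits SNI receives the server's default certificate, and a shared SAN certificate only helps for the names it actually lists. The certificate contents and the functions `select_cert`, `handshake` and `uncovered` are constructed for illustration.

```python
# Added illustration, not Mozilla's configuration: a model of one IP address
# serving several HTTPS sites. All certificate contents below are constructed.

def name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def select_cert(vhost_certs, default_cert, sni):
    """Server side: pick the certificate by SNI, else fall back to the default."""
    if sni is not None and sni.lower() in vhost_certs:
        return vhost_certs[sni.lower()]
    return default_cert

def handshake(vhost_certs, default_cert, host, client_sends_sni):
    """Client side: returns 'ok' or the error code quoted in the bug report."""
    cert = select_cert(vhost_certs, default_cert, host if client_sends_sni else None)
    return "ok" if cert_valid_for(cert, host) else "ssl_error_bad_cert_domain"

def uncovered(sites, san_cert):
    """Audit: hosted sites that a shared SAN certificate does not list."""
    return [s for s in sites if not cert_valid_for(san_cert, s)]

SITES = ["hacks.mozilla.org", "blog.mozilla.org", "tbpl.mozilla.org"]
# Layout 1: one certificate per site, chosen by SNI; tbpl is the default vhost.
PER_SITE = {s: [s] for s in SITES}
DEFAULT = PER_SITE["tbpl.mozilla.org"]
# Layout 2: one SAN certificate for every site on the IP.
SAN_FIRST_PASS = ["blog.mozilla.org", "tbpl.mozilla.org"]  # constructed: one name left out
SAN_COMPLETE = SITES

if __name__ == "__main__":
    for sni in (True, False):
        print("per-site certs, SNI sent:", sni, handshake(PER_SITE, DEFAULT, "hacks.mozilla.org", sni))
    print("missing from first-pass SAN:", uncovered(SITES, SAN_FIRST_PASS))
    print("complete SAN, no SNI:", handshake({}, SAN_COMPLETE, "hacks.mozilla.org", False))
```

Running `uncovered` against the list of hosted names before deploying a new SAN certificate catches the omission that reopened this bug.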