Closed Bug 828981 Opened 11 years ago Closed 11 years ago

unknown issuer vhost for mozqa.com

Categories

(Mozilla QA Graveyard :: Infrastructure, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: daniela.p98911, Assigned: bburton)

References

Details

(Whiteboard: [blocked by bug 811869])

A self-signed certificate is needed on the mozqa.com site and it should return sec_error_unknown_issuer error. 

This is needed in order to re-enable and update the mozmill automation test - testUnknownIssuer.js which used an external site that changed.

This is not the same as the sec_error_untrusted_issuer error that the current https://ssl-selfsigned.mozqa.com site returns.
Blocks: 763159
This also depends on bug 811869.
Whiteboard: [blocked by bug 811869]
(In reply to Daniela Petrovici from comment #0)
> A self-signed certificate is needed on the mozqa.com site and it should
> return sec_error_unknown_issuer error. 
> 
> This is needed in order to re-enable and update the mozmill automation test
> - testUnknownIssuer.js which used an external site that changed.
> 
> This is not the same as not sec_error_untrusted_issuer error that the
> current https://ssl-selfsigned.mozqa.com site returns.

Can you provide some details on the steps to generate this with either certutil or openssl?
Assignee: nobody → bburton
Does the following information help? Looks like we should not include the certificate chain file in the apache config.

http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer
You don't want a self-signed cert.

You want a cert that is issued by another cert.
Don't publish the signer cert anywhere, to ensure nobody will accidentally fail your new test.
Don't configure the signer as a chain (intermediate) cert.

I will give you certutil commands.
mkdir /tmp/d
cd /tmp/d
certutil -d . -N  # create an empty NSS database; press enter twice (no password)
echo testing > noise   # seed file used for key generation (-z)
certutil -d . -S -n "ca" -s "CN=test ca" -t C,C,C -x -m 0 -v 600 -z noise   # self-signed (-x) CA cert, trusted as a CA only in this local database
certutil -d . -S -n any-nickname -s "CN=your-server-hostname.domain" -c ca -t ,, -m 1 -v 600 -z noise   # server cert issued by "ca" (-c ca), no trust flags
pk12util -o server.p12 -n any-nickname -d .             # export server cert + private key as PKCS#12; press enter twice
openssl pkcs12  -in server.p12 -out server.pem -nodes   # convert to PEM with an unencrypted key; press enter once

Now use the contents of file server.pem:
- Create a file server.key that contains only the PRIVATE KEY section.
- Create a file server.crt that contains only one of the BEGIN CERT sections. The one you need is preceded by subject=/CN=your-server-hostname.domain
- Don't copy the subject=/CN=test ca cert anywhere, because you want an "unknown issuer" error.

The above produces a cert that is valid for 600 months.
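As an added example (not part of Kai's comment or of this bug), the same issuer setup built with openssl instead of certutil, followed by the check that matters: the server cert verifies only when the private CA is supplied, and otherwise fails with verify error 20 (unable to get local issuer certificate), the condition Firefox reports as sec_error_unknown_issuer. The CN values are the placeholders from the comment, the function names are mine, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the bug: build a server cert signed by a private CA
# with openssl, then show that verification fails with "unable to get local
# issuer certificate" (error 20) whenever that CA is absent from the trust
# store, and succeeds once it is present. Assumes openssl is on PATH.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_CN="test ca"                          # placeholder CN from the comment
SERVER_CN="your-server-hostname.domain"  # placeholder CN from the comment

gen_certs() {
  # Private signer: a self-signed CA. This file must never be published or
  # configured as a chain cert on the vhost, or the error goes away.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 2>/dev/null
  # Server key + CSR, then sign the CSR with the private CA. Only server.key
  # and server.crt are deployed on the web server.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server.crt" 2>/dev/null
  # An unrelated CA standing in for the client's trust store: it has no
  # relation to the server cert, just like the public roots in Firefox.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=other ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" -days 365 2>/dev/null
}

# Verify against a store that lacks the signer. Prints the numeric verify
# error (20 = unable to get local issuer certificate), or nothing on success.
verify_without_issuer() {
  openssl verify -CAfile "$WORK/other.crt" "$WORK/server.crt" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Verify with the signer present: prints OK. This is why the signer must not
# be published; a client that has it would never hit the error.
verify_with_issuer() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>/dev/null \
    | sed -n 's/.*: OK$/OK/p'
}

gen_certs
echo "issuer absent:  verify error $(verify_without_issuer)"
echo "issuer present: $(verify_with_issuer)"
```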
Thanks Kaie for the information!
I've generated the certificate and installed it in Zeus

Initial testing works

-> % curl -v -k https://ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com
* About to connect() to ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com port 443 (#0)
*   Trying 63.245.215.92...
* connected
* Connected to ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com (63.245.215.92) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: CN=ssl-selfsigned-unknownissuer.mozqa.com
* 	 start date: 2013-04-12 22:12:28 GMT
* 	 expire date: 2013-04-12 22:12:28 GMT
* 	 common name: ssl-selfsigned-unknownissuer.mozqa.com (does not match 'ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com')
* 	 issuer: CN=unknownissuer ca
* 	 SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 12 Apr 2013 22:41:16 GMT
< Server: Apache
< X-Backend-Server: mozqa1.qa.scl3.mozilla.com
< Content-Length: 220
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /error/noindex.html
on this server.</p>
</body></html>
* Connection #0 to host ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

But final testing will need to wait for mozqa.com to move so we can set up DNS
Status: NEW → ASSIGNED
This is set up, but waiting on the cutover in bug 811869 to get a mozqa.com subdomain and be testable
Summary: Generate a self signed certificate for mozqa.com site that can return an error about unknown issuer → unknown issuer vhost for mozqa.com
(In reply to Brandon Burton [:solarce] from comment #8)
> This is setup, but waiting on the cutover in bug 811869 to get a mozqa.com
> subdomain and be testable

This is now live and ready to test at ssl-unknownissuer.mozqa.com
Works perfectly for me. Thanks Brandon! Closing as fixed.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: Mozilla QA → Mozilla QA Graveyard