Closed
Bug 828981
Opened 12 years ago
Closed 12 years ago
unknown issuer vhost for mozqa.com
Categories
(Mozilla QA Graveyard :: Infrastructure, defect)
Mozilla QA Graveyard
Infrastructure
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: daniela.p98911, Assigned: bburton)
References
Details
(Whiteboard: [blocked by bug 811869])
A self-signed certificate is needed on the mozqa.com site and it should return sec_error_unknown_issuer error.
This is needed in order to re-enable and update the mozmill automation test - testUnknownIssuer.js which used an external site that changed.
This is not the same as the sec_error_untrusted_issuer error that the current https://ssl-selfsigned.mozqa.com site returns.
Comment 2•12 years ago
(In reply to Daniela Petrovici from comment #0)
> A self-signed certificate is needed on the mozqa.com site and it should
> return sec_error_unknown_issuer error.
>
> This is needed in order to re-enable and update the mozmill automation test
> - testUnknownIssuer.js which used an external site that changed.
>
> This is not the same as the sec_error_untrusted_issuer error that the
> current https://ssl-selfsigned.mozqa.com site returns.
Can you provide some details on the steps to generate this with either certutil or openssl?
Assignee: nobody → bburton
Comment 3•12 years ago
Does the following information help? Looks like we should not include the certificate chain file in the apache config.
http://stackoverflow.com/questions/275878/firefox-and-ssl-sec-error-unknown-issuer
Comment 4•12 years ago
You don't want a self-signed cert.
You want a cert that is issued by another cert.
Don't publish the signer cert anywhere, to ensure nobody will accidentally fail your new test.
Don't configure the signer as a chain (intermediate) cert.
I will give you certutil commands.
Comment 5•12 years ago
mkdir /tmp/d
cd /tmp/d
certutil -d . -N # press enter twice
echo testing > noise
certutil -d . -S -n "ca" -s "CN=test ca" -t C,C,C -x -m 0 -v 600 -z noise
certutil -d . -S -n any-nickname -s "CN=your-server-hostname.domain" -c ca -t ,, -m 1 -v 600 -z noise
pk12util -o server.p12 -n any-nickname -d . # press enter twice
openssl pkcs12 -in server.p12 -out server.pem -nodes # press enter once
Now use the contents of file server.pem:
- Create a file server.key that contains only the PRIVATE KEY section.
- Create a file server.crt that contains only one of the BEGIN CERT sections. The one you need is preceded by subject=/CN=your-server-hostname.domain
- Don't copy the subject=/CN=test ca cert anywhere, because you want an "unknown issuer" error.
The above produces a cert that is valid for 600 months.
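The recipe in comment 5 redone with openssl instead of certutil, as an added example that is not part of the bug or of Mozilla's own setup. It generates a private CA, issues a server certificate from it, and then shows why this differs from a self-signed certificate: a client that has never seen the CA fails with OpenSSL verify error 20 (unable to get local issuer certificate, the same result curl prints in comment 7), whereas a self-signed certificate fails with error 18 (self-signed certificate at depth 0). The hostnames, directory names and the "test ca" subject are assumptions chosen for the example; the mapping of those two OpenSSL codes onto NSS's sec_error_unknown_issuer and sec_error_untrusted_issuer is an approximate correspondence, not something the bug states.

```shell
#!/bin/sh
# Added example (not from the bug): reproduce the "unknown issuer" setup with
# openssl and check which verify error each certificate produces.
set -eu

# Generate a private CA and a server certificate issued by it.
# The CA certificate is written to DIR/ca.crt for signing only; as comment 4
# says, it must not be published or configured as a chain/intermediate cert.
# DIR and HOST are caller-supplied; the values used below are made up.
gen_unknown_issuer_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # 1. CA key + CSR, then self-sign it with CA:TRUE so openssl accepts it as an issuer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=test ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
  # 2. Server key + CSR (comment 5 uses -v 600 months; 3650 days is used here).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  # 3. Sign the server cert with the CA. A subjectAltName is added because
  #    modern browsers no longer match the hostname against CN alone.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# For contrast: a plain self-signed certificate, the kind that produces an
# "untrusted issuer" rather than an "unknown issuer" error.
gen_self_signed_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/self.key" -out "$dir/self.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 3650 -in "$dir/self.csr" \
    -signkey "$dir/self.key" -out "$dir/self.crt" >/dev/null 2>&1
}

# Print the OpenSSL X509 verify error number for CERT (0 means OK).
# With no CAFILE the default trust store is disabled, so the result is what a
# client that has never seen the private CA would get.
verify_error_code() {
  cert=$1; cafile=${2:-}
  if [ -n "$cafile" ]; then
    out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1 || true)
  else
    out=$(openssl verify -no-CAfile -no-CApath "$cert" 2>&1 || true)
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  printf '%s\n' "${code:-0}"
}

# Classify a certificate as a client with an empty trust store would see it.
# 20 = unable to get local issuer certificate (issuer absent: "unknown issuer")
# 18 = self-signed certificate at depth 0 (issuer present but untrusted)
classify_cert() {
  case "$(verify_error_code "$1")" in
    0)  echo trusted ;;
    20) echo unknown-issuer ;;
    18) echo self-signed ;;
    *)  echo other ;;
  esac
}

# Stand-alone demo: DEMO_DIR=/tmp/d sh thisfile.sh
if [ -n "${DEMO_DIR:-}" ]; then
  gen_unknown_issuer_cert "$DEMO_DIR" ssl-unknownissuer.example.test
  gen_self_signed_cert "$DEMO_DIR" ssl-selfsigned.example.test
  echo "server.crt: $(classify_cert "$DEMO_DIR/server.crt")"
  echo "self.crt:   $(classify_cert "$DEMO_DIR/self.crt")"
fi
```

Serve only server.crt and server.key on the vhost; per comments 3 and 4, do not add ca.crt as a chain or intermediate file, since the whole point is that the client cannot locate the issuer. Keep ca.crt offline and verify with `openssl verify -CAfile ca.crt server.crt` before deploying so that a real chain error is not mistaken for the intended one.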
Comment 6•12 years ago
Thanks Kaie for the information!
Comment 7•12 years ago
I've generated the certificate and installed it in Zeus.
Initial testing works:
-> % curl -v -k https://ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com
* About to connect() to ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com port 443 (#0)
* Trying 63.245.215.92...
* connected
* Connected to ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com (63.245.215.92) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: CN=ssl-selfsigned-unknownissuer.mozqa.com
* start date: 2013-04-12 22:12:28 GMT
* expire date: 2013-04-12 22:12:28 GMT
* common name: ssl-selfsigned-unknownissuer.mozqa.com (does not match 'ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com')
* issuer: CN=unknownissuer ca
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 12 Apr 2013 22:41:16 GMT
< Server: Apache
< X-Backend-Server: mozqa1.qa.scl3.mozilla.com
< Content-Length: 220
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /error/noindex.html
on this server.</p>
</body></html>
* Connection #0 to host ssl-selfsigned-unknownissuer-mozqa-zlb.vips.scl3.mozilla.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
But final testing will need to wait for mozqa.com to move so we can set up DNS.
Status: NEW → ASSIGNED
Comment 8•12 years ago
This is set up, but waiting on the cutover in bug 811869 to get a mozqa.com subdomain and be testable.
Updated•12 years ago
Summary: Generate a self signed certificate for mozqa.com site that can return an error about unknown issuer → unknown issuer vhost for mozqa.com
Comment 9•12 years ago
(In reply to Brandon Burton [:solarce] from comment #8)
> This is set up, but waiting on the cutover in bug 811869 to get a mozqa.com
> subdomain and be testable.
This is now live and ready to test at ssl-unknownissuer.mozqa.com.
Comment 10•12 years ago
Works perfectly for me. Thanks Brandon! Closing as fixed.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•6 years ago
Product: Mozilla QA → Mozilla QA Graveyard