Closed Bug 934140 Opened 11 years ago Closed 11 years ago

Wrong SSL cert for (www.)firefox.com

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jld, Assigned: cturra)

Details

Several problems arise when attempting to load https://firefox.com (as opposed to http://firefox.com):

1. It presents a certificate for www.mozilla.com.
2. If user overrides the certificate error, the response is a challenge for Mozilla LDAP authentication (!).
3. If authentication/authorization succeeds, the result is a 404.
4. None of this works at all over IPv6, because the address in the AAAA record on firefox.com isn't listening on port 443, but the address in the A record is. Those addresses reverse-resolve to static-non-ssl.zlb.phx.mozilla.net and static.zlb.phx.mozilla.net, which might explain why this is the case.
Assignee: nobody → server-ops-webops
Component: Other → WebOps: SSL and Domain Names
OS: Linux → All
Product: Websites → Infrastructure & Operations
QA Contact: nmaul
Hardware: x86_64 → All
Summary: https://firefox.com is broken → Wrong SSL cert for (www.)firefox.com
Version: unspecified → other
as you have pointed out, there is no ssl certificate for {www.}firefox.com and it's configured through our static non-ssl load balancer traffic ip group (tig). that said, due to the way we use sni (server name indication) on a similar tig, these https requests were failing over to another internal service that required ldap auth.

i found where this was happening and added an apache redirect rule to catch these requests and redirect them off the same way as non-ssl requests do. *note: i looked through the logs and there are close to zero requests for this via https, so i see no value in adding full support for ssl.

$ curl -ILk https://www.firefox.com
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: pp-web03
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 04 Nov 2013 07:08:51 GMT
Location: https://www.mozilla.org/firefox/?utm_source=firefox-com&utm_medium=referral
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Cache-Info: caching

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
Vary: Accept-Language, Accept-Encoding
X-Backend-Server: bedrock2.webapp.scl3.mozilla.com
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Location: https://www.mozilla.org/en-US/firefox/?utm_source=firefox-com&utm_medium=referral
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
X-Backend-Server: bedrock4.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Location: https://www.mozilla.org/en-US/firefox/new/?utm_source=firefox-com&utm_medium=referral
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: bedrock5.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching
Assignee: server-ops-webops → cturra
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
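The two failure modes in this bug (a certificate issued for a different name being presented for firefox.com, and port 443 being reachable on the A address but not the AAAA address) are easy to miss when checking a hostname by hand, because a single `curl` only tries one address. The script below is an added example, not part of the bug or of Mozilla's infrastructure: it resolves every A and AAAA address for a hostname, performs a verified TLS handshake with SNI against each one, and classifies the outcome per address. The hostname and port are assumed parameters; the name-matching helper implements the usual single-leftmost-label wildcard rule so that a certificate for www.mozilla.com is reported as a mismatch for firefox.com.

```python
"""Probe every A/AAAA address of a hostname for a TLS certificate valid for that name.

Added example; hostname and port are caller-supplied assumptions.
"""
import socket
import ssl


def hostname_matches(hostname: str, names) -> bool:
    """Return True if hostname matches one of the certificate's DNS names.

    Exact match, or a wildcard confined to the leftmost label (*.example.com
    matches www.example.com but not example.com or a.b.example.com).
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*.") and "*" not in n[2:]:
            suffix = n[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def san_dns_names(cert: dict):
    """Extract DNS names from the dict returned by SSLSocket.getpeercert().

    Falls back to the subject commonName only when there is no SAN at all.
    """
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def classify(exc: BaseException) -> str:
    """Map a handshake/connect failure to a short category for reporting."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-invalid"          # wrong name, untrusted issuer, expired, ...
    if isinstance(exc, ssl.SSLError):
        return "tls-error"             # handshake failed for a non-certificate reason
    if isinstance(exc, ConnectionRefusedError):
        return "refused"               # nothing listening on that address/port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, OSError):
        return "network-error"
    return "unknown"


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try a verified TLS handshake (with SNI) against each address of hostname.

    Returns {address: "ok" | "cert-name-mismatch" | <category from classify()>}.
    Verification uses the platform trust store via create_default_context().
    """
    ctx = ssl.create_default_context()
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(
        hostname, port, type=socket.SOCK_STREAM
    ):
        addr = sockaddr[0]
        if addr in results:
            continue
        try:
            with socket.socket(family, socket.SOCK_STREAM) as raw:
                raw.settimeout(timeout)
                raw.connect(sockaddr)  # connect to the specific A/AAAA address
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    cert = tls.getpeercert()
                    ok = hostname_matches(hostname, san_dns_names(cert))
                    results[addr] = "ok" if ok else "cert-name-mismatch"
        except Exception as exc:  # per-address failure must not stop the scan
            results[addr] = classify(exc)
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    for address, outcome in sorted(probe(target).items()):
        print(f"{target:30} {address:40} {outcome}")
```

Run it as `python probe.py firefox.com` to get one line per resolved address; a "refused" or "timeout" on an IPv6 address beside an "ok" on IPv4 reproduces the AAAA problem from comment 0, and "cert-invalid" on every address is what a certificate issued for another name looks like through the standard library's verifier. Because the handshake sends the hostname in SNI, the script also exercises exactly the path that made the load balancer fall over to an unrelated internal vhost.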