Closed
Bug 934140
Opened 12 years ago
Closed 12 years ago
Wrong SSL cert for (www.)firefox.com
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jld, Assigned: cturra)
Several problems arise when attempting to load https://firefox.com (as opposed to http://firefox.com):
1. It presents a certificate for www.mozilla.com.
2. If the user overrides the certificate error, the response is a challenge for Mozilla LDAP authentication (!).
3. If authentication/authorization succeeds, the result is a 404.
4. None of this works at all over IPv6, because the address in the AAAA record on firefox.com isn't listening on port 443, but the address in the A record is. Those addresses reverse-resolve to static-non-ssl.zlb.phx.mozilla.net and static.zlb.phx.mozilla.net, which might explain why this is the case.
Updated•12 years ago
Assignee: nobody → server-ops-webops
Component: Other → WebOps: SSL and Domain Names
OS: Linux → All
Product: Websites → Infrastructure & Operations
QA Contact: nmaul
Hardware: x86_64 → All
Summary: https://firefox.com is broken → Wrong SSL cert for (www.)firefox.com
Version: unspecified → other
Assignee
Comment 1•12 years ago
as you have pointed out, there is no ssl certificate for {www.}firefox.com and it's configured through our static non ssl load balancer traffic ip group (tig). this said, due to the way we use sni (server name indication) on a similar tig these https requests were failing over to another internal service that required ldap auth.
i found where this was happening and added an apache redirect rule to catch these requests and redirect them off the same way as non-ssl requests do. *note: i looked through the logs and there are close to zero requests for this via https so see no value in adding full support for ssl.
$ curl -ILk https://www.firefox.com
HTTP/1.1 301 Moved Permanently
Server: Apache
X-Backend-Server: pp-web03
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 04 Nov 2013 07:08:51 GMT
Location: https://www.mozilla.org/firefox/?utm_source=firefox-com&utm_medium=referral
Transfer-Encoding: chunked
Connection: Keep-Alive
X-Cache-Info: caching

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
Vary: Accept-Language, Accept-Encoding
X-Backend-Server: bedrock2.webapp.scl3.mozilla.com
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Location: https://www.mozilla.org/en-US/firefox/?utm_source=firefox-com&utm_medium=referral
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching

HTTP/1.1 301 MOVED PERMANENTLY
Server: Apache
X-Backend-Server: bedrock4.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Location: https://www.mozilla.org/en-US/firefox/new/?utm_source=firefox-com&utm_medium=referral
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching

HTTP/1.1 200 OK
Server: Apache
X-Backend-Server: bedrock5.webapp.scl3.mozilla.com
Vary: Accept-Encoding
Cache-Control: max-age=600
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Nov 2013 07:08:52 GMT
Expires: Mon, 04 Nov 2013 07:18:52 GMT
Transfer-Encoding: chunked
X-Robots-Tag: noodp
Connection: Keep-Alive
X-Frame-Options: DENY
X-Cache-Info: caching
Assignee: server-ops-webops → cturra
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
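An added example, not part of the bug or of Mozilla's tooling: a regression check over a `curl -IL` header dump like the one in comment 1, flagging the failure modes from the report (an auth challenge, a chain that does not end in 200) plus redirects that leave HTTPS or the expected hosts. The sample dumps are constructed, the 401/`WWW-Authenticate` form of the LDAP challenge is an assumption, and `parse_hops`, `audit` and `allowed_hosts` are names chosen here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abbreviated from the shape of the dump in comment 1.
SAMPLE_FIXED = """\
HTTP/1.1 301 Moved Permanently
Location: https://www.mozilla.org/firefox/?utm_source=firefox-com&utm_medium=referral
HTTP/1.1 301 MOVED PERMANENTLY
Location: https://www.mozilla.org/en-US/firefox/new/?utm_source=firefox-com&utm_medium=referral
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

# Constructed sample of the pre-fix behaviour (assumed to surface as a 401).
SAMPLE_BROKEN = """\
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="constructed-example"
"""

def parse_hops(dump):
    """Split a header dump into [(status, {header: value})], one per response."""
    hops = []
    for line in dump.splitlines():
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:  # a status line starts a new hop, with or without blank separators
            hops.append((int(m.group(1)), {}))
        elif ":" in line and hops:
            name, value = line.split(":", 1)
            hops[-1][1][name.strip().lower()] = value.strip()
    return hops

def audit(dump, allowed_hosts):
    """Return a list of findings; an empty list means the chain looks sane."""
    findings = []
    hops = parse_hops(dump)
    for i, (status, hdrs) in enumerate(hops, 1):
        if status in (401, 407) or "www-authenticate" in hdrs:
            findings.append(f"hop {i}: auth challenge (request reached an auth-protected vhost)")
        loc = hdrs.get("location")
        if 300 <= status < 400 and loc:
            u = urlsplit(loc)  # relative Location values have no scheme or host
            if u.scheme and u.scheme != "https":
                findings.append(f"hop {i}: redirect leaves HTTPS: {loc}")
            if u.hostname and u.hostname not in allowed_hosts:
                findings.append(f"hop {i}: redirect to unexpected host {u.hostname}")
    if not hops or hops[-1][0] != 200:
        findings.append("chain does not end in 200")
    return findings
```

The dump in comment 1 was taken with `-k`, which skips certificate verification, so a check like this says nothing about whether the certificate matches the hostname.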