Closed Bug 973080 Opened 11 years ago Closed 11 years ago

SSL Cert on blog.mozilla.org is possibly the wrong one.

Categories

(Infrastructure & Operations :: IT-Managed Tools, task)

Product:
Infrastructure & Operations
Component:
IT-Managed Tools
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: pmac, Assigned: cturra)

References

Details

Attachments

(1 file)

screen shot
686.99 KB, image/png
Details
Attached image screen shot
When visiting https://blog.mozilla.org I do not get the usual green lock in the URL bar. I see a grey lock, and upon looking at the cert info I see that the common name is "generic-san.mozilla.org".
:pmac - that's the expected result. the green bar is only reserved for ssl certificates which have received extended verification (EV). in this case, the ssl certificate on blog.mo is on a shared ssl certificate listed as a subject alternative name (san). since this "generic-san" has more than one domain associated to it, we did not get EV for it.
Assignee: server-ops-webops → cturra
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
:cturra cool. I reported this because it was reported to me on IRC that a user got an "invalid cert" warning on blog.m.o, seemingly because of this. Could this cause such a warning?
Flags: needinfo?(cturra)
(In reply to Paul McLanahan [:pmac] from comment #2) > :cturra cool. I reported this because it was reported to me on IRC that a > user got an "invalid cert" warning on blog.m.o, seemingly because of this. > Could this cause such a warning? nope, it shouldn't. this is a standard way of serving multiple sub domains without from a single ssl certificate.
Flags: needinfo?(cturra)
Looks like it might be possible that the issue with the error is bug 972882 (that :kohei just duped). This apparently doesn't show up in Nightly as other CAs were added. User experienced this in Fx 25.0.1. Thanks for the quick response :cturra!
(In reply to Paul McLanahan [:pmac] from comment #5) > Looks like it might be possible that the issue with the error is bug 972882 > (that :kohei just duped). This apparently doesn't show up in Nightly as > other CAs were added. User experienced this in Fx 25.0.1. > > Thanks for the quick response :cturra! That error is only thrown when NSS does not have the certificate chain and is not presented one by the server. Quickfix is visiting the CA website which serves the chain with the certificate. After NSS fetches the intermediate Firefox wont throw error, but this will affect products (unless user actually is presented the chain somewhere).
it looks like the intermediate was missing in the load balancer config, which was likely the root cause here. Pontus - can you please give it another test for me now that this has been updated?
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
It's resolved now, tested via https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fwiki.mozilla.org Got full chain and validated fine. Great job :cturra
thnx for the update Pontus. i will mark this as r/fixed now.
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Woo-hoo! Thanks for the quick fix guys! This was driving me crazy trying to troubleshoot the problem. I was the guy from irc. ;) https://blog.mozilla.org was working for people on nightly for some unexplainable reason. I guess nightly already had the intermediates in its cert db. But on Fx 25.0.1 and lower, I couldn't get https://blog.mozilla.org to load with out getting the following error: blog.mozilla.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer) Anyway, I can't reproduce it anymore so whatever you did, did the trick. :D Thanks Pontus & Chris for finding out what was going on here.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: