Page MenuHomePhabricator
Create Task
Maniphest T62833

serve a cert chain with dynamic proxy SSL certificate
Closed, ResolvedPublic
Actions

Description

Author: daniel

Description:
While Bug#52630 was fixed and
http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
has an all green result

http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
gives a warning ("The certificate is not trusted in all web browsers.")

The latter goes through a different server (the Instance Proxy).

Version: unspecified
Severity: normal

Details

Reference
bz60833

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:53 AM
bzimport added a project: Cloud-VPS.
bzimport set Reference to bz60833.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Feb 4 2014, 4:12 PM
yuvipanda added a comment.Feb 4 2014, 9:14 PM

It is the dynamic proxy, which uses the star.wmflabs.org certificate, which I presume needs to be fixed.

gerritbot added a comment.Feb 4 2014, 10:04 PM

Change 111342 had a related patch set uploaded by Tim Landscheidt:
Dynamic proxy: Serve SSL certificate chain

https://gerrit.wikimedia.org/r/111342

gerritbot added a comment.Feb 4 2014, 11:59 PM

Change 111342 merged by coren:
Dynamic proxy: Serve SSL certificate chain

https://gerrit.wikimedia.org/r/111342

gerritbot added a comment.Feb 5 2014, 12:41 AM

Change 111386 had a related patch set uploaded by Jeremyb:
Dynamic proxy: Serve SSL certificate chain. v2

https://gerrit.wikimedia.org/r/111386

scfc added a comment.Feb 5 2014, 12:54 AM

Close, but no cigar. While using .chained.pem in the Nginx configuration is apparently The Right Thing(TM), the problem lies deeper: manifests/certs.pp's install_certificate creates the chained certificate for star.wmflabs.org with wmf-labs.pem, while the certificate is actually signed by RapidSSL_CA.pem. The patch by jeremyb should fix this.

FunPika added a comment.Mar 30 2014, 1:56 PM

I've noticed that in Firefox with a fresh profile this will lead to users getting the scary looking "This connection is untrusted" message. For something like accounts.wmflabs.org that routinely deals with new users to the project who may not be very tech savvy, this could be a problem.

gerritbot added a comment.Apr 15 2014, 3:43 PM

Change 111386 merged by Andrew Bogott:
star.wmflabs.org: fix intermediate CA

https://gerrit.wikimedia.org/r/111386

Dzahn added a comment.Apr 16 2014, 10:21 AM

https://gerrit.wikimedia.org/r/#/c/126008/1

Dzahn added a comment.Apr 16 2014, 10:21 AM

can you try again and report results please?

FunPika added a comment.Apr 26 2014, 6:32 PM

Firefox isn't showing it as invalid now with a fresh profile, and http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org is showing all green.

Aklapper added a project: Cloud-Services.Apr 29 2015, 12:20 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 7:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL