[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Daniel Schwen dan...@schwen.de changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|FIXED   |---

--- Comment #8 from Daniel Schwen dan...@schwen.de ---
The error still keeps reoccurring intermittently. I've sent since sent two
emails to the labs list. As soon as the bug was closed I tried it on my Android
phone and it worked fine. A few hours later I tried it on my tablet and it
didn't work. Early this morning it worked, and just now it failed again (this
seems to be device independent and only depending on time).

Could there be multiple hosts that need the fix (round robin)?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #9 from Daniel Schwen dan...@schwen.de ---
While 
http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
has an all green result

http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
gives a warning (The certificate is not trusted in all web browsers.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #10 from Tim Landscheidt t...@tim-landscheidt.de ---
(In reply to comment #8)
 The error still keeps reoccurring intermittently. I've sent since sent two
 emails to the labs list. As soon as the bug was closed I tried it on my
 Android
 phone and it worked fine. A few hours later I tried it on my tablet and it
 didn't work. Early this morning it worked, and just now it failed again (this
 seems to be device independent and only depending on time).

 Could there be multiple hosts that need the fix (round robin)?

No, there is only one host (tools-webproxy) that handles SSL and then relays
via plain http to tools-webserver-0[1-3]/tools-webgrid-01.

I can't reproduce your problems; I've tried three online checks
(http://www.sslshopper.com/ssl-checker.html, http://www.digicert.com/help/,
https://www.ssllabs.com/ssltest/analyze.html) and all succeed (while they
failed previously).

Are you directly accessing https://tools.wmflabs.org/ (vs. CORS in your tool)
and seeing the issue?  Which phone/tablet and software are you using?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Tim Landscheidt t...@tim-landscheidt.de changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |FIXED

--- Comment #11 from Tim Landscheidt t...@tim-landscheidt.de ---
(In reply to comment #9)
 While 
 http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
 has an all green result

 http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
 gives a warning (The certificate is not trusted in all web browsers.)

(That was a mid-air collision :-).)  I fixed *only* tools.wmflabs.org (as per
the title of this bug :-)).  So I'm closing this bug again.

I assume you use [[wikitech:Help:Proxy]] for fastcci1?  Could you open another
bug for that as it is a totally unrelated system?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

jeremyb bugzilla+org.wikime...@tuxmachine.com changed:

   What|Removed |Added

 CC||danmichaelo+wikipedia@gmail
   ||.com

--- Comment #12 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
*** Bug 58284 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Tim Landscheidt t...@tim-landscheidt.de changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #6 from Tim Landscheidt t...@tim-landscheidt.de ---
I fixed this with step-by-step instructions from jeremyb, inspired by bug
#23631:

- Point SSLCertificateFile to tools.wmflabs.org.pem, and
- point SSLCertificateChainFile to RapidSSL_CA.pem.

Yeah, that's right, not to some chained certificate or whatever, just to the
missing intermediate certificate :-).

Thanks again to jeremyb for his help.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #7 from Marc A. Pelletier m...@uberbox.org ---
Wait, so SSLCertificateChainFile should specifically /not/ be a certificate
chain file?  That's...  so sane.

*groan*

Thanks for debugging this Tim.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Daniel Schwen dan...@schwen.de changed:

   What|Removed |Added

 CC||dan...@schwen.de

--- Comment #4 from Daniel Schwen dan...@schwen.de ---
This still exists. I get the certificate error (intermediate missing) on my
Android phone and Tablet. For me it causes tool breakage, as my tool depends on
a CORS connection to labs, which is refused for hosts with broken certs.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #5 from Tim Landscheidt t...@tim-landscheidt.de ---
I played around with it a bit yesterday, but any attempt appeared futile.

On tools-webproxy, I made sure RapidSSL_CA.pem was in /etc/ssl/certs, up to
date and had a symlink.  I've set SSLCACertificatePath to /etc/ssl/certs, shut
down and started up Apache, and still only the server certificate was served
either to online test sites or echo | openssl s_client -connect
tools.wmflabs.org:443 | less.

I set SSLCertificateChainFile to tools.wmflabs.org.chained.pem which I created
by cat tools.wmflabs.org.pem RapidSSL_CA.pem GeoTrust_Global_CA.pem 
tools.wmflabs.org.chained.pem, yet: Nada.

I've renamed tools.wmflabs.org.chained.pem to tools.wmflabs.org.pem to have
Apache read the chained certificate as its only SSLCertificateFile option, and
still only the server certificate was served; and in all cases, after a proper
shutdown  start.

So, Coren, after this experience and recently watching RobH fiddle with
wikitech's certificate for hours to get it right, a checklist: File x should
have one -- CERTIFICATE -- session, Directive y should point to file Z, etc.
would be greatly appreciated :-).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Krinkle krinklem...@gmail.com changed:

   What|Removed |Added

 Depends on||55957

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Bug 52630 depends on bug 55957, which changed state.

Bug 55957 Summary: Get SSL certificates for wmflabs.org (tracking)
https://bugzilla.wikimedia.org/show_bug.cgi?id=55957

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |INVALID

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Ryan Lane rlan...@gmail.com changed:

   What|Removed |Added

 Depends on|55957   |

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Sumana Harihareswara suma...@wikimedia.org changed:

   What|Removed |Added

   Priority|Unprioritized   |Normal
 CC||suma...@wikimedia.org
   Severity|normal  |major

--- Comment #3 from Sumana Harihareswara suma...@wikimedia.org ---
If this is still a problem, I'd say it's at least normal priority.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

jeremyb bugzilla+org.wikime...@tuxmachine.com changed:

   What|Removed |Added

 CC||bugzilla+org.wikimedia@tuxm
   ||achine.com

--- Comment #1 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
To be clear, this is not just about doing things right; the service
inaccessible to some users (e.g. my phone) in its current state.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org

[bugzilla-daemon]

https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #2 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
Also, should copy the nginx conf for cipher prefs, etc. from prod.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l