[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Daniel Schwen dan...@schwen.de changed:

What       |Removed  |Added
Status     |RESOLVED |REOPENED
Resolution |FIXED    |---

--- Comment #8 from Daniel Schwen dan...@schwen.de ---
The error still keeps reoccurring intermittently. I've since sent two emails to the labs list.

As soon as the bug was closed I tried it on my Android phone and it worked fine. A few hours later I tried it on my tablet and it didn't work. Early this morning it worked, and just now it failed again (this seems to be device independent and only depending on time).

Could there be multiple hosts that need the fix (round robin)?

--
You are receiving this mail because:
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #9 from Daniel Schwen dan...@schwen.de ---
While
http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
has an all green result
http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
gives a warning (The certificate is not trusted in all web browsers.)

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #10 from Tim Landscheidt t...@tim-landscheidt.de ---
(In reply to comment #8)
> The error still keeps reoccurring intermittently. I've since sent two emails to the labs list.
> As soon as the bug was closed I tried it on my Android phone and it worked fine. A few hours later I tried it on my tablet and it didn't work. Early this morning it worked, and just now it failed again (this seems to be device independent and only depending on time).
> Could there be multiple hosts that need the fix (round robin)?

No, there is only one host (tools-webproxy) that handles SSL and then relays via plain http to tools-webserver-0[1-3]/tools-webgrid-01.

I can't reproduce your problems; I've tried three online checks (http://www.sslshopper.com/ssl-checker.html, http://www.digicert.com/help/, https://www.ssllabs.com/ssltest/analyze.html) and all succeed (while they failed previously).

Are you directly accessing https://tools.wmflabs.org/ (vs. CORS in your tool) and seeing the issue? Which phone/tablet and software are you using?

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Tim Landscheidt t...@tim-landscheidt.de changed:

What       |Removed  |Added
Status     |REOPENED |RESOLVED
Resolution |---      |FIXED

--- Comment #11 from Tim Landscheidt t...@tim-landscheidt.de ---
(In reply to comment #9)
> While
> http://www.sslshopper.com/ssl-checker.html#hostname=tools.wmflabs.org
> has an all green result
> http://www.sslshopper.com/ssl-checker.html#hostname=fastcci1.wmflabs.org
> gives a warning (The certificate is not trusted in all web browsers.)

(That was a mid-air collision :-).)

I fixed *only* tools.wmflabs.org (as per the title of this bug :-)). So I'm closing this bug again.

I assume you use [[wikitech:Help:Proxy]] for fastcci1? Could you open another bug for that as it is a totally unrelated system?

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

jeremyb bugzilla+org.wikime...@tuxmachine.com changed:

What |Removed |Added
CC   |        |danmichaelo+wikipedia@gmail.com

--- Comment #12 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
*** Bug 58284 has been marked as a duplicate of this bug. ***

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Tim Landscheidt t...@tim-landscheidt.de changed:

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #6 from Tim Landscheidt t...@tim-landscheidt.de ---
I fixed this with step-by-step instructions from jeremyb, inspired by bug #23631:

- Point SSLCertificateFile to tools.wmflabs.org.pem, and
- point SSLCertificateChainFile to RapidSSL_CA.pem.

Yeah, that's right, not to some chained certificate or whatever, just to the missing intermediate certificate :-).

Thanks again to jeremyb for his help.

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #7 from Marc A. Pelletier m...@uberbox.org ---
Wait, so SSLCertificateChainFile should specifically /not/ be a certificate chain file? That's... so sane. *groan*

Thanks for debugging this Tim.

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Daniel Schwen dan...@schwen.de changed:

What |Removed |Added
CC   |        |dan...@schwen.de

--- Comment #4 from Daniel Schwen dan...@schwen.de ---
This still exists. I get the certificate error (intermediate missing) on my Android phone and Tablet. For me it causes tool breakage, as my tool depends on a CORS connection to labs, which is refused for hosts with broken certs.

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #5 from Tim Landscheidt t...@tim-landscheidt.de ---
I played around with it a bit yesterday, but any attempt appeared futile.

On tools-webproxy, I made sure RapidSSL_CA.pem was in /etc/ssl/certs, up to date and had a symlink. I've set SSLCACertificatePath to /etc/ssl/certs, shut down and started up Apache, and still only the server certificate was served either to online test sites or echo | openssl s_client -connect tools.wmflabs.org:443 | less.

I set SSLCertificateChainFile to tools.wmflabs.org.chained.pem which I created by cat tools.wmflabs.org.pem RapidSSL_CA.pem GeoTrust_Global_CA.pem > tools.wmflabs.org.chained.pem, yet: Nada.

I've renamed tools.wmflabs.org.chained.pem to tools.wmflabs.org.pem to have Apache read the chained certificate as its only SSLCertificateFile option, and still only the server certificate was served; and in all cases, after a proper shutdown start.

So, Coren, after this experience and recently watching RobH fiddle with wikitech's certificate for hours to get it right, a checklist: File x should have one -- CERTIFICATE -- session, Directive y should point to file Z, etc. would be greatly appreciated :-).

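As an added example (not part of the bug thread or of Wikimedia's tooling): a check over the `Certificate chain` section printed by the `openssl s_client` command from comment #5, which reports when the server sends only its own certificate and passes once the intermediate from comment #6 is served. The sample outputs, the shortened DNs and the `TRUSTED_ROOTS` set are constructed assumptions.

```python
import re

# Constructed s_client output (not captured from the real host): only the
# server certificate is served, the state described in comment #5.
LEAF_ONLY = """\
---
Certificate chain
 0 s:/CN=tools.wmflabs.org
   i:/CN=RapidSSL CA
---
"""
# Constructed output with the intermediate served, as after comment #6.
WITH_INTERMEDIATE = """\
---
Certificate chain
 0 s:/CN=tools.wmflabs.org
   i:/CN=RapidSSL CA
 1 s:/CN=RapidSSL CA
   i:/CN=GeoTrust Global CA
---
"""
TRUSTED_ROOTS = {"/CN=GeoTrust Global CA"}  # assumed client trust store

def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_section, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break
        elif in_section and (m := re.match(r"\s*\d+ s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_section and subject and (m := re.match(r"\s+i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """List problems a client that holds only trusted_roots would hit."""
    if not chain:
        return ["no certificates served"]
    problems = [f"out of order after {subj}"
                for (subj, issuer), (nxt, _) in zip(chain, chain[1:])
                if issuer != nxt]
    last_issuer = chain[-1][1]
    if last_issuer not in trusted_roots:
        problems.append(f"missing intermediate: {last_issuer}")
    return problems

if __name__ == "__main__":
    for name, out in (("leaf only", LEAF_ONLY), ("fixed", WITH_INTERMEDIATE)):
        print(name, check_chain(parse_chain(out)) or "chain complete")
```

The parser treats subject and issuer as opaque strings, so it also accepts the `C = US, O = ...` DN layout that newer OpenSSL releases print.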
[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Krinkle krinklem...@gmail.com changed:

What       |Removed |Added
Depends on |        |55957

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Bug 52630 depends on bug 55957, which changed state.

Bug 55957 Summary: Get SSL certificates for wmflabs.org (tracking)
https://bugzilla.wikimedia.org/show_bug.cgi?id=55957

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |INVALID

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Ryan Lane rlan...@gmail.com changed:

What       |Removed |Added
Depends on |55957   |

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

Sumana Harihareswara suma...@wikimedia.org changed:

What     |Removed       |Added
Priority |Unprioritized |Normal
CC       |              |suma...@wikimedia.org
Severity |normal        |major

--- Comment #3 from Sumana Harihareswara suma...@wikimedia.org ---
If this is still a problem, I'd say it's at least normal priority.

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

jeremyb bugzilla+org.wikime...@tuxmachine.com changed:

What |Removed |Added
CC   |        |bugzilla+org.wikimedia@tuxmachine.com

--- Comment #1 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
To be clear, this is not just about doing things right; the service is inaccessible to some users (e.g. my phone) in its current state.

[Bug 52630] Fix certificate chain issue for tools.wmflabs.org
https://bugzilla.wikimedia.org/show_bug.cgi?id=52630

--- Comment #2 from jeremyb bugzilla+org.wikime...@tuxmachine.com ---
Also, should copy the nginx conf for cipher prefs, etc. from prod.