Closed Bug 1257214 Opened 9 years ago Closed 5 years ago

Thunderbird Bouncer links go to download.cdn.mozilla.net, showing cert error page

Categories

(Cloud Services :: Operations: Product Delivery, task)

Product:
Cloud Services
Component:
Operations: Product Delivery
Type:
task
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kohei, Unassigned)

References

Details

Click one of the links on https://www.mozilla.org/en-US/thunderbird/ or https://www.mozilla.org/en-US/thunderbird/all/ and you'll be redirected to https://download.cdn.mozilla.net/ that shows the insecure connection error. Please fix it ASAP.
Component: Releases → Operations: Product Delivery
Product: Release Engineering → Cloud Services
QA Contact: rail → oremj
this is what I get: curl -IL https://download.mozilla.org/\?product\=thunderbird-38.7.0\&os\=linux64\&lang\=en-US HTTP/1.1 302 Found Cache-Control: max-age=60 Content-Length: 132 Content-Type: text/html; charset=utf-8 Date: Wed, 16 Mar 2016 16:36:43 GMT Location: http://download.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/linux-x86_64/en-US/thunderbird-38.7.0.tar.bz2 Connection: keep-alive HTTP/1.1 200 OK Content-Type: application/x-bzip2 Content-Length: 40804098 Connection: keep-alive Date: Wed, 16 Mar 2016 16:36:44 GMT x-amz-replication-status: COMPLETED x-amz-version-id: HBC0JoUcOHRE7E0XF2ryRHbUROWdZJkk Last-Modified: Sun, 13 Mar 2016 23:45:48 GMT ETag: "8fffff6de0b9655fd164820040a0d356" Accept-Ranges: bytes Server: AmazonS3 Via: 1.1 c274b14065f0d653675570ea1c144eb2.cloudfront.net (CloudFront), 1.1 b04a4cffa8fb4f524ff7edcab1b5ae31.cloudfront.net (CloudFront) X-Cache: Miss from cloudfront X-Amz-Cf-Id: FHpee5x8V6e4F5c2l5litmn70e3Qtx8WQ5QCEx8Ix_2n4g3kWT37Aw== No https://download.cdn.mozilla.net/ in the redirects...
I've also verified that bouncer has no references to https://download.cdn. Do you have an addon that is forcing https?
The error page says "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate." The error is gone once the NoScript extension is disabled.
The http downgrade is also reported in bug 1228502.
download.cdn.mozilla.net wasn't intended as a HTTPS endpoint. I've added a cert for now, since it seems the thunderbird builds are not going to download-installer and a fair number of people are forcing SSL.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
I had to roll this back, because of some weirdness in our akamai control panel around this endpoint. No traffic was affected. Let's keep this closed in favor of bug 1228502
Bug 1228502 is fixed today.
can we reopen this for those duplicated Firefox download error bugs? Or we need to reopen those bugs for Firefox download endpoint in bug 1232305, bug 1258291, bug 1258275.
oops, I mean bug 1262305, bug 1258291 and bug 1258275
I think this should be solved anyway. Can you please fix the firefox-latest and thunderbird-latest products, currently leading to the problematic download.cdn.mozilla.net endpoint? This is blocking Bug 937865.
Blocks: 937865
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Rail, it looks like firefox-latest and thunderbird-latest point at HTTP endpoints. Should they be sent over SSL instead? We also have firefox-latest-SSL and thunderbird-latest-SSL products for this case. Is this only an issue for people who are forcing SSL everywhere?
Flags: needinfo?(rail)
Looking at this now...
(In reply to Kohei Yoshino [:kohei] from comment #15) > Looks like the most of -latest products are broken. See: > https://docs.google.com/spreadsheets/d/ > 1F8PeBWiR5LP3xnWU1Jlp59gvDMOzFX4wBiHVHXZCXDc > > The -latest-SSL products are 404: > https://download.mozilla.org/?product=firefox-latest-SSL&os=win&lang=en-US > https://download.mozilla.org/?product=thunderbird-latest-SSL&os=win&lang=en- > US I don't think we add latest-SSL aliases, see https://dxr.mozilla.org/mozilla-central/search?q=path%3Atesting%2Fmozharness%2Fconfigs%2Freleases%2Fbouncer+alias&redirect=false&case=false
(In reply to Jeremy Orem [:oremj] from comment #14) > Rail, it looks like firefox-latest and thunderbird-latest point at HTTP > endpoints. Should they be sent over SSL instead? I think was intentional to be backward compatible with something (stub installer? web site?). So I'm not sure. I'd keep them as is. > We also have firefox-latest-SSL and thunderbird-latest-SSL products for this > case. Is this only an issue for people who are forcing SSL everywhere? I think you mean "we can add" ;) I just checked bouncer admin for aliases we have and don't see anything with SSL in name. It shouldn't be hard to add these aliases and use them on the website instead of firefox-latest.
Flags: needinfo?(rail)

@Rail, checking on the health of this bug. Is this still needed?

Flags: needinfo?(rail)

I'm going to close this as FIXED, n omore http://:

curl -IL https://download.mozilla.org/\?product\=thunderbird-38.7.0\&os\=linux64\&lang\=en-US  
HTTP/1.1 302 Found
Cache-Control: max-age=60
Content-Length: 143
Content-Type: text/html; charset=utf-8
Date: Thu, 29 Aug 2019 19:45:50 GMT
Location: https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/38.7.0/linux-x86_64/en-US/thunderbird-38.7.0.tar.bz2
Connection: keep-alive

HTTP/2 200 
content-type: application/x-bzip2
content-length: 40804098
x-amz-replication-status: COMPLETED
last-modified: Sun, 13 Mar 2016 23:45:48 GMT
x-amz-version-id: HBC0JoUcOHRE7E0XF2ryRHbUROWdZJkk
accept-ranges: bytes
server: AmazonS3
via: 1.1 7d5b81244bd8116fcbcfa4c6fef02f93.cloudfront.net (CloudFront), 1.1 6d4ee90b03b8194eed74421e603ee2a8.cloudfront.net (CloudFront)
date: Thu, 29 Aug 2019 08:49:04 GMT
etag: "8fffff6de0b9655fd164820040a0d356"
age: 61001
x-cache: Hit from cloudfront
x-amz-cf-pop: IAD89-C2
x-amz-cf-id: aZnxG2jHIZj4ptyWmCFjGx6MLy-IxThmlgizipj6r4ImPRwUcXcHzg==
Status: REOPENED → RESOLVED
Closed: 9 years ago5 years ago
Flags: needinfo?(rail)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.