Closed
Bug 404656
Opened 17 years ago
Closed 17 years ago
Need wildcard SSL certificate for *.addons.mozilla.org
Categories
(mozilla.org Graveyard :: Server Operations, task)
mozilla.org Graveyard
Server Operations
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: reed, Assigned: mrz)
References
Details
(Whiteboard: waiting for qa, blocks firefox 3 beta 3)
Attachments
(1 file)
(deleted),
text/plain
|
Details |
Bug 404362 and bug 401923 both use subdomains under the *.addons.mozilla.org suffix. A wildcard SSL certificate needs to be purchased in order to support these new subdomains completely, as using the *.mozilla.org wildcard SSL certificate for them is in violation of RFC 2818 (bug 159483). Note that this is becoming an issue with Firefox, too, as bug 159483 has a patch, is sg:want (security group wants it), and blocking1.9 (blocking for final release of Firefox 3) has been requested.
Updated•17 years ago
|
Assignee: server-ops → justin
Comment 1•17 years ago
|
||
need a csr...oremj, can you generate it?
Comment 2•17 years ago
|
||
You might want to double check this csr.
Assignee | ||
Updated•17 years ago
|
Attachment #290418 -
Attachment mime type: application/octet-stream → text/plain
Assignee | ||
Comment 3•17 years ago
|
||
cert & key added to netscaler.
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 4•17 years ago
|
||
Thanks for the quick response on this guys.
Now, can we get facebook.addons.mozilla.org and services.addons.mozilla.org to use this new wildcard cert instead of (ab)using the *.mozilla.org cert? Otherwise, this new cert isn't being used. :)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 5•17 years ago
|
||
Is there a way to test the switch before the actual switch to make sure we don't screw over users?
Comment 6•17 years ago
|
||
Also: services.addons.mozilla.org is an alias for addons.mozilla.org
So no change to do there. Not sure what that is anyways.
Reporter | ||
Comment 7•17 years ago
|
||
(In reply to comment #6)
> Also: services.addons.mozilla.org is an alias for addons.mozilla.org
>
> So no change to do there. Not sure what that is anyways.
SSL certificates don't work that way. They don't accept the value of a CNAME as what to use for hostname matching, so it's still going to try to compare services.addons.mozilla.org against *.mozilla.org and fail. I think you'll probably need to create a separate vip for this (addons-services-ssl?) so that you can use a separate SSL certificate for this host.
As far as what services.addons.mozilla.org is going to be used for, check out bug 404362.
Comment 8•17 years ago
|
||
When services.addons goes live, we'll add the right cert/ip then. I'll leave it to webdev to let me know when it's ready.
Comment 9•17 years ago
|
||
So, facebook.addons isn't actually being used per fligtar, so I swapped it out. I tested and it works.
Yay for buying certs and doing work for sites that aren't even in use (both facebook and services). Let's not do this again.
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Comment 10•17 years ago
|
||
We should set this up so nightly users can test services.addons.mozilla.org without the Fx3 SSL exception dialog. I don't see a reason to delay adding the cert since release is in the near future and we need to have an arbitrarily large audience use this -- thoughts?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 11•17 years ago
|
||
Mike, just to clarify - services.amo needs SSL right?
Comment 12•17 years ago
|
||
Assignee | ||
Comment 13•17 years ago
|
||
Attaching CSR.
-----BEGIN CERTIFICATE REQUEST-----
MIICPjCCAacCAQAwgcsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBv
cmF0aW9uMSQwIgYDVQQLExtzZXJ2aWNlcy5hZGRvbnMubW96aWxsYS5vcmcxJDAi
BgNVBAMTG3NlcnZpY2VzLmFkZG9ucy5tb3ppbGxhLm9yZzElMCMGCSqGSIb3DQEJ
ARYWaG9zdG1hc3RlckBtb3ppbGxhLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAybYZMQ92gkMRAsw3JTzPr//apq9rCJUPQwpW7/630v015fqKGzrhhVBY
shusHbOglwDHRTcNV2fc+sXgUhQy8/kamPsbgbvIz873gPXE7UZeq4pfX63VEeNq
otdxRNflIrqXIjhBYRHPbGg+Dtz0Zl3GJNQMOLIPeDTFuncThusCAwEAAaAyMDAG
CSqGSIb3DQEJDjEjMCEwEQYJYIZIAYb4QgEBBAQDAgZAMAwGA1UdEwEB/wQCMAAw
DQYJKoZIhvcNAQEEBQADgYEAk+Xmq5778R3f4/TtHHeW+XBu14rDHNnzBKtASMCF
eRQKkIuRRpTjyvJmpFM9eFlLbWXRrIWxEuXz4oniBarI/hkqiesk1HULuyp9ED5A
7M0duThXr+lOmQ3pKgE//TV2/gAfaAsDREWIlP3EcLl8Tjten1Vvw128IqcaZAa7
zzI=
-----END CERTIFICATE REQUEST-----
Reporter | ||
Comment 14•17 years ago
|
||
(In reply to comment #13)
> Attaching CSR.
You already have a certificate, as per comment #3... No need to get a new one.
Assignee | ||
Updated•17 years ago
|
Assignee: justin → mrz
Status: REOPENED → NEW
Assignee | ||
Comment 15•17 years ago
|
||
(In reply to comment #12)
> Yes:
> https://services.addons.mozilla.org/
Do you -only- need https or do you also need :80 open?
Assignee | ||
Comment 16•17 years ago
|
||
Site is up @ 63.245.209.15, https only. Looking for webdev signoff before flipping DNS.
Flags: needs-downtime+
Whiteboard: waiting for qa
Comment 17•17 years ago
|
||
We could leave 80 open as a redirect to 443/https as a convenience thing. Any objections? Other than that, we're set. Thanks for setting this up.
Assignee | ||
Comment 19•17 years ago
|
||
updated -
services.addons IN CNAME dyna-services-amo.nslb.sj.mozilla.com.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Comment 20•17 years ago
|
||
Thanks Reed!
Reporter | ||
Comment 21•17 years ago
|
||
Host services.addons.mozilla.org not found: 3(NXDOMAIN)
Host dyna-services-amo.nslb.sj.mozilla.com not found: 3(NXDOMAIN)
Umm...
mconnor/Mossop: This is why "Get Add-ons" isn't working right now.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 22•17 years ago
|
||
Upping severity based on comment 21; unless there's another way to resolve that issue, we need this fixed ASAP so that our testers can continue their testing work. Also, it puts a firm deadline on the fix for Feb 4, which is when we start handing builds to QA for testing.
Severity: normal → major
Whiteboard: waiting for qa → waiting for qa, blocks firefox 3 beta 3
Assignee | ||
Comment 23•17 years ago
|
||
Error in the mozilla.com zone, wasn't loading changes. Fixed and verified -
host dyna-services-amo.nslb.sj.mozilla.com
dyna-services-amo.nslb.sj.mozilla.com has address 63.245.209.15
[root@mradm01 external]# host services.addons.mozilla.org
services.addons.mozilla.org is an alias for dyna-services-amo.nslb.sj.mozilla.com.
dyna-services-amo.nslb.sj.mozilla.com has address 63.245.209.15
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Product: mozilla.org → mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•