Wikimedia Bugzilla is closed!

Guess it needs the *.wikimedia.org cert adding

*** Bug 27301 has been marked as a duplicate of this bug. ***

I have a feeling ryan did this, but couldn't see it in a quick glance of the admin log. but won't fix till someone confirms

(In reply to comment #3)
> I have a feeling ryan did this, but couldn't see it in a quick glance of the
> admin log. but won't fix till someone confirms
nope, checked with ryan

> <Ryan_Lane> nope
> <Ryan_Lane> it's on a linode host
> <Ryan_Lane> we didn't want to put the * cert there
> <Ryan_Lane> so robh is going to be ordering a new cert for it

This bug is still marked 'NEW'. Has it been resolved or do outstanding issues with the cert remain?

Expired 21st January 2011

Still there


The site's security certificate is not trusted!
You attempted to reach wikitech.wikimedia.org, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

Still not fixed:

wikitech.wikimedia.org uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate expired on 1/21/11 10:35 AM. The current time is 9/26/11 7:16 PM.

(Error code: sec_error_expired_issuer_certificate)

Ticket in internal RT has been untouched since being opened in April:

http://rt.wikimedia.org/Ticket/Display.html?id=790

I've added a bump comment.

Any action on this bug?

I'm asking on our internal IRC channels now if anyone can take this.

CT says he'll get someone to look at it.

Ok... So. We are possibly planning some changes to wikitech that may make this ticket not needed.

1. We may move the wikitech content to labsconsole.
2. We'll probably rename wikitech and labsconsole to something else, adding redirects and rewrite rules as appropriate.
3. We'll likely have a read-only mirror that sits off cluster.

Knowing that, we'll likely hold off purchasing a cert until we make a decision.

Can we at least renew the self-signed cert?

Pasting here at least the details of the current cert:

subject= /C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=wikitech.wikimedia.org/emailAddress=root@wikimedia.org
notBefore=Jan 21 15:35:39 2009 GMT
notAfter=Jan 21 15:35:39 2011 GMT
MD5 Fingerprint=F4:EF:BB:95:B3:AD:A5:14:72:7A:45:04:2F:6B:6C:A3
SHA1 Fingerprint=6F:31:C4:C5:68:5B:12:F1:F3:21:5C:3A:CA:35:0B:A3:3C:D1:FB:35

Still off with the pixies, though that may be the staff member keeping the pixies all for themself. :-/

Still mia. expired 11-01-21 07:35:39
(11-01-21 15:35:39 GMT)

This is probably the first time I saw a date in YY-MM-DD format. It completely confised me. Was it a bonus in case we managed to determinate between DD-MM-YYYY and MM-DD-YYYY formats? :D
Try to use YYYY-MM-DD, with the full year, please.

(In reply to comment #17)
> This is probably the first time I saw a date in YY-MM-DD format. It completely
> confised me. Was it a bonus in case we managed to determinate between
> DD-MM-YYYY and MM-DD-YYYY formats? :D
> Try to use YYYY-MM-DD, with the full year, please.

<grin> It was a c/p of the output! of course, that's my system default, which I think I set at some point...

Still not fixed:

wikitech.wikimedia.org uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate expired on 21/01/2011 16:35. The current time is 23/04/2012 09:49.

(Error code: sec_error_expired_issuer_certificate)


Now for bug 23004 (https://gerrit.wikimedia.org/r/4367) the https protocol is always used from noc.wikimedia.org portal.

Status of RT #790?

Still not resolved. 

Is there commentary on 
http://rt.wikimedia.org/Ticket/Display.html?id=790 ? 

I thought perhaps the WMF was outsourcing SSL portoflio management these days, has this request been passed on?

We are likely to soon merge wikitech.wikimedia.org into labsconsole.wikimedia.org. labsconsole will take on the wikitech domain name. It'll then be able to use the *.wikimedia.org certificate. We'll make a static off-site version of wikitech called wikitech-mirror.wikimedia.org. We'll get a certificate for that.

We won't be renewing this certificate, so we'll leave this unresolved for now.

This is still a issue. It is to hard for your techs to get your own site working with https? That sounds not so good ...

Well, you can read the bug to see why it isn't working.

(In reply to comment #23)
> Well, you can read the bug to see why it isn't working.

Is there a timetable for the wikitech -> labsconsole merge? If not, what are the relative costs of purchasing a cert in the interim?

It's a waste of money and time to purchase a cert for this. Relatively no one logs into it. Plans are to have this migrated in a relatively short time period (though we aren't giving a specific date as this time).

The current situation of this site is the same as it has been since it was created. An expired self-signed certificate is no worse than a non-expired self-signed certificate. They are both worthless from a point of view of trust when it comes to end-users.

(In reply to comment #25)
> It's a waste of money and time to purchase a cert for this. Relatively no one
> logs into it. Plans are to have this migrated in a relatively short time period
> (though we aren't giving a specific date as this time).
> [...]

Brion wrote in http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/45162 that the cost for a certificate was USD 8,- three years ago.  If this isn't current anymore, someone should answer Jarry1250's question in comment 24.  If this is still current, that amount could very well be spent without any fuss even if the migration will happen next week.

i renewed the self-signed cert for another year.

The certificate will expire in 364 days