Last modified: 2014-11-12 01:44:02 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T46731, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 44731 - Wrong cert on mail.wikipedia.org (as it redirects to lists.wikimedia.org)


Summary:	Wrong cert on mail.wikipedia.org (as it redirects to lists.wikimedia.org)

Status:	RESOLVED FIXED

Product:	Wikimedia
Classification:	Unclassified
Component:	Mailing lists (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Normal normal (vote)
Target Milestone:	---
Assigned To:	jeremyb

URL:
Whiteboard:
Keywords:	ops

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-02-07 00:27 UTC by Matthew Flaschen
Modified:	2014-11-12 01:44 UTC (History)
CC List:	13 users (show)

See Also:	68553 https://rt.wikimedia.org/Ticket/Display.html?id=6981 73290
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Matthew Flaschen 2013-02-07 00:27:10 UTC

When you visit:

https://mail.wikipedia.org/mailman/listinfo/wikitech-l

it provides the cert for *.wikimedia.org

Comment 1 Thehelpfulone 2013-02-07 00:29:18 UTC

Thanks for this - confirmed, this is because mail.wikipedia.org redirects to lists.wikimedia.org, not sure if this can be fixed though.

Comment 2 Matthew Flaschen 2013-02-07 00:33:39 UTC

We have a wildcard cert for *.wikipedia.org (used on e.g. enwiki).

Could that be installed on mail.wikipedia.org, or would it pose a risk?

Otherwise, we could get a cert for mail.wikipedia.org and use it to serve the redirect.

I hit this since I use HTTPS Everywhere, with has a general Wikimedia rule.  If a fix is not possible, I will request they disable this redirect (http://mail.wikipedia.org -> https://mail.wikipedia.org).

Comment 3 Matthew Flaschen 2013-02-07 00:34:44 UTC

Also, if we can't fix it we should consider just disable accessing it by SSL (so https://mail.wikipedia.org wouldn't work).

Comment 4 Thehelpfulone 2013-06-24 18:02:47 UTC

Adding Daniel to CC to have a look at the feasibility of this.

Comment 5 Zell Faze 2014-02-18 17:17:11 UTC

The second Google Result for wikitech-l links to mail.wikipedia.org page, so I suspect there are probably at least a few people who have run into this issue trying to find the wikitech-l archives.

Comment 6 Daniel Zahn 2014-03-06 02:02:25 UTC

https://rt.wikimedia.org/Ticket/Display.html?id=6981

Comment 7 Jan Zerebecki 2014-07-08 19:43:17 UTC

The google result might change its URL if we add a permanent HTTP redirect from mail.wikipedia.org to lists.wikimedia.org (maybe add some of its other aliases when we are at it) in the apache config.

Comment 8 Matthew Flaschen 2014-07-17 06:43:00 UTC

There is a 301 redirect (permanent redirect) currently.  However, for SSL=>SSL (https://mail.wikipedia.org => https://lists.wikimedia.org/), the only way you can even get the 301 is by accepting an invalid certificate.

I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send warnings out through Webmaster Tools, but I'm not sure how it affects the actual index).

Comment 9 Matthew Flaschen 2014-07-17 06:51:32 UTC

(In reply to Matthew Flaschen from comment #8)
> I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send
> warnings out through Webmaster Tools, but I'm not sure how it affects the
> actual index).

Just to be clear, the result Zell mentioned is HTTP (http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that particular link would only affect HTTPS Everywhere (or similar) users.

Comment 10 Jan Zerebecki 2014-07-17 08:06:08 UTC

Maybe the link doesn't get updated because robots.txt has Disallow: /pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for that domain) a 404 has the desirable effect.

Comment 11 Matthew Flaschen 2014-07-25 03:16:08 UTC

(In reply to Jan Zerebecki from comment #10)
> Maybe the link doesn't get updated because robots.txt has Disallow:
> /pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for
> that domain) a 404 has the desirable effect.

I think that may have been the original domain, so that will probably still lead to crawling the archives.

Comment 12 Matthew Flaschen 2014-07-25 03:18:49 UTC

(In reply to Matthew Flaschen from comment #11)
> (In reply to Jan Zerebecki from comment #10)
> > Maybe the link doesn't get updated because robots.txt has Disallow:
> > /pipermail/ . Perhaps making http://mail.wikipedia.org/robots.txt (only for
> > that domain) a 404 has the desirable effect.
> 
> I think that may have been the original domain, so that will probably still
> lead to crawling the archives.

Actually never mind, as long as the crawlers respect the destination robots.txt (after being redirected) it should be fine.

Comment 13 John Mark Vandenberg 2014-07-25 07:19:43 UTC

(In reply to Matthew Flaschen from comment #9)
> (In reply to Matthew Flaschen from comment #8)
> > I'm not sure of GoogleBot's behavior in this regard. (Apparently, they send
> > warnings out through Webmaster Tools, but I'm not sure how it affects the
> > actual index).
> 
> Just to be clear, the result Zell mentioned is HTTP
> (http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that
> particular link would only affect HTTPS Everywhere (or similar) users.

HTTPS was enabled on this domain because of a HTTPS Everywhere user:
https://bugzilla.wikimedia.org/show_bug.cgi?id=33897

Comment 14 Zell Faze 2014-07-26 14:26:40 UTC

I would recommend not turning off HTTPS on the domain if that is the direction the discussion is heading.  I like the idea of even just the simple redirect being secure.

> Just to be clear, the result Zell mentioned is HTTP
> (http://mail.wikipedia.org/pipermail/wikitech-l/), not HTTPS, so that
> particular link would only affect HTTPS Everywhere (or similar) users.

This is correct.  I use HTTPS Everywhere, and there are quite a lot of people who do, especially within the sort of community that searches for technical mailing list archives.

Comment 15 Gerrit Notification Bot 2014-08-15 00:35:23 UTC

Change 154222 had a related patch set uploaded by Jeremyb:
fix cert mismatch on mail.wikipedia.org

https://gerrit.wikimedia.org/r/154222

Comment 16 Gerrit Notification Bot 2014-08-15 00:35:35 UTC

Change 154223 had a related patch set uploaded by Jeremyb:
fix cert mismatch on mail.wikipedia.org

https://gerrit.wikimedia.org/r/154223

Comment 17 jeremyb 2014-08-15 00:41:47 UTC

btw, I tested mail to a -request address @mail.wikipedia.org (subject="help") and got the same response I would expect for mail to the canonical address.

This change *should* keep that status quo working fine...

Comment 18 Gerrit Notification Bot 2014-10-27 22:03:51 UTC

Change 154223 merged by Faidon Liambotis:
Redirect mail.wikipedia.org to lists.wikimedia.org

https://gerrit.wikimedia.org/r/154223

Comment 19 Gerrit Notification Bot 2014-10-27 23:17:03 UTC

Change 154222 merged by Faidon Liambotis:
Move mail.wikipedia.org to the main cluster

https://gerrit.wikimedia.org/r/154222

Comment 20 Faidon Liambotis 2014-10-28 03:48:23 UTC

This should be fixed now. Thanks Jeremy for all the work!

Comment 21 jeremyb 2014-10-28 03:54:28 UTC

Thanks for updating the patches. LGTM.

https://www.google.com/search?q=site%3Amail.wikipedia.org has ~2850 results.

Let's check in a week or three and see if that has improved.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links