Last modified: 2014-08-01 23:00:38 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T65538, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 63538 - enable SSL/https support again
Status: RESOLVED FIXED
Product: Wikimedia Labs
Classification: Unclassified
deployment-prep (beta) (Other open bugs)
unspecified
All All
: High normal
: ---
Assigned To: Antoine "hashar" Musso (WMF)
Depends on: 48501
Blocks: 51494 59141
Reported: 2014-04-04 18:09 UTC by se4598
Modified: 2014-08-01 23:00 UTC (History)


Description se4598 2014-04-04 18:09:16 UTC
Please enable ssl/https support for the beta wikis again. It is missing after migration to eqiad.

Btw: The old cert issued by Labs CA for all beta subdomains was not considered "valid" because among other things it was only issued for *.wmflabs.org (counts only for direct subdomain) but that's ok.
See bug 48501 for the task to get real beta certs but only for limited subdomains.
Comment 1 Gerrit Notification Bot 2014-04-05 10:26:38 UTC
Change 124057 had a related patch set uploaded by Hashar:
beta: adjust protoproxy for eqiad

https://gerrit.wikimedia.org/r/124057
Comment 2 Antoine "hashar" Musso (WMF) 2014-04-05 10:27:14 UTC
Patch is there, will get it fixed this afternoon hopefully :-]
Comment 3 Antoine "hashar" Musso (WMF) 2014-04-07 10:13:06 UTC
While applying the puppet class on deployment-cache-bits01, nginx ends up bailing out with:

 root@deployment-cache-bits01:~# /etc/init.d/nginx start
 Starting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/star.wmflabs.org.key") failed
   (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
 nginx: configuration file /etc/nginx/nginx.conf test failed
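
The `key values mismatch` error in comment 3 can be caught before nginx is started. The following is an added example, not part of the bug report or of the Wikimedia puppet code: it uses the openssl CLI to compare the public key embedded in a certificate with the one derived from a private key. The function names and the throwaway self-signed pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together
# before a TLS terminator such as nginx tries to load them.

# Exit status: 0 = pair matches, 1 = key values mismatch, 2 = file unreadable.
check_cert_key_pair() {
    cert=$1
    key=$2
    # SubjectPublicKeyInfo embedded in the certificate, as PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public half derived from the private key, in the same PEM encoding.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    # Guard against empty output so two failed reads never compare as equal.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed pair named $2 in directory $1.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.invalid" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Hypothetical wrapper for a pre-start check: prints a verdict, returns the status.
report_pair() {
    rc=0
    check_cert_key_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the private key for $1" ;;
        *) echo "ERROR: cannot parse $1 or $2" ;;
    esac
    return "$rc"
}
```

Because it compares the whole public key rather than an RSA modulus, the same check also works for EC keys.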
Comment 4 Gerrit Notification Bot 2014-04-16 08:29:06 UTC
Change 124057 merged by Dzahn:
beta: adjust protoproxy for eqiad

https://gerrit.wikimedia.org/r/124057
Comment 5 Antoine "hashar" Musso (WMF) 2014-04-16 10:08:53 UTC
The puppet class role::protoproxy::ssl::beta is applied on all varnish instances. Nginx refuses to start because of the /etc/ssl/private/star.wmflabs.org.key key mismatch (see comment #3). That would be solved whenever we get certificates on beta, which is the rather long bug 48501.
Comment 6 se4598 2014-04-16 17:54:19 UTC
REOPEN: bug 48501 is about getting real, valid certs. This is about accessing beta with https (regardless of whether the cert is valid for the browser and a warning message pops up).

I don't know nginx well enough to say why it doesn't like the cert, but how about generating new ones, self-signed or by Labs CA, for beta domains? That's how it was and worked in pmtpa, so what's the problem here?
Comment 7 se4598 2014-04-16 18:03:40 UTC
(In reply to se4598 from comment #6)
appendix: even if the mentioned bug now covers that too, leave this bug open until it's somehow working, because of the dependencies/blocked bug of this etc.
Comment 8 Antoine "hashar" Musso (WMF) 2014-04-17 07:49:30 UTC
SSL is enabled again but is not going to work until someone sorts out the SSL certificate issue tracked by bug 48501. There is no need to have two bugs to track the issue :-D
