Page MenuHomePhabricator
Create Task
Maniphest T133360

Fix wikitech-static TLS config
Closed, ResolvedPublic
Actions

Description

wikitech-static has a couple minor TLS issues:

  1. Does not send chain cert, which should be RapidSSL SHA256 CA - G3
  2. HTTP->HTTPS redirect is 302, should be 301 (probably just need to locate the rewrite rule and change R to R=301 in the bracketed part at the end)

I tried to log in and look at this myself, but the supposed access method doesn't work for me (using info from pwstore).

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedBBlackT132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
 ResolvedKrenairT133360 Fix wikitech-static TLS config
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts

Event Timeline

BBlack created this task.Apr 21 2016, 10:13 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 21 2016, 10:13 PM
BBlack updated the task description. (Show Details)Apr 21 2016, 10:13 PM
BBlack updated the task description. (Show Details)
BBlack added a subscriber: Andrew.
Krenair subscribed.Apr 21 2016, 10:21 PM

Fixed #2.

BBlack added a comment.Apr 21 2016, 10:27 PM

If I had to blindly guess on #1, it's that the config has SSLCertificateFile and SSLCertificateKeyFile, but lacks SSLCertificateChainFile, which should point at a copy of the cert shown in https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO26457 . Also, delete any line with SSLCACertificatePath at the same time, if that exists.

Krenair claimed this task.Apr 21 2016, 10:49 PM

I think I've fixed #1 as well. I did find SSLCertificateChainFile in the docs but it's obsolete since apache 2.4.8. Please check.

(I also removed the SSLCACertificatePath line)

BBlack added a comment.EditedApr 21 2016, 11:13 PM

Fix for #1 + #2 works, thanks!

The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the deprecated way because it works consistently across all the versions that we run. The not-deprecated way is to remove the ChainFile directive and append the contents of that file to the main certificate file.

Also, found a third issue - it's missing HSTS header output (a past audit said that it had HSTS, maybe that got dropped during some later re-config, maybe during switch to Jessie?). Should just require this at the VirtualHost level for the SSL virtualhost:

Header always set Strict-Transport-Security "max-age=31536000"
BBlack added a comment.Apr 21 2016, 11:14 PM

(edited above - #1 + #2 are fixed)

Krenair added a comment.Apr 21 2016, 11:28 PM
In T133360#2229474, @BBlack wrote:

The deprecation thing is accurate, but the ChainFile method still works. We've just been configuring all of our in-house apaches the deprecated way because it works consistently across all the versions that we run. The not-deprecated way is to remove the ChainFile directive and append the contents of that file to the main certificate file.

Yeah, I used the non-deprecated way.

In T133360#2229474, @BBlack wrote:

Also, found a third issue - it's missing HSTS header output (a past audit said that it had HSTS, maybe that got dropped during some later re-config, maybe during switch to Jessie?). Should just require this at the VirtualHost level for the SSL virtualhost:

Header always set Strict-Transport-Security "max-age=31536000"

I copied over all the apache configs during the migration, not sure what happened with that. I wouldn't normally set this sort of header myself for a service like wikitech-static, but I'm going to trust your judgement on this topic. :)
I had to a2enmod headers to get it working.

Do you want to open a separate ticket for fixing ops access to the machine? @Dzahn should have the credentials somewhere, alternatively there's probably some way in through the web panel, or if the right people approve I suppose I could set a new root password for you.

BBlack added a comment.Apr 21 2016, 11:39 PM

For all I know the STS header may have been previously-set in mediawiki config somehow, too, no idea on that. But it's outputting the right header now, so #3 fixed as well. ssllabs back up to A+ now.

Yeah I'll make a separate ticket about access not working as expected.

Krenair closed this task as Resolved.Apr 21 2016, 11:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL