
User browser complains about SSL certificate expired for several toolforge webservices
Closed, Declined; Public; Security

Details

Risk Rating: Medium
Author Affiliation: Wikimedia Communities

Event Timeline

Esc3300 triaged this task as Unbreak Now! priority. Sep 30 2021, 5:47 PM

@Esc3300 you're being affected by https://meta.wikimedia.org/wiki/HTTPS/2021_Let%27s_Encrypt_root_expiry - can you share information about what device you're using? You'll probably need to upgrade it.

@Esc3300 - Can you provide some details about the client side of the connection? What browser+OS versions (or if it's a code client, what platform/language/libraries/etc)?

If it's a known issue with the certificate WMF is using, why not change it?

Seems that Let's Encrypt isn't suitable for this.

Listeria is using the image docker-registry.tools.wmflabs.org/toolforge-php73-sssd-web. That's a buster-based image, so the usual upgrade advice doesn't necessarily seem to apply there unless the buster images had an old SSL stack at some point. If so, restarting should fix it.

This isn't limited to Listeria, all toolforge domains seem to be affected:

Didn't WMF have everybody switch there not too long ago for security reasons?

If restarting something helps, please request the relevant team to do so. It still doesn't work.

Esc3300 renamed this task from SSL certificate expired https://listeria.toolforge.org to SSL certificate expired https://listeria.toolforge.org https://quickstatements.toolforge.org/ https://toolforge.org/. Oct 1 2021, 7:19 AM
aborrero renamed this task from SSL certificate expired https://listeria.toolforge.org https://quickstatements.toolforge.org/ https://toolforge.org/ to User browser complains about SSL certificate expired for several toolforge webservices. Oct 1 2021, 11:27 AM
aborrero lowered the priority of this task from Unbreak Now! to High. Oct 1 2021, 11:30 AM
aborrero subscribed.

Hey @Esc3300 just double checking that you've read this message and the information contained in the metawiki page.

@Esc3300 you're being affected by https://meta.wikimedia.org/wiki/HTTPS/2021_Let%27s_Encrypt_root_expiry - can you share information about what device you're using? You'll probably need to upgrade it.

I did, but it doesn't solve it for WMF in general nor address the root problem

Wait, are you seeing the toolforge.org domain "expired"?

I did, but it doesn't solve it for WMF in general nor address the root problem

The 20-year-old "DST Root CA X3" X509 certificate reached its planned end of use on 2021-09-30 14:01:15 GMT. Clients which have not yet gained trust of the "ISRG Root X1" that Let's Encrypt created in June 2015 to replace trust in "DST Root CA X3" are now failing to validate Let's Encrypt issued certificates. This problem is not at all local to the Wikimedia Foundation managed websites. Let's Encrypt certificates are used by millions of websites (1) and by one estimate Let's Encrypt is the root signing authority for 64% of TLS protected websites (2).

See also:

Making this task public as 1) there isn't any obviously sensitive information discussed here (other than certain toolforge tools might not be working properly right now for a small set of users) and 2) this task would likely be valuable and informative for anyone else experiencing these issues.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 4 2021, 3:51 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Incoming to Watching on the Security-Team board.

@Esc3300: Could you please answer T292217#7395086 and elaborate how to see what where? See https://www.mediawiki.org/wiki/How_to_report_a_bug - Thanks!

No response, closing.