Details
- Risk Rating: Medium
- Author Affiliation: Wikimedia Communities
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | TheDJ | T283164 Let's Encrypt issuance chains update
Declined | Security | None | T292217 User browser complains about SSL certificate expired for several toolforge webservices
Event Timeline
@Esc3300 you're being affected by https://meta.wikimedia.org/wiki/HTTPS/2021_Let%27s_Encrypt_root_expiry - can you share information about what device you're using? You'll probably need to upgrade it.
@Esc3300 - Can you provide some details about the client side of the connection? What browser+OS versions (or if it's a code client, what platform/language/libraries/etc)?
If it's a known issue with the certificate WMF is using, why not change it?
Seems that Let's Encrypt isn't suitable for this.
Listeria is using the image docker-registry.tools.wmflabs.org/toolforge-php73-sssd-web. That's a buster-based image, so the usual upgrade advice doesn't necessarily seem to apply there unless the buster images had an old SSL stack at some point. If so, restarting should fix it.
This isn't limited to Listeria, all toolforge domains seem to be affected:
Didn't WMF have everybody switch there not too long ago for security reasons?
If restarting something helps, please request the relevant team to do so. It still doesn't work.
Hey @Esc3300 just double checking that you've read this message and the information contained in the metawiki page.
The 20 year old "DST Root CA X3" X509 certificate reached its planned end of use on 2021-09-30 14:01:15 GMT. Clients which have not yet gained trust of the "ISRG Root X1" that Let's Encrypt created in June 2015 to replace trust in "DST Root CA X3" are now failing to validate Let's Encrypt issued certificates. This problem is not at all local to the Wikimedia Foundation managed websites. Let's Encrypt certificates are used by millions of websites (1) and by one estimate is the root signing authority for 64% of TLS protected websites (2).
See also:
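An added example, not part of the original thread or of any Wikimedia tooling: a client-side check that classifies a trust store by which of the two roots named above is still usable at a given time. The function names, status strings and sample entries are assumptions made for illustration; the root names and the DST expiry time are the ones quoted in the comment.

```python
import ssl
import time

# Root names and the DST expiry time are the ones quoted in the comment above.
OLD_ROOT = "DST Root CA X3"
NEW_ROOT = "ISRG Root X1"

# Constructed sample entries, shaped like ssl.SSLContext.get_ca_certs() output.
SAMPLE_DST = {"subject": ((("commonName", OLD_ROOT),),),
              "notAfter": "Sep 30 14:01:15 2021 GMT"}
SAMPLE_ISRG = {"subject": ((("commonName", NEW_ROOT),),),
               "notAfter": "Jun  4 11:04:38 2035 GMT"}


def common_name(cert):
    """Return the subject commonName of one trust-store entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def diagnose(ca_certs, now):
    """Classify a trust store by which Let's Encrypt root is usable at `now`."""
    usable = set()
    for cert in ca_certs:
        # Treat a root that is past its notAfter time as unusable.
        if now <= ssl.cert_time_to_seconds(cert["notAfter"]):
            usable.add(common_name(cert))
    if NEW_ROOT in usable:
        return "isrg-root-present"
    if OLD_ROOT in usable:
        return "dst-root-only"
    return "no-usable-root"


def local_trust_store():
    """Return the CA entries Python has loaded for this client.

    get_ca_certs() omits certificates in a capath directory until they are
    used, so an empty list here does not prove the store is empty.
    """
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    print(diagnose(local_trust_store(), time.time()))
```

The result describes only the contents of the trust store as Python sees it; it does not perform a handshake or reproduce how a particular TLS library builds the chain.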
Making this task public as 1) there isn't any obviously sensitive information discussed here (other than certain toolforge tools might not be working properly right now for a small set of users) and 2) this task would likely be valuable and informative for anyone else experiencing these issues.
@Esc3300: Could you please answer T292217#7395086 and elaborate how to see what where? See https://www.mediawiki.org/wiki/How_to_report_a_bug - Thanks!