|Open||None||T60224 Add domains to $wgCopyUploadsDomains (tracking)|
|Resolved||Dereckson||T137423 Please add nara.gov to the wgCopyUploadsDomains whitelist of Wikimedia Commons|
We've deployed this.
During the tests, we've seen there is an issue with SSL. This means you can't currently upload https links to Commons, only http ones.
Error fetching URL: SSL certificate problem: unable to get local issuer certificate
Currently, the site only publishes their final certificate.
But SSL trust is a chain of certificates: root authority → intermediate CA → final certificate.
As only the root authority certificate is in trust stores, clients have two solutions:
- download missing certificates manually, which is why on Chrome or Firefox all is fine
- raise an error, the choice of curl and other libraries
How to fix that
Could you get in touch with the US archives operations team and ask them to fix their SSL configuration?
They need to create a "bundle" of two certificates, concatenating all the certificates (the root one isn't needed, as already in client trust stores):
cat final-certificate intermediate-certificate > bundle.pem
Then, they need to edit the webserver configuration to serve this bundle instead of the final certificate (private key setting doesn't need to be modified). For Apache, this is SSLCertificateFile (and not SSLCertificateChainFile, which is deprecated).
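The failure and the fix described in the comment above can be reproduced offline with a throwaway certificate chain. This is an added example, not part of the original comment; the CA names, demo.example and all file names are constructed, and it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example. All names and certificates below are constructed test data.

build_demo_pki() {  # $1 = scratch directory
  local d="$1"
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate a client trust store would hold.
  openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  # Intermediate CA signed by the root, then the site ("final") certificate
  # signed by the intermediate.
  _issue "$d" int  "Demo Intermediate CA" root v3_ca   1001
  _issue "$d" leaf "demo.example"         int  v3_leaf 1002
  # Bundle in the order servers expect: final certificate first, then intermediate.
  cat "$d/leaf.pem" "$d/int.pem" > "$d/bundle.pem"
}

_issue() {  # dir, name, CN, issuer name, extension section, serial
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -set_serial "$6" \
    -extfile "$1/x.cnf" -extensions "$5" -out "$1/$2.pem" -days 2 2>/dev/null
}

# Validate the final certificate the way a strict client does: trust only the
# root, plus whatever extra certificates the server sent ($3, optional).
verify_as_client() {  # $1 = root, $2 = final certificate, $3 = certificates sent by server
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi
}

d=$(mktemp -d)
build_demo_pki "$d"
echo "final certificate only:"; verify_as_client "$d/root.pem" "$d/leaf.pem" || true
echo "with bundle:";            verify_as_client "$d/root.pem" "$d/leaf.pem" "$d/bundle.pem"
```

The first check fails with the same "unable to get local issuer certificate" error quoted in the comment; the second succeeds because the intermediate is supplied alongside the final certificate.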