Page MenuHomePhabricator

Please add to the wgCopyUploadsDomains whitelist of Wikimedia Commons
Closed, ResolvedPublic

Description (US National Archives web site) is already listed in the white list, but the media server for the online catalog is actually at, so that should be added too. Thanks!

See also
Previous request: T124080 / ea4b855b

Related Objects

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.

Event Timeline

Dereckson moved this task from Backlog to Working on on the Wikimedia-Site-requests board.
Dereckson moved this task from Incoming to Uploading on the Commons board.
Dereckson updated the task description. (Show Details)

That means to add * as there are subdomains like,,

Change 293513 had a related patch set uploaded (by Dereckson):
Add * to wgCopyUploadsDomains

Dereckson triaged this task as Medium priority.Jun 9 2016, 3:07 PM

Change 293513 merged by jenkins-bot:
Add * to wgCopyUploadsDomains

We've deployed this.

During the tests, we've seen there is an issue with SSL. This mean you can't currently upload https links to Commons, only http ones.

SSL issue

Error fetching URL: SSL certificate problem: unable to get local issuer certificate

Currently, the site only publishes their final certificate.

But SSL trust is a chain of certificates: root authority → intermediate CA → final certificate.

As only the root authority certificate is in trust stores, clients have two solutions:

  1. download missing certificates manually, which is why on Chrome or Firefox all is fine
  2. raise an error, the choice of curl and other libraries

How to fix that

Could you get in touch with US archives operations team and ask them to fix their SSL configuration?

They need to create a "bundle" of two certificates, concatenating all the certificates (the root one isn't needed, as already in client trust stores):

cat intermediate-certificate final-certificate > bundle.pem

Then, they need to edit the webserver configuration to serve this bundle instead of the final certificate (private key setting doesn't need to be modified). For apache, this is SSLCertificateFile (and not SSLCertificateChainFile which is deprecated)



Dereckson closed this task as Resolved.EditedJun 9 2016, 3:45 PM

Marking as resolved as working for HTTP, and as there is nothing to do on Wikimedia side, now or after they fixed the configuration (it will work automatically).