That means to add *.nara.gov as there are subdomains like hoover.nara.gov, search.nara.gov, clinton5.nara.gov

Change 293513 had a related patch set uploaded (by Dereckson):
Add *.nara.gov to wgCopyUploadsDomains

https://gerrit.wikimedia.org/r/293513

Change 293513 merged by jenkins-bot:
Add *.nara.gov to wgCopyUploadsDomains

https://gerrit.wikimedia.org/r/293513

We've deployed this.

During the tests, we've seen there is an issue with SSL. This mean you can't currently upload https links to Commons, only http ones.

SSL issue

Error fetching URL: SSL certificate problem: unable to get local issuer certificate

Currently, the site only publishes their final certificate.

But SSL trust is a chain of certificates: root authority → intermediate CA → final certificate.

As only the root authority certificate is in trust stores, clients have two solutions:

1. download missing certificates manually, which is why on Chrome or Firefox all is fine
2. raise an error, the choice of curl and other libraries

How to fix that

Could you get in touch with US archives operations team and ask them to fix their SSL configuration?

They need to create a "bundle" of two certificates, concatenating all the certificates (the root one isn't needed, as already in client trust stores):

cat intermediate-certificate final-certificate > bundle.pem

Then, they need to edit the webserver configuration to serve this bundle instead of the final certificate (private key setting doesn't need to be modified). For apache, this is SSLCertificateFile (and not SSLCertificateChainFile which is deprecated)

Reference: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

Test: https://www.ssllabs.com/ssltest/analyze.html?d=clinton4.nara.gov&s=2620%3a0%3a2b0%3a10f1%3a0%3a0%3a0%3a109