Please add nara.gov to the wgCopyUploadsDomains whitelist of Wikimedia Commons
Closed, Resolved · Public

Description

archives.gov (US National Archives web site) is already listed in the white list, but the media server for the online catalog is actually at nara.gov, so that should be added too. Thanks!

See also
Previous request: T124080 / ea4b855b

Event Timeline

Dominicbm created this task. Jun 9 2016, 2:18 PM
Restricted Application added subscribers: Zppix, Poyekhali, JEumerus and 3 others. Jun 9 2016, 2:18 PM
Dereckson claimed this task. Jun 9 2016, 2:57 PM
Dereckson moved this task from Backlog to Working on on the Wikimedia-Site-requests board.
Dereckson moved this task from Incoming to Uploading on the Commons board.
Dereckson updated the task description.

That means adding *.nara.gov, as there are subdomains like hoover.nara.gov, search.nara.gov, clinton5.nara.gov.

Change 293513 had a related patch set uploaded (by Dereckson):
Add *.nara.gov to wgCopyUploadsDomains

https://gerrit.wikimedia.org/r/293513

Dereckson triaged this task as Normal priority. Jun 9 2016, 3:07 PM

Change 293513 merged by jenkins-bot:
Add *.nara.gov to wgCopyUploadsDomains

https://gerrit.wikimedia.org/r/293513

We've deployed this.

During the tests, we've seen there is an issue with SSL. This means you can't currently upload https links to Commons, only http ones.

SSL issue

Error fetching URL: SSL certificate problem: unable to get local issuer certificate

Currently, the site only publishes their final certificate.

But SSL trust is a chain of certificates: root authority → intermediate CA → final certificate.

As only the root authority certificate is in trust stores, clients have two solutions:

  1. download missing certificates manually, which is why on Chrome or Firefox all is fine
  2. raise an error, the choice of curl and other libraries

How to fix that

Could you get in touch with the US archives operations team and ask them to fix their SSL configuration?

They need to create a "bundle" of two certificates, concatenating all the certificates (the root one isn't needed, as it is already in client trust stores):

# leaf (final) certificate first, then the intermediate
cat final-certificate intermediate-certificate > bundle.pem

Then, they need to edit the webserver configuration to serve this bundle instead of the final certificate (the private key setting doesn't need to be modified). For Apache, this is SSLCertificateFile (and not SSLCertificateChainFile, which is deprecated).

Reference: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile

Test: https://www.ssllabs.com/ssltest/analyze.html?d=clinton4.nara.gov&s=2620%3a0%3a2b0%3a10f1%3a0%3a0%3a0%3a109

Dereckson closed this task as Resolved. Jun 9 2016, 3:45 PM

Marking as resolved as it works for HTTP, and as there is nothing to do on the Wikimedia side, now or after they fix the configuration (it will work automatically).
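
The "unable to get local issuer certificate" failure described in the SSL comment above can be reproduced offline. This is an added example, not part of the original task or of any Wikimedia or NARA configuration: it builds a throwaway root → intermediate → leaf chain with openssl (all subjects, file names and function names are constructed) and verifies what a server would send while trusting only the root, as curl does.

```shell
#!/usr/bin/env bash
# Constructed demo: every subject, file name and function here is made up for illustration.

# Build a throwaway chain: root CA -> intermediate CA -> leaf (server) certificate.
make_chain() {
  local d=$1 name
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for name in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
      -out "$d/$name.csr" -subj "/CN=demo $name" 2>/dev/null
  done
  # The self-signed root stands in for the CA already present in client trust stores.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null
  # Served chain: leaf first, then the intermediate; the root is left out.
  cat "$d/leaf.crt" "$d/intermediate.crt" > "$d/bundle.pem"
}

# Verify what a server sends ($2) the way a strict client does: trust only the root,
# use the served certificates as untrusted chain material, fetch nothing from the network.
# openssl verify checks the first certificate in the file, i.e. the leaf.
verify_served() {
  local d=$1 served=$2
  openssl verify -CAfile "$d/root.crt" -untrusted "$served" "$served" 2>&1
}

demo() {
  local d
  d=$(mktemp -d)
  make_chain "$d"
  echo "server sends leaf only:"
  verify_served "$d" "$d/leaf.crt" || true     # fails: issuer of the leaf is unknown
  echo "server sends leaf + intermediate:"
  verify_served "$d" "$d/bundle.pem" || true   # succeeds: chain reaches the trusted root
  rm -rf "$d"
}

demo
```
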