Book collections communicate with pediapress using http:
Closed, Resolved · Public

Description

Creating a new Book collection and choosing «Preview with PediaPress» on https://en.wikipedia.org/wiki/Special:Book sends the data through http:// and their website is browsed without https: until the last step, where it changes to https:// (and sets HSTS, hiding it on further requests).

The $wgCollectionPODPartners parameters look like they should work out-of-the-box with a change from http to https. However, there's an issue with the public pediapress server at tools.pediapress.com in that it doesn't have an appropriate certificate: it is using the general EV certificate, which is only valid for pediapress.com and www.pediapress.com.

Restricted Application added a project: Traffic. · Feb 6 2017, 11:57 PM
Restricted Application added a subscriber: Aklapper.

Change 336340 had a related patch set uploaded (by Platonides):
Use https:// urls when communicating with PediaPress

https://gerrit.wikimedia.org/r/336340

Restricted Application added a project: Operations. · Feb 7 2017, 12:00 AM

Change 336341 had a related patch set uploaded (by Platonides):
Use https:// default urls for communication with PediaPress

https://gerrit.wikimedia.org/r/336341

Change 336342 had a related patch set uploaded (by Platonides):
Use a https:// url for $wgCollectionMWServeURL

https://gerrit.wikimedia.org/r/336342

Dzahn added a subscriber: Dzahn. · Feb 7 2017, 12:03 AM

So does pediapress have to fix their cert on tools.pediapress before this can be merged or is it unrelated to that change?

Thanks for the heads up. If there is no other option, we can get a wildcard SSL cert for tools.pediapress.com.

Dzahn added a comment. · Feb 7 2017, 7:11 PM

@Ckepper How about using https://letsencrypt.org/ it's easy with https://certbot.eff.org/ , you don't have to spend any money on it and the root cert is in all browsers. At WMF we use it for several "misc" services now (also puppetized).

Thank you @Dzahn, that's an excellent suggestion. I will look into it and try to set it up for tools.pediapress.com.

Only the last patch depends on pediapress changing their certificate. The other hosts have a valid certificate, and should be safe to merge.

We have installed letsencrypt/certbot. You can now start testing on https://tools.pediapress.com/
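The certificate problem in the description and the test invited above come down to one check: does the name the client connects to (tools.pediapress.com) appear, literally or via a wildcard, in the dNSName entries of the certificate's subjectAltName? The following is an added example and is not code from this task, the Collection extension or PediaPress. The two SAN lists are constructed to mirror the thread (the EV certificate covering only pediapress.com and www.pediapress.com, and the wildcard certificate Ckepper mentioned), the partner config keys are an assumption, and only the live check function talks to the real host; everything else runs offline.

```python
import socket
import ssl

# Constructed SAN lists (assumptions mirroring the thread, not real cert data):
# the EV certificate covers only the two names named in the description; the
# wildcard certificate that was considered would cover *.pediapress.com.
EV_CERT_SANS = ["pediapress.com", "www.pediapress.com"]
WILDCARD_CERT_SANS = ["pediapress.com", "*.pediapress.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive; a '*' is accepted
    only as the entire leftmost label, must be followed by at least two more
    labels, and matches exactly one label (so *.pediapress.com covers neither
    pediapress.com itself nor a.b.pediapress.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards like t*.example.com are rejected
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_names) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(dns_name_matches(p, hostname) for p in san_names)


def insecure_urls(config, path=""):
    """Walk a nested config mapping (a $wgCollectionPODPartners-like dict) and
    return the dotted paths of every value that is a plaintext http:// URL."""
    found = []
    if isinstance(config, dict):
        for key, value in config.items():
            found.extend(insecure_urls(value, f"{path}.{key}" if path else str(key)))
    elif isinstance(config, str) and config.lower().startswith("http://"):
        found.append(path)
    return found


# Constructed stand-in for the partner config; the key names are an assumption.
BEFORE = {"pediapress": {"name": "PediaPress",
                         "url": "http://pediapress.com/",
                         "posturl": "http://pediapress.com/api/collections/"}}
AFTER = {"pediapress": {"name": "PediaPress",
                        "url": "https://pediapress.com/",
                        "posturl": "https://pediapress.com/api/collections/"}}


def live_check(hostname: str, port: int = 443, timeout: float = 5.0):
    """Let the stdlib do the real verification (chain and hostname) against a
    live server. Needs network access, so it is not exercised offline.
    Returns (True, san_list) on success or (False, error_message) on a
    verification failure such as a name mismatch."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
                return True, sans
    except ssl.SSLCertVerificationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for sans, label in ((EV_CERT_SANS, "EV cert"), (WILDCARD_CERT_SANS, "wildcard")):
        print(label, "covers tools.pediapress.com:",
              cert_covers("tools.pediapress.com", sans))
    print("plaintext URLs before:", insecure_urls(BEFORE))
    print("plaintext URLs after:", insecure_urls(AFTER))
    # Uncomment to repeat the check against the live host:
    # print(live_check("tools.pediapress.com"))
```

With the EV SAN list the check for tools.pediapress.com fails and a browser or MediaWiki's HTTP client would refuse the connection; with the wildcard list it passes, which is why either a wildcard or a dedicated certificate (the Let's Encrypt one that was actually deployed) resolves the description. `insecure_urls` is the kind of pre-merge check that confirms no http:// value is left in the partner config once the patches land.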

Dzahn added a comment. · Feb 8 2017, 7:20 PM

@Ckepper very cool :) thank you, looks good to me and gets an A rating here https://www.ssllabs.com/ssltest/analyze.html?d=tools.pediapress.com

Dzahn awarded a token. · Feb 8 2017, 7:21 PM

Change 336340 merged by jenkins-bot:
Use https:// urls when communicating with PediaPress

https://gerrit.wikimedia.org/r/336340

Mentioned in SAL (#wikimedia-operations) [2017-02-09T00:11:01Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Use https:// urls when communicating with PediaPress (T157398) (duration: 00m 41s)

Dzahn added a comment. · Feb 9 2017, 12:18 AM

confirmed that Special:Book, creating a book, preview with Pediapress, still works fine after sync of the change above which makes it use https

Dzahn reassigned this task from Dzahn to Platonides. · Feb 9 2017, 12:18 AM
Dzahn closed this task as Resolved.

Change 336341 merged by Dzahn:
Use https:// default urls for communication with PediaPress

https://gerrit.wikimedia.org/r/336341

Change 336342 merged by Dzahn:
Use a https:// url for $wgCollectionMWServeURL

https://gerrit.wikimedia.org/r/336342