Page MenuHomePhabricator
Create Task
Maniphest T157398

Book collections communicate with pediapress using http:
Closed, ResolvedPublic
Actions

Description

Creating a new Book collection and choosing «Preview with PediaPress» on https://en.wikipedia.org/wiki/Special:Book sends the data through http:// and their website is browsed without https: until the last step, where it changes to https:// (and sets HSTS, hiding it on further requests).

The $wgCollectionPODPartners parameters look like they should work out-of-the-box with a change from http to https. However, there's an issue with the public pediapress server at tools.pediapress.com in that it doesn't have an appropriate certificate, it is using the general EV certificate, which is only valid for pediapress.com and www.pediapress.com

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use a https:// url for $wgCollectionMWServeURLmediawiki/extensions/Collectionmaster+1 -1
Use https:// default urls for communication with PediaPressmediawiki/extensions/Collectionmaster+2 -2
Use https:// urls when communicating with PediaPressoperations/mediawiki-configmaster+2 -2
Customize query in gerrit

Event Timeline

Platonides created this task.Feb 6 2017, 11:57 PM
Restricted Application added a project: Traffic. · View Herald TranscriptFeb 6 2017, 11:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot subscribed.Feb 7 2017, 12:00 AM

Change 336340 had a related patch set uploaded (by Platonides):
Use https:// urls when communicating with PediaPress

https://gerrit.wikimedia.org/r/336340

Restricted Application added a project: SRE. · View Herald TranscriptFeb 7 2017, 12:00 AM
gerritbot added a project: Patch-For-Review.Feb 7 2017, 12:00 AM
gerritbot added a comment.Feb 7 2017, 12:02 AM

Change 336341 had a related patch set uploaded (by Platonides):
Use https:// default urls for communication with PediaPress

https://gerrit.wikimedia.org/r/336341

gerritbot added a comment.Feb 7 2017, 12:02 AM

Change 336342 had a related patch set uploaded (by Platonides):
Use a https:// url for $wgCollectionMWServeURL

https://gerrit.wikimedia.org/r/336342

Dzahn subscribed.Feb 7 2017, 12:03 AM

So does pediapress have to fix their cert on tools.pediapress before this can be merged or is it unrelated to that change?

Ckepper added a comment.Feb 7 2017, 7:03 PM

Thanks for the heads up. If there is no other option, we can get a wildcard SSL cert for tools.pediapress.com.

Dzahn added a comment.Feb 7 2017, 7:11 PM

@Ckepper How about using https://letsencrypt.org/ it's easy with https://certbot.eff.org/ , you don't have to spend any money on it and the root cert is in all browsers. At WMF we use it for several "misc" services now (also puppetized).

Ckepper added a comment.Feb 7 2017, 7:52 PM

Thank you @Dzahn, that's an excellent suggestion. I will look into it and try to set it up for tools.pediapress.com.

Platonides added a comment.Feb 7 2017, 10:22 PM

Only the last patch depend on the pediapress changing their certificate. The other hosts have a valid certificate, and should be safe to merge.

Ckepper added a comment.Feb 8 2017, 5:41 PM

We have installed letsencrypt/certbot. You can now start testing on https://tools.pediapress.com/

Dzahn added a comment.Feb 8 2017, 7:20 PM

@Ckepper very cool :) thank you looks good to me and gets A rating here https://www.ssllabs.com/ssltest/analyze.html?d=tools.pediapress.com

Dzahn awarded a token.Feb 8 2017, 7:21 PM
Dzahn claimed this task.Feb 8 2017, 11:54 PM

https://wikitech.wikimedia.org/w/index.php?title=Deployments&type=revision&diff=1480106&oldid=1478688

gerritbot added a comment.Feb 9 2017, 12:07 AM

Change 336340 merged by jenkins-bot:
Use https:// urls when communicating with PediaPress

https://gerrit.wikimedia.org/r/336340

Stashbot subscribed.Feb 9 2017, 12:11 AM

Mentioned in SAL (#wikimedia-operations) [2017-02-09T00:11:01Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Use https:// urls when communicating with PediaPress (T157398) (duration: 00m 41s)

Dzahn added a comment.Feb 9 2017, 12:18 AM

confirmed that Special:Book, creating a book, preview with Pediapress, still works fine after sync of the change above which makes it use https

Dzahn closed this task as Resolved.Feb 9 2017, 12:18 AM
Dzahn reassigned this task from Dzahn to Platonides.
gerritbot added a comment.Feb 15 2017, 7:39 PM

Change 336341 merged by Dzahn:
Use https:// default urls for communication with PediaPress

https://gerrit.wikimedia.org/r/336341

gerritbot added a comment.Feb 15 2017, 7:42 PM

Change 336342 merged by Dzahn:
Use a https:// url for $wgCollectionMWServeURL

https://gerrit.wikimedia.org/r/336342

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-02-21_(1.29.0-wmf.13)).Feb 15 2017, 8:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits