fr.wikipedia.beta.wmflabs.org uses an invalid security certificate
Closed, Resolved, Public

Description

fr.wikipedia.beta.wmflabs.org is not on the security certificate, serving an SSL_ERROR_BAD_CERT_DOMAIN

Raw error text:

https://fr.wikipedia.beta.wmflabs.org/wiki/Main_Page

Unable to communicate securely with peer: requested domain name does not match the server’s certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:


Keegan created this task. Feb 26 2018, 5:57 PM
Restricted Application added a subscriber: Aklapper. Feb 26 2018, 5:57 PM
greg added a subscriber: greg. Feb 26 2018, 6:04 PM

Looks like it wasn't added to the list of Let's Encrypt domains.

Change 414730 had a related patch set uploaded (by Greg Grossmeier; owner: Greg Grossmeier):
[operations/puppet@production] beta: add fr.wikipedia for LE cert

https://gerrit.wikimedia.org/r/414730

greg triaged this task as High priority. Feb 26 2018, 6:17 PM
greg claimed this task.
greg moved this task from To Triage to Backlog on the Beta-Cluster-Infrastructure board.

Change 414730 merged by Dzahn:
[operations/puppet@production] beta: add fr.wikipedia for LE cert

https://gerrit.wikimedia.org/r/414730

Mentioned in SAL (#wikimedia-releng) [2018-02-26T18:39:13Z] <mutante> deployment-cache-text04 - manually creating Letsencrypt SSL cert for fr.wikipedia.beta.wmflabs.org (acme-setup -i "fr_wikipedia_beta_wmflabs_org" -s "fr.wikipedia.beta.wmflabs.org" --key-user root --key-group root), restarted nginx (T188288)

Dzahn added a subscriber: Dzahn. Feb 26 2018, 6:47 PM

13:39 < mutante> ..but .. it did not fix it yet, heh
13:40 < mutante> i see, what i did is create a new cert for just the missing one
13:40 < mutante> but usually they are all added to a single unified one

back to fixing the unrelated puppet error we see on deployment-cache-text04 which prevents puppet from doing that the right way

Change 414738 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] deployment-prep: set profile::cache::kafka::webrequest::kafka_cluster_name

https://gerrit.wikimedia.org/r/414738

Change 414738 merged by Dzahn:
[operations/puppet@production] deployment-prep: set profile::cache::kafka::webrequest::kafka_cluster_name

https://gerrit.wikimedia.org/r/414738

Dzahn added a comment. Feb 26 2018, 8:03 PM

This changed the puppet error to a new one, since now there is a kafka_cluster_name but no kafka_config for this cluster is found.

EddieGP closed this task as Resolved. Apr 10 2018, 5:55 PM
EddieGP added a subscriber: EddieGP.

The puppet errors are fixed and fr.wikipedia.beta.wmflabs.org seems to now be part of the unified cert. Thus I'm closing this as resolved.

However, there is no database frwiki in beta and no wiki is configured for fr.wikipedia.beta.wmflabs.org. It resolves only because we happen to use a wildcard DNS *.beta.wmflabs.org. I assume no one checked that and instead just went ahead trying to fix the issue at hand. Thanks for that, but future tasks to add domains to the ASNs of the beta letsencrypt cert should be closed as Invalid if that domain just points to the "Nothing configured here" page. There's no way we can get all these unconfigured domains in the ASN of our cert (as a single entry per domain).

The preferred solution to this is to get a wildcard certificate from letsencrypt. That's tracked at T182927.
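
An added example (not part of this task or of the Wikimedia puppet code) of the name check behind SSL_ERROR_BAD_CERT_DOMAIN: a hostname must match one of the certificate's subjectAltName DNS entries, and a certificate wildcard covers exactly one label, unlike the wildcard DNS record discussed above. The function names and the SAN lists are constructed for illustration; only fr.wikipedia.beta.wmflabs.org and *.beta.wmflabs.org come from the task.

```python
# Added example: hostname matching against a certificate's SAN dNSName list,
# following the RFC 6125 rule that "*" stands for one whole leftmost label.
# All SAN lists below are constructed samples, not the real beta certificate.

def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a certificate wildcard never spans several labels
    if pat[0] == "*":
        # Wildcard accepted only as the entire leftmost label.
        return "*" not in ".".join(pat[1:]) and host[1:] == pat[1:]
    # Partial-label wildcards such as "f*.example.org" are rejected here.
    return "*" not in pattern and host == pat


def covered(hostname: str, sans: list[str]) -> bool:
    """True if any SAN entry covers hostname."""
    return any(san_matches(hostname, p) for p in sans)


def uncovered(hostnames: list[str], sans: list[str]) -> list[str]:
    """Hostnames that would trigger a bad-cert-domain error for this SAN list."""
    return [h for h in hostnames if not covered(h, sans)]


# Constructed SAN lists modelling the situations described in the task.
UNIFIED_BEFORE = ["en.wikipedia.beta.wmflabs.org", "de.wikipedia.beta.wmflabs.org"]
UNIFIED_AFTER = UNIFIED_BEFORE + ["fr.wikipedia.beta.wmflabs.org"]
WILDCARD_ZONE = ["*.beta.wmflabs.org"]               # same shape as the DNS wildcard
WILDCARD_PROJECT = ["*.wikipedia.beta.wmflabs.org"]  # one wildcard per project level

if __name__ == "__main__":
    host = "fr.wikipedia.beta.wmflabs.org"
    for name, sans in [("unified, before", UNIFIED_BEFORE),
                       ("unified, after", UNIFIED_AFTER),
                       ("*.beta.wmflabs.org", WILDCARD_ZONE),
                       ("*.wikipedia.beta.wmflabs.org", WILDCARD_PROJECT)]:
        print(f"{name:32} covers {host}: {covered(host, sans)}")
```
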