Page MenuHomePhabricator
Create Task
Maniphest T199656

HTTPS automatically being rewritten to HTTP
Open, LowPublic
Actions

Description

After enabling the HTTPS role the server strangely redirects all requests to the HTTPS port from https to http and displays a 400 error.

Steps to reproduce (after setting up a clean vagrant box per the instructions here with no roles enabled):

  1. Follow the guide here by generating a root and intermediate certificate.
  2. Create a CSR using these instructions.
  3. In the configuration file for the intermediate folder place the code below under server_cert but before crl_ext:
subjectAltName = @alt_names
[alt_names]
DNS.1   = *.wiki.local.wmftest.net
DNS.2   = wiki.local.wmftest.net

where local.wmftest.net is the value of

mwv::tld
role::mediawiki::hostname
and mediawiki::multiwiki::base_domain

in vagrant hiera configuration (puppet/hieradata/common.yaml).

  1. Sign the client CSR by following the signing instructions here.
  2. Remove any AES256 encryption on the private key file using openssl (openssl rsa -in /root/ca/intermediate/private/www.example.com.key.pem -out /root/ca/intermediate/private/devwiki.key).
  3. Copy the key from /root/ca/intermediate/private/devwiki.key and the .pem file from intermediate/certs/www.example.com.cert.pem into your vagrant directory on the host PC.
  4. Use vagrant ssh to enter the vagrant box
  5. Use the sudo mv command to move devwiki.key to /etc/ssl/certs/devwiki.key and www.example.com.cert.pem to /etc/ssl/certs/devwiki.pem
  6. Delete/remove lines 3-12 from puppet/modules/role/manifests/https.pp or create a custom role with those lines removed
  7. Enable the https/custom role you made and execute vagrant provision.

Expected outcome: When I connect to my box using the HTTPS port nginx serves me the HTTPS version of the site (if I import the root and intermediate to their relevant trust stores)
Actual outcome: I automatically get redirected to HTTP by nginx using a 301 redirect. I can manually replace http with https however that is an inconvenience.

I can confirm that I have tested this redirect error on Chrome Version 67.0.3396.99 and Firefox Version 61.0.1.

A screenshot of the network log from the Chrome browser is included below for your reference.

error.JPG (699×557 px, 61 KB)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits