
en.wikipedia.beta.wmflabs.org not accessible in Firefox, due to something with OCSP
Closed, ResolvedPublic

Description

When I try to load https://en.wikipedia.beta.wmflabs.org/ (or actually any other *.beta.wmflabs.org/*) in Firefox, I get an error message, complaining about outdated information in the OCSP response (the exact message is in German: "Beim Verbinden mit en.wikipedia.beta.wmflabs.org trat ein Fehler auf. Die OCSP-Antwort enthält veraltete Informationen.") The error code is SEC_ERROR_OCSP_OLD_RESPONSE. In Chromium the page loads without any problem.

Event Timeline

I can't reproduce this in Firefox 72.0.2 on Windows 10. Though, we're facing an issue in the Wikimedia Commons Android app in which we're unable to connect to the Commons beta cluster. It might be due to the OCSP stapling issue. Link to the issue.

Analysing the SSL certificate of Commons beta cluster using SSL Server test clearly shows an issue with OCSP stapling:


References:

alex@alex-laptop:~$ ssh deployment-cache-text05
Linux deployment-cache-text05 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
Debian GNU/Linux 9.5 (stretch)
deployment-cache-text05 is a text Varnish/ATS cache server (cache::text)
The last Puppet run was at Mon Jan  6 14:20:09 UTC 2020 (36202 minutes ago).

T243226?

I can't reproduce this in Firefox 72.0.2 on Windows 10

I have to take that back. I'm starting to get the error mentioned in the description. I'm not sure what changed in the meantime, but I now observe the behaviour as described in the task description.


I'll handle this in the next few days if no one else does. A short term fix might just be copying OCSP stapling files from an acme-chief instance to the cache instances manually instead of waiting for puppet to be repaired.

Worked around by deploying the new cert from acme-chief manually on -cache-text05 for now. upload may still be broken.

I can confirm that the beta site is now accessible again, and that images from upload.beta are still missing.

Yeah, I can confirm that the beta site is now accessible again on my desktop. The issue faced in the commons app also seems to be gone now. Thanks for the quick fix! :-)

IIUC, this is just a temporary fix and repairing puppet is the long term solution, right?

Just wondering, how long would the temporary solution work? I think that's the same as the answer to the question: How long is the stapled response valid?

According to SSL server test it already expired (at Feb 05 09:00:00 UTC 2020), but it seems like Firefox does its own caching and will accept the OCSP response for a while even after it is expired. Given that it first expired on Jan 09, and issues started only 20+ days later, we probably can hope that the temporary solution works more or less till the end of February.
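The "how long is the stapled response valid" question above can be answered from the server itself rather than from an external scanner. The following POSIX shell check is an added example (not from this task and not Wikimedia's or acme-chief's code): it reads the staple that `openssl s_client -status` prints and reports whether its Next Update has already passed. The sample staple text is constructed, with dates taken from this thread, and the host name and the `openssl` binary are assumptions.

```shell
#!/bin/sh
# Added check (not from the task): does a server's stapled OCSP response still
# carry a future "Next Update"? Usage: sh check_staple.sh en.wikipedia.beta.wmflabs.org
# Assumes OpenSSL's s_client, whose -status option prints the staple.

# Constructed sample in the shape openssl prints; the dates echo the thread.
SAMPLE_STAPLE='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb  3 09:00:00 2020 GMT
    Next Update: Feb  5 09:00:00 2020 GMT'

# Turn an OpenSSL timestamp ("Feb  5 09:00:00 2020 GMT") into YYYYMMDDHHMMSS so
# two timestamps compare as plain integers (no dependency on GNU "date -d").
openssl_time_to_key() {
    set -- $1                      # $1=Mon $2=Day $3=HH:MM:SS $4=Year $5=GMT
    case $1 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s%s%02d%s\n' "$4" "$m" "$2" "$(printf '%s' "$3" | tr -d :)"
}

# Read "openssl s_client -status" output on stdin and print one word:
#   no-staple - server sent nothing ("OCSP response: no response sent")
#   expired   - Next Update is in the past (Firefox: SEC_ERROR_OCSP_OLD_RESPONSE)
#   valid     - Next Update is still ahead
# Optional $1 overrides "now" (YYYYMMDDHHMMSS, UTC) so the check is testable offline.
staple_status() {
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    out=$(cat)
    case $out in
        *"OCSP Response Status: successful"*) ;;
        *) echo no-staple; return 0;;
    esac
    next=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    key=$(openssl_time_to_key "$next") || { echo no-staple; return 0; }
    if [ "$key" -lt "$now" ]; then echo expired; else echo valid; fi
}

# Live check when a host is given; nothing runs when the file is only sourced.
if [ -n "${1:-}" ]; then
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | staple_status
fi
```

A result of "expired" on the cache hosts is the condition this task describes, independent of whether a given client (Firefox, the Commons app) still tolerates the stale staple from its own cache.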

According to SSL server test it already expired (at Feb 05 09:00:00 UTC 2020), ...

Oh! That's bad and shows that waiting for puppet to get fixed is the best solution.

... but it seems like Firefox does its own caching and will accept the OCSP response for a while even after it is expired. Given that it first expired on Jan 09, and issues started only 20+ days later, we probably can hope that the temporary solution works more or less till the end of February.

I'm not sure about Firefox, but the behaviour is different for the Commons beta app. The error has popped up again already 😦

Should be solved now; if it breaks again (within the next few weeks only, of course) you can reopen.

@Krenair As of now, I can confirm that this is fixed in both Firefox on Windows and the commons beta app. Thanks a lot for fixing this! 🙂

Also, SSL server test seems to be a lot happier (A) than before (B). Though I notice that it shows "No" near OCSP stapling now. Is this intentional?
