Fix access to https://wikimedia.it (URL without www) caused by expired certificate in server fabula
Closed, Resolved (Public)

Assigned To
Authored By
valerio.bozzolan
Feb 8 2021, 12:29 PM

Description

Our dear user @YacineBoussoufa reported that you cannot access the non-www version of the Wikimedia Italia website:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for wikimedia.it expired on 10/17/2020.
https://wikimedia.it/

This should be fixed because some people access the website by manually typing the URL without www and should not see a very big and scary warning about the kidnapping of your browser, etc.

NOTE: Actually the DNS record wikimedia.it points to the server wmi-fabula, while www.wikimedia.it points to our provider. So this is our fault.

Event Timeline

I've just deployed a new small configuration for Apache HTTPd on server fabula, and in a few seconds the related configuration in rWIIN wikimedia-it-wmit-infrastructure will be connected here.

The new configuration relies on the fact that the http://wikimedia.it/.well-known path is not redirected and is instead served from /var/www/html/.well-known, so Let's Encrypt can push temporary files even if we redirect the user to another server.

So the SSL certificate was simply deployed with Let's Encrypt as follows:

$ certbot certonly --webroot --webroot-path=/var/www/html -d wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wikimedia.it/privkey.pem
   Your cert will expire on 2021-05-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
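
A sketch of the kind of Apache configuration the comment above describes, added here as an example; it is not the configuration deployed on fabula (that one lives in rWIIN). Assumptions: mod_rewrite and mod_ssl are enabled, and the redirect target is https://www.wikimedia.it.

```apache
# Added example (assumed layout, not the project's own file).

<VirtualHost *:80>
    ServerName wikimedia.it
    DocumentRoot /var/www/html

    # Weak variant, kept commented out for comparison: a blanket redirect
    # also redirects /.well-known/acme-challenge/..., so the HTTP-01
    # validation request follows it to the other server, where the file
    # written by "certbot --webroot" does not exist, and issuance fails.
    #Redirect permanent / https://www.wikimedia.it/

    # Corrected variant: redirect everything EXCEPT /.well-known/,
    # which is served locally from the webroot passed to certbot.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule ^ https://www.wikimedia.it%{REQUEST_URI} [R=301,L]

    <Directory /var/www/html/.well-known>
        Require all granted
        Options -Indexes
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName wikimedia.it

    # Certificate paths as printed by certbot in the output above.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/wikimedia.it/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/wikimedia.it/privkey.pem

    # HTTP-01 validation starts on port 80, so the HTTPS side can
    # redirect every path once the TLS handshake has succeeded.
    Redirect permanent / https://www.wikimedia.it/
</VirtualHost>
```

Because the certificate is obtained with `certonly`, Apache keeps serving the old file until it is reloaded; a scheduled `certbot renew` with a `--deploy-hook` that reloads Apache keeps the 2021-05-09 expiry from repeating the original problem.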