Wikidata.org is using the SSL certificate for *.wikimedia.org
Closed, ResolvedPublic

Description

Wikidata.org is using the SSL certificate for *.wikimedia.org

Reedy says this is RT #3803, creating bug here so no one else does.


Version: unspecified
Severity: normal

Details

Reference
bz41437

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 12:47 AM
bzimport added projects: HTTPS, acl*sre-team.
bzimport set Reference to bz41437.
bzimport added a subscriber: Unknown Object (MLST).

Doesn't seem to have fixed it... Or just hasn't been deployed.

(In reply to comment #2)

Doesn't seem to have fixed it... Or just hasn't been deployed.

It was a guess as it looked spurious. Daniel did confirm it was supposed to be deployed by puppet, and then restarted the SSL proxies/terminators.

Knocking down to normal/normal as it's not a high priority as it's currently a test site.

(In reply to comment #3)

Knocking down to normal/normal as it's not a high priority as it's currently a test site

It is a test site, but due to SUL and the image after login and logout you will get an error in the browser (at least IE), which can make WMF wikis (except Wikidata) feel untrusted by other users. So this should be fixed asap.

*** Bug 41486 has been marked as a duplicate of this bug. ***

I've disabled auto-login to .wikidata.org until we fix SSL.

<Krenair> Ah so wikidata SSL is working now
<^demon> Krenair: For wikidata.org & www.wikidata.org. Lang subdomains need a little further tweaking.
<^demon> Krenair: Apache config is correct. It needs further DNS work.

And Wikidata SUL autologin has been re-enabled with Gerrit change 30623.

The certificate chain seems to be erroneously configured, a wrong CA "Wikimedia CA" is being appended to the chain instead of the issuer "DigiCert High Assurance CA-3":

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA

Therefore:

$ curl -v https://www.wikidata.org
* About to connect() to www.wikidata.org port 443 (#0)
*   Trying 2620:0:861:ed1a::12...
* connected
[...cut...]
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0

I see this bug is now tagged with the "shell" keyword. I wonder if it should actually be tagged with the "ops" keyword instead.

RT #3803 resolved, https://gerrit.wikimedia.org/r/#/c/30307/ merged.
Closing too, thanks for the ping.

(In reply to comment #12)

RT #3803 resolved, https://gerrit.wikimedia.org/r/#/c/30307/ merged.
Closing too, thanks for the ping.

IMHO the diff doesn't look like a fix :(

If my understanding is correct, currently the certificate chain would let OpenSSL fail to verify the server certificate:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wikidata.org:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA

^^^

This is wrong.

It should be the issuer for cert 0, not a random CA that has nothing to do with the previous cert.

Server certificate
-----BEGIN CERTIFICATE-----
[...cut...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3

No client certificate CA names sent

SSL handshake has read 3159 bytes and written 542 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
[...cut...]
    Verify return code: 21 (unable to verify the first certificate)

QUIT
DONE
$

Reopening again.
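A small checker, added here as an example and not part of this ticket or of Wikimedia's own tooling, that parses the "Certificate chain" listing printed by openssl s_client and flags any certificate whose issuer is not the subject of the next one sent; the two sample inputs are constructed from the broken and the fixed chains shown in this ticket.

```python
"""Link check for an s_client "Certificate chain" listing: each certificate's
issuer (i:) must equal the subject (s:) of the next certificate the server sends."""
import re

# Constructed sample: the chain www.wikidata.org served in this ticket, with a
# self-signed "Wikimedia CA" sent as cert 1 instead of the issuer of cert 0.
BROKEN_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
"""

# Constructed sample: the chain shown after the fix, where cert 1 is the intermediate that issued cert 0.
FIXED_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:/C=US/..."


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def chain_problems(text):
    """Describe every broken link; an empty list means the chain is linked."""
    certs = parse_chain(text)
    problems = []
    for n in range(len(certs) - 1):
        issuer, next_subject = certs[n][1], certs[n + 1][0]
        if issuer != next_subject:
            what = "self-signed" if next_subject == certs[n + 1][1] else "unrelated"
            problems.append(f"cert {n + 1} ({what}) does not match issuer of cert {n}: {issuer}")
    return problems
```

This only checks that the names link up; it does not verify signatures or trust in the top certificate, which is what the -CAfile check in s_client adds.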

dzahn: Could you take a look at comment 13, please (as you reviewed the initial patch in comment 12)?

openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wikidata.org:443

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

    Verify return code: 0 (ok)

Verified in Wikidata demo time