Page MenuHomePhabricator

enable SSL/https support again
Closed, ResolvedPublic


Please enable ssl/https support for the beta wikis again. It is missing after migration to eqiad.

Btw: The old cert issued by Labs CA for all beta subdomains was not considered "valid" because among others things it was only for issued for * (counts only for direct subdomain) but thats ok.
see bug 48501 for task to get real beta certs but only for limited subdomains.

Version: unspecified
Severity: normal
See Also:



Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:14 AM
bzimport set Reference to bz63538.
Se4598 created this task.Apr 4 2014, 6:09 PM

Change 124057 had a related patch set uploaded by Hashar:
beta: adjust protoproxy for eqiad

Patch is there, will get it fixed this afternoon hopefully :-]

While applying the puppet class on deployment-cache-bits01, nginx ends up bailing out with:

root@deployment-cache-bits01:~# /etc/init.d/nginx start
Starting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/") failed

(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

nginx: configuration file /etc/nginx/nginx.conf test failed

Change 124057 merged by Dzahn:
beta: adjust protoproxy for eqiad

The puppet class role::protoproxy::ssl::beta is applied on all varnish instances. Nginx refuses to starts because the /etc/ssl/private/ key mismatch (see comment #3). That would be solved whenever we get certificates on beta which is the rather long bug 48501.

REOPEN: bug 48501 is about getting real, valid certs. This about accessing beta with https (regardless if the cert is valid for the browser and a warning message pops up).

I don't know nginx to say why he doesn't like the cert, but how about generating new, self-signed or by Labs CA for beta domains? Thats how it was and worked in pmtpa, so what's the problem here?

(In reply to se4598 from comment #6)
appendix: even if the mentioned bug now covers that too, leave this bug open until it's somehow working, because of the dependencies/blocked bug of this etc.

SSL is enabled again but is not going to work until someone sort out the SSL certificate issue tracked by bug 48501. There is no need to have two bugs to track the issue :-D