After enabling the HTTPS role the server strangely redirects any and all requests to the HTTPS port from https to http and displays a 400 error.
Steps to reproduce (after setting up a clean vagrant box per the instructions [[ https://www.mediawiki.org/wiki/MediaWiki-Vagrant | here]] with no roles enabled):
1. Follow the guide [[ https://jamielinux.com/docs/openssl-certificate-authority/ | here]] by generating a root and intermediate certificate.
2. Create a CSR using these [[https://geekflare.com/san-ssl-certificate/ | instructions]].
3. In the configuration file for the intermediate folder place the code below under server_cert but before crl_ext:
```
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.wiki.local.wmftest.net
DNS.2 = wiki.local.wmftest.net
```
where local.wmftest.net is the value of
```
mwv::tld
role::mediawiki::hostname
mediawiki::multiwiki::base_domain
```
in vagrant hiera configuration (puppet/hieradata/common.yaml).
4. Sign the client CSR by following the signing instructions [[ https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html | here]].
5. Remove any AES256 encryption on the private key file using openssl (openssl rsa -in /root/ca/intermediate/private/www.example.com.key.pem -out /root/ca/intermediate/private/devwiki.key).
6. Copy the key from /root/ca/intermediate/private/devwiki.key and the .pem file from intermediate/certs/www.example.com.cert.pem into your vagrant directory on the host PC.
7. Use vagrant ssh to enter the vagrant box.
8. Use the sudo mv command to move devwiki.key to /etc/ssl/certs/devwiki.key and www.example.com.cert.pem to /etc/ssl/certs/devwiki.pem.
9. Delete/remove lines 3-12 from puppet/modules/role/manifests/https.pp or create a custom role with those lines removed
10. Enable the https/custom role you made and execute vagrant provision.
Expected outcome: When I connect to my box using the HTTPS port nginx serves me the HTTPS version of the site (if I import the root and intermediate to their relevant trust stores)
Actual outcome: I automatically get redirected to HTTP by nginx using a 301 redirect. I can manually replace http with https however that is an inconvenience.
I can confirm that I have tested this redirect error on Chrome Version 67.0.3396.99 and Firefox Version 61.0.1.
A screenshot of the network log from the Chrome browser is included below for your reference.
{F23788257}
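A check for the key and certificate that steps 3-8 produce, added here as an example and not part of the original report: it confirms the key is unencrypted, that it matches the certificate, and that each expected name is listed in subjectAltName. The throwaway CA, the scratch files and the function names are constructed for the example; only the `[alt_names]` values come from the report.

```shell
#!/bin/sh
# Added example. The CA, key and certificate are constructed throwaway files,
# not the reporter's; only the [alt_names] values come from the report.

make_test_cert() {  # $1 = scratch directory
  cat > "$1/ext.cnf" <<'EOF'
[server_cert]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.wiki.local.wmftest.net
DNS.2 = wiki.local.wmftest.net
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wiki.local.wmftest.net" \
    -keyout "$1/devwiki.key" -out "$1/devwiki.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/devwiki.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -extensions server_cert \
    -out "$1/devwiki.pem" 2>/dev/null
}

has_san() {  # $1 = certificate, $2 = DNS entry expected verbatim in subjectAltName
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}

key_is_unencrypted() {  # $1 = PEM private key (step 5 strips the passphrase)
  ! grep -q 'ENCRYPTED' "$1"
}

key_matches_cert() {  # $1 = private key, $2 = certificate; compares public keys
  k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

check_pair() {  # $1 = key, $2 = cert, remaining args = expected DNS entries
  key=$1 cert=$2; shift 2
  key_is_unencrypted "$key" && key_matches_cert "$key" "$cert" || return 1
  for name in "$@"; do has_san "$cert" "$name" || return 1; done
}

# Demo on the constructed pair.
d=$(mktemp -d) && make_test_cert "$d" &&
  check_pair "$d/devwiki.key" "$d/devwiki.pem" wiki.local.wmftest.net '*.wiki.local.wmftest.net' &&
  echo "key/cert pair OK"
```

Inside the vagrant box the same check would be `check_pair /etc/ssl/certs/devwiki.key /etc/ssl/certs/devwiki.pem` followed by the names from `[alt_names]`.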