Last modified: 2013-09-04 15:06:00 UTC
Wikidata.org is using the SSL certificate for *.wikimedia.org. Reedy says this is RT #3803; creating a bug here so no one else does.
https://gerrit.wikimedia.org/r/#/c/30307/
Doesn't seem to have fixed it... Or just hasn't been deployed.
(In reply to comment #2)
> Doesn't seem to have fixed it... Or just hasn't been deployed.

It was a guess as it looked spurious. Daniel did confirm it was supposed to be deployed by puppet, and then restarted the SSL proxies/terminators.

Knocking down to normal/normal as it's not a high priority as it's currently a test site.
(In reply to comment #3)
> Knocking down to normal/normal as it's not a high priority as it's currently a
> test site

It is a test site, but due to SUL and the image after login and logout you will get an error in the browser (at least IE), which can make WMF wikis (except Wikidata) feel untrusted by other users. So this should be fixed ASAP.
*** Bug 41486 has been marked as a duplicate of this bug. ***
I've disabled auto-login to .wikidata.org until we fix SSL.
<Krenair> Ah so wikidata SSL is working now
<^demon> Krenair: For wikidata.org & www.wikidata.org. Lang subdomains need a little further tweaking.
<^demon> Krenair: Apache config is correct. It needs further DNS work.

And Wikidata SUL autologin has been re-enabled with Gerrit change #30623.
* https://wikidata.org
* https://www.wikidata.org
* https://example.wikidata.org
* https://fr.wikidata.org
The certificate chain seems to be erroneously configured: a wrong CA, "Wikimedia CA", is being appended to the chain instead of the issuer "DigiCert High Assurance CA-3":

---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
---

Therefore:

$ curl -v https://www.wikidata.org
* About to connect() to www.wikidata.org port 443 (#0)
*   Trying 2620:0:861:ed1a::12...
* connected
[...cut...]
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0
I see this bug is now tagged with the "shell" keyword. I wonder if it should actually be tagged with the "ops" keyword instead.
Is this still open?
RT #3803 resolved, https://gerrit.wikimedia.org/r/#/c/30307/ merged. Closing too, thanks for the ping.
(In reply to comment #12)
> RT #3803 resolved, https://gerrit.wikimedia.org/r/#/c/30307/ merged.
> Closing too, thanks for the ping.

IMHO the diff doesn't look like a fix :(

If my understanding is correct, currently the certificate chain would let OpenSSL fail to verify the server certificate:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wikidata.org:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA

^^^ This is wrong. It should be the issuer for cert 0, not a random CA that has nothing to do with the previous cert.

---
Server certificate
-----BEGIN CERTIFICATE-----
[...cut...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 3159 bytes and written 542 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
[...cut...]
    Verify return code: 21 (unable to verify the first certificate)
---
QUIT
DONE
$

Reopening again.
dzahn: Could you take a look at comment 13, please (as you reviewed the initial patch in comment 12)?
openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wikidata.org:443

Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

    Verify return code: 0 (ok)
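The two faults discussed in this bug (a served intermediate that is not the leaf's issuer, as in comments 11 and 13, and a leaf certificate whose name does not cover the host, which is what opened the bug) can both be caught from the "Certificate chain" section of `openssl s_client` output before a browser ever complains. The following is an added example written for this page, not code from Wikimedia or this bug's patches. It parses the subject/issuer pairs printed by `openssl s_client`, checks that each certificate's issuer is the subject of the certificate sent after it, and applies the single-label wildcard rule to the leaf CN. The sample chains are copied from the output quoted in comments 13 and 16; `BROKEN_CHAIN`, `FIXED_CHAIN` and all function names are this example's own. One caveat: the `s:` line shows only the subject DN, not the subjectAltName entries, so a CN mismatch reported here means "check the SANs", not "the certificate is wrong".

```python
"""Sanity-check an 'openssl s_client' certificate chain dump for two faults:
a broken issuer link between chain entries, and a leaf CN that does not cover the host."""
import re

# Sample inputs copied from the s_client output quoted in comments 13 and 16 of this bug,
# trimmed to the 'Certificate chain' section. Constructed test data for this example only.
BROKEN_CHAIN = """\
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
---
"""

FIXED_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.+)$")   # " 0 s:/C=US/..."
ISSUER_RE = re.compile(r"^\s*i:(.+)$")            # "   i:/C=US/..."


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    pending_subject = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def chain_problems(chain):
    """Each certificate's issuer must be the subject of the certificate that follows it.
    The last certificate is either self-signed (a root) or issued by a CA the client
    already trusts; that final link is left to the client's trust store."""
    problems = []
    for depth in range(len(chain) - 1):
        _, issuer = chain[depth]
        next_subject, _ = chain[depth + 1]
        if issuer != next_subject:
            problems.append(
                f"cert {depth} is issued by '{issuer}' but cert {depth + 1} "
                f"is '{next_subject}': the server sent the wrong intermediate"
            )
    return problems


def leaf_cn(chain):
    """CN of the depth-0 (server) certificate, or None if it has no CN."""
    m = re.search(r"/CN=([^/]+)", chain[0][0])
    return m.group(1).strip() if m else None


def cn_matches(cn, hostname):
    """Wildcard rule in the RFC 6125 style: '*' covers exactly one leftmost label,
    so '*.wikidata.org' matches 'www.wikidata.org' but neither 'wikidata.org'
    nor 'a.b.wikidata.org'. Comparison is case-insensitive."""
    cn, hostname = cn.lower(), hostname.lower()
    if not cn.startswith("*."):
        return cn == hostname
    cn_labels, host_labels = cn.split("."), hostname.split(".")
    return len(host_labels) == len(cn_labels) and host_labels[1:] == cn_labels[1:]


def check_server_output(text, hostname):
    """Combine both checks; returns a list of human-readable findings (empty = looks fine)."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain found in output"]
    findings = chain_problems(chain)
    cn = leaf_cn(chain)
    if cn is None or not cn_matches(cn, hostname):
        findings.append(f"leaf CN '{cn}' does not cover '{hostname}' (check subjectAltName too)")
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        print(f"== {label} chain ==")
        for finding in check_server_output(sample, "www.wikidata.org") or ["ok"]:
            print(" ", finding)
```

Run against the broken sample it reports the "Wikimedia CA" intermediate as not linking to the leaf, which is the same fault `curl` surfaced as "unable to get local issuer certificate". The fixed sample passes the link check; whether the leaf name covers the host is then a question for the SAN list, which this text-only parser cannot see.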
Verified in Wikidata demo time