Bug 20250 - freedesktop bug database uses certificate signed by CA not recognized by Mozilla
freedesktop bug database uses certificate signed by CA not recognized by Mozilla
Status: RESOLVED FIXED
Product: freedesktop.org
Classification: Unclassified
Component: Bugzilla
unspecified
All All
: medium major
Assigned To: Keith Packard
https://bugs.freedesktop.org/index.cg...
: NEEDINFO
: 30465 30863 31750 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-22 01:25 UTC by Jeff Walden (remove +bfo to email)
Modified: 2011-02-27 18:20 UTC (History)
14 users (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Walden (remove +bfo to email) 2009-02-22 01:25:04 UTC
If I want to use b.fd.o I have to click through a few strongly-worded warning screens to do so -- not cool.  (I've set up a temporary exception for now, definitely not adding a permanent exception given that I don't use this bugzilla all that much and would rather not grant carte blanche to a cert signed by a CA Mozilla doesn't trust yet.)

You should use a certificate signed by a CA that 80-90% of the browsing world will recognize, rather than one that Apple (via Safari), Microsoft (via IE7), and Mozilla (via Firefox), at a minimum, will not accept.  That's just desensitizing users to blindly accept a certificate that, in an inauspicious environment with active MITM happening, might not even be this site's certificate.
Comment 1 Benjamin Close 2009-04-13 03:24:34 UTC
It's a cost thing. fd.o is predominately a volunteer organisation. If your willing to pay for the certificate then we're happy to fulfill your request.
Comment 2 Reed Loden 2009-04-13 08:21:26 UTC
(In reply to comment #1)
> It's a cost thing. fd.o is predominately a volunteer organisation. If your
> willing to pay for the certificate then we're happy to fulfill your request.

There's actually several ways to get valid SSL certificates for free...

* GoDaddy gives open source projects *free* SSL certificates (https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp).

* StartSSL (https://www.startssl.com) has fully valid *free* SSL certificates that work in most browsers (not IE).

Both of the above options are better than the current usage of CAcert.org, which is not trusted by any major browser, so I'm reopening this bug.
Comment 3 Benjamin Close 2009-04-13 19:04:32 UTC
Wow, didn't know about the godaddy offer. The startssl.com doesn't appear to work with Chrome though. I'll certainly look into the godaddy offer though.

Thanks!
Comment 4 David Keeler 2009-07-01 13:45:51 UTC
Any progress on this?
Comment 5 Alan Coopersmith 2009-10-06 22:08:11 UTC
(In reply to comment #1)
> It's a cost thing. fd.o is predominately a volunteer organisation. If your
> willing to pay for the certificate then we're happy to fulfill your request.

The X.Org Foundation is willing to pay for it - we've been talking about it
with Keith Packard for the last week or so.
Comment 6 Benjamin Close 2009-10-06 22:14:55 UTC
Ok, so I'm happy to install the crt if someone buys it as I don't have details/access to buy one.
Comment 7 Benjamin Close 2010-01-24 19:50:02 UTC
Hi Folks has there been advances on the SSL certificate for bugzilla? 
Digicert seems to have some at reasonable rates:

http://www.digicert.com/welcome/ssl-plus.htm
Comment 8 Jean-François Fortin Tam 2010-04-06 06:09:42 UTC
Not only Firefox, but Chrome also tries everything to prevent you from accessing f.d.o. bugzilla, with HUGE WARNINGS COVERED IN BLOOD (complete with the red pirate head insigna). This needs to be fixed.

Godaddy gives em for free for you, and you've been talking about it for a week back in october. What's holding this back now?
Comment 9 manj_k 2010-10-11 13:43:56 UTC
CC
Comment 10 Benjamin Close 2010-11-09 16:31:17 UTC
*** Bug 30863 has been marked as a duplicate of this bug. ***
Comment 11 Benjamin Close 2010-11-09 16:38:41 UTC
I tried the godaddy route but despite repeated email, they kept requesting information how the fd.o uses an open source repository. They couldn't understand that fd.o is the open source repository. Simply put because we're not part of sf.net the didnt list us as an open source project. 

Hence buying the certificate makes the most sense. We just need one of the fd.o board members to ok and tell the sysadmins how we can go about purchasing the certificate.
Comment 12 Tollef Fog Heen 2010-11-18 23:06:14 UTC
*** Bug 31750 has been marked as a duplicate of this bug. ***
Comment 13 NoOp 2010-11-21 11:49:32 UTC
Even when the certs are installed:
http://www.cacert.org/index.php?id=3
per
http://wiki.cacert.org/BrowserClients
still had issues today.

Cleared & reinstalled the certs & lo & behold:
====
bugs.freedesktop.org uses an invalid security certificate.

The certificate expired on 11/19/2010 08:23 PM.

(Error code: sec_error_expired_certificate)
====
Not valid after:
11/19/2010 20:23:04
(11/20/2010 04:23:04 GMT)

Note: had to add a temporary exception to post to this bug report.
Comment 14 Benjamin Close 2010-11-21 17:01:03 UTC
  I've found when installing you certificates you need to kick apache 
with a restart, a graceful won't do it.

apache2ctl restart


On 22/11/10 06:19, bugzilla-daemon@freedesktop.org wrote:
> https://bugs.freedesktop.org/show_bug.cgi?id=20250
>
> NoOp<glgxg@sbcglobal.net>  changed:
>
>             What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                   CC|                            |glgxg@sbcglobal.net
>
> --- Comment #13 from NoOp<glgxg@sbcglobal.net>  2010-11-21 11:49:32 PST ---
> Even when the certs are installed:
> http://www.cacert.org/index.php?id=3
> per
> http://wiki.cacert.org/BrowserClients
> still had issues today.
>
> Cleared&  reinstalled the certs&  lo&  behold:
> ====
> bugs.freedesktop.org uses an invalid security certificate.
>
> The certificate expired on 11/19/2010 08:23 PM.
>
> (Error code: sec_error_expired_certificate)
> ====
> Not valid after:
> 11/19/2010 20:23:04
> (11/20/2010 04:23:04 GMT)
>
> Note: had to add a temporary exception to post to this bug report.
>
Comment 15 NoOp 2010-11-21 21:18:33 UTC
Say what? What has apache to do with the bugs.freedesktop.org cert expiring?
Not valid after:
11/19/2010 20:23:04
(11/20/2010 04:23:04 GMT)

You *did* look at the cert before making that comment... right?
Comment 16 Benjamin Close 2010-11-21 21:27:02 UTC
<sigh> My mistake, I took it you had reinstalled the certificate on the server not on the client.

I've upgraded the cacert certificate so it's at least not expired. The CA is still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a warning but the certificate won't be out of date.

I would be really nice to resolve this by the fd.o foundation letting us know how we could proceed with the purchase of a certificate.
Comment 17 Benjamin Close 2010-11-21 21:29:06 UTC
*** Bug 30465 has been marked as a duplicate of this bug. ***
Comment 18 NoOp 2010-11-22 11:28:34 UTC
On 11/21/2010 09:27 PM, bugzilla-daemon@freedesktop.org wrote:
...
> I've upgraded the cacert certificate so it's at least not expired. The CA is
> still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a
> warning but the certificate won't be out of date.
...
Thanks. Actually, using the instructions in
http://wiki.cacert.org/BrowserClients works for me (SeaMonkey 2.0.10
linux) as long as the cert is not out of date. I used the instructions
for Mozilla Firefox on that page.
Comment 19 Jim Gettys 2010-11-22 14:33:49 UTC
(In reply to comment #16)
> <sigh> My mistake, I took it you had reinstalled the certificate on the server
> not on the client.
> 
> I've upgraded the cacert certificate so it's at least not expired. The CA is
> still invalid as FF/IE don't recognise cacert as a CA. Hence you'll still get a
> warning but the certificate won't be out of date.
> 
> I would be really nice to resolve this by the fd.o foundation letting us know
> how we could proceed with the purchase of a certificate.

Note that there are some widely accepted CA's that will give open source projects certificates for free....  I forget which ones off hand, but google is your friend.
Comment 20 Reed Loden 2010-11-22 14:49:17 UTC
... or just get a free StartCom SSL certificate? :)

https://www.startssl.com/

Why don't you try that out? It's actually supported by a good number of
browsers (much better than CAcert).
Comment 21 Josh Triplett 2011-02-14 02:34:01 UTC
At this point, Startcom claims to have support from Chrome, Android, iPhone, and anything else I could think of offhand.  Alternatively, Thawte will give free certificates to FOSS projects; I've gone through that process and it proved fairly straightforward.
Comment 22 Benjamin Close 2011-02-22 17:42:18 UTC
Well the starcom method ended up with a failed registration and no way to be able to reissue the 'certificate' they need to authenticate.

Time to try Thawte
Comment 23 Benjamin Close 2011-02-22 19:17:46 UTC
As a follow up and to finally close this bug, Eddy Nigg from StartCom contacted me after noticing I had some issues with the account creation process. After a quick interplay of email we sorted things out and hence now Bug.fd.o is officially ssl enabled with the free key from StartCom.

Many thanks to Eddy for helping resolve the issue and to StartCom for the certificate!
Comment 24 NoOp 2011-02-25 12:22:41 UTC
I suppose I should file a new bug, but since this is related to the new StartCom cert:

Perhaps you can get Florian and/or Eddy to update all the certs to include libreoffice.org? Clicking on Installation etc., brings up:
====
www.libreoffice.org uses an invalid security certificate.

The certificate is only valid for the following names:
  *.documentfoundation.org , documentfoundation.org  

(Error code: ssl_error_bad_cert_domain)
====

And examining the cert shows that it is only valid for documentfoundation.org.
Comment 25 Benjamin Close 2011-02-27 16:34:07 UTC
Ok, I'm fairly certain we can a certificate for libreoffice.org but who does the hosting? 

Non-authoritative answer:
Name:	www.libreoffice.org
Address: 88.198.53.251

This doesn't appear to be a fd.o or x.org machine.
Comment 26 NoOp 2011-02-27 18:20:27 UTC
My apologies. I was having issues with https://www.libreoffice.org/download defaulting to the *.documentfoundation.org certificate rather than the StartCom *.libreoffice.org cert. Found out that the cert from StartCom is using sni & my browser client was set for ssl2 true. Reset to ssl2 false and it now works.