Closed
Bug 408889
Opened 17 years ago
Closed 17 years ago
figure out what the heck is wrong with the crash report submit URL on Vista
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: ted, Assigned: justin)
References
()
Details
We can't submit crash reports on Vista currently because the certificate revocation check fails. This was a problem earlier, and it was fixed by changing the reverse DNS for the crash-reports.mozilla.com host. It stopped working again ~Dec 7th, and it's definitely a server side problem, as builds before that date display the problem. You can test the behavior by visiting https://crash-reports.mozilla.com/submit/ in IE7 on Vista, or on XP by changing the pref "Check for server certificate revocation" (in Internet Options -> Advanced -> Security) and then visiting that URL. If the problem exists you will see a dialog that says "Revocation information for the security certificate for this site is not available. Do you want to proceed?" (at least on XP/IE6). Filing this separately and blocking bug 390568 so 390568 can stay blocking-1.9+.
Updated•17 years ago
|
Severity: normal → major
Comment 1•17 years ago
|
||
Can you get to https://addons.mozilla.org or https://www.mozilla.com/ ? I can't duplicate this with my XP VM.
Assignee | ||
Comment 2•17 years ago
|
||
I just tried this under vista with IE7 and it wfm - is there something special I need to do? It seems to just redirect to crash-stats.mozilla.com...
Reporter | ||
Comment 3•17 years ago
|
||
mrz: with the pref set, in XP/IE6, I get the same dialog at both of those URLs. Clicking "yes" once will get rid of the dialog until I restart. Justin: Now that I try it, it appears to work fine in IE7. I think Microsoft may have worked around this in IE7, so only IE6 or apps using WinINET display the problem.
Reporter | ||
Comment 4•17 years ago
|
||
I downloaded and compiled a WinINET sample from MSDN: http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/samples/internet/networking/asyncdemo/default.asp http://people.mozilla.com/~tmielczarek/AsyncDemo.exe It's sort of a crappy GUI, but you can put in two URLs and hit "download resources". If I put https://www.mozilla.org/ in the first URL box, and https://www.microsoft.com/ in the second, and hit download, the microsoft one gives me content, and the mozilla one gives an error. If you scroll down the "callbacks" list, you'll see that it lists error 12057. (The message looks something like: Closed: REQUEST_COMPLETE (8) Error (12057) encountered)
Comment 5•17 years ago
|
||
That's a non-helpful error. The only real difference I can see is that Mozilla's certificates are chained from XRamp. The GeoTrust certificate that's right now running in China isn't chained and works. If you add: 59.151.50.30 addons.mozilla.org to your hosts file and try that one, you'll get content back. It too is a wild card certificate. Either IE7 doesn't like XRamp's CRL or doesn't like XRamp's chain. I'm not sure how to tell which nor am I sure how to fix it other than getting a site specific certificate for crash-reports.mozilla.com. Anyone?
Comment 6•17 years ago
|
||
btw, if I use any of the XRamp certs, I get that error - none of the GeoTrust certs fail.
Comment 7•17 years ago
|
||
A possibly helpful tidbit: any HTTPS url ending with "mozilla.com." or "mozilla.org." (notice the trailing dot, that's the closing period of a Fully-Qualified Domain Name) fails in both browsers. The error in that case seems to be that the URLs "*.mozilla.org." and "*.mozilla.com." are missing from the certificates (only the dotless variants are there). Maybe the revocation information of the Mozilla domains is (accidentally or intentionally) at a domain that has the FQDN closing dot. (A quick test is visiting the url https://bugzilla.mozilla.org./show_bug.cgi?id=408889 in any browser that supports SSL/TLS. It is supposed to show this bug, but instead it will throw an error about an invalid certificate.)
Assignee | ||
Comment 8•17 years ago
|
||
I have never seen a url or hostname with a trailing period after the host name. Should these even work?
Comment 9•17 years ago
|
||
Yes, they should work. In nearly all cases, it's safe to omit the trailing period. However, there are cases when omission might cause ambiguity. Consider "www.msn.com", for example. The actual domain name in that case is something along the lines of "msn.com.ms.akadns.net.", which has "msn.com" set as a shorthand. Microsoft's DNS servers make sure that "www.msn.com" ends up the same as just "msn.com". However, there is also a separate domain name, "msn.com.", which is an FQDN, and not a shorthand. It redirects to "www.msn.com", but itself has a "www" subdomain (full form: "www.msn.com."), which points to a server once used for testing new MSN services. (The trailing dot ensures that the domain doesn't get expanded to "www.msn.com.ms.akadns.net.".) When looking up "www.msn.com", an incomplete domain name, Microsoft's DNS servers are configured to redirect to msn.com.ms.akadns.net. (or something like that), but typing "www.msn.com.", a complete, fully-qualified domain name, will trigger no completion. Another example is the domain "http://museum.", which is the canonical form of www.museum. Because the "www" subdomain doesn't have its own DNS record assigned, it gets the record of the TLD, that is, "museum.". Also, try typing "com." or "net." into Firefox or any other browser. It should bring up "www.com" or "www.net". (Similarly, the easiest way to access the Dot TK site is "tk.", which is the canonical form of "www.tk", a redirect to "dot.tk".) Note however, that "org." doesn't work, because W3C actually has the "www" subdomain of the "org" TLD registered, as opposed to the TLD itself. So, the "www" version is not a fallback address. (Note however, that many programs got screwed up when they get such an address. This is due to an incorrect implementation of the DNS specification.)
Comment 10•17 years ago
|
||
(In reply to comment #7) > A possibly helpful tidbit: any HTTPS url ending with "mozilla.com." or > "mozilla.org." (notice the trailing dot, that's the closing period of a > Fully-Qualified Domain Name) fails in both browsers. Do you have an example of a URL ending in either that does work? In my testing yesterday it was only the xramp wildcard cert sites - the geotrust ones work just fine (www.mozilla.org is geotrust, www.mozilla.com is xramp).
Comment 11•17 years ago
|
||
Talked to Ted - this is part of the crash reporting tool in Fx build off of WinINET. It isn't really clear where the error and I can't find a way to view XRamp's CRL. This error: "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Isn't helpful since as best as I can tell, the CRL that the cert mentions is available. Error 12057 is even less meaningful. I want to do a little more debugging but I suspect a single host cert might just be easiest.
Assignee: server-ops → mrz
Reporter | ||
Comment 12•17 years ago
|
||
Just FYI, error 12057 is ERROR_INTERNET_SEC_CERT_REV_FAILED--"Security certificate revocation failed".
Comment 13•17 years ago
|
||
Does the CRL contain both crash-reports.mozilla.com AND dyna-crashreports.nslb.sj.mozilla.com (ad possibly the IP 63.245.209.57)? Maybe IE has a weird habit to check CRLs against canonical URLs. (Maybe the FQDN versions are also needed, that is, "crash-reports.mozilla.com." and "dyna-crashreports.nslb.sj.mozilla.com.")
Comment 14•17 years ago
|
||
It should contain neither - the cert is issues for *.mozilla.org and CRLs list certificate serial numbers that should be considered revoked. But I have no idea how to view the contents of the CRL - if you do, you're welcome to look at it and let me know. The CRL URI is in the cert details.
Comment 15•17 years ago
|
||
mail.mozilla.com uses a host specific Xramp chained SSL certificate and fails with 12057. mail.mozilla.com resolves to 10.2.72.15 and 10.2.72.15 resolves to mail.mozilla.com. build.mozilla.org uses a host specific GeoTrust non-chained SSL certificate and works (fails on web auth but otherwise works). Internally for me build.mozilla.org is an A RR to 10.2.74.128 which is really dm-wwwbuild.mozilla.org so in this case, DNS is not at issue.
Comment 16•17 years ago
|
||
Attaching CSR - -----BEGIN CERTIFICATE REQUEST----- MIICNjCCAZ8CAQAwgcMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRwwGgYDVQQKExNNb3ppbGxhIENvcnBv cmF0aW9uMR4wHAYDVQQLExVNb3ppbGxhIENyYXNoIFJlcG9ydHMxIjAgBgNVBAMT GWNyYXNoLXJlcG9ydHMubW96aWxsYS5jb20xJTAjBgkqhkiG9w0BCQEWFmhvc3Rt YXN0ZXJAbW96aWxsYS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrr jxQWtgh6xJkFb6DebjldmLr0IU3SUymHaMcos6ISJ4w8IkkGGJS+59sMpLGR6bMZ mioH4dpSZqwQqCYPpMQxi8XjdkeIzxP8Q2+01lYYK/fTVqp2jh3TWwOk1gbiNBzY YYxxkhXOR5yjj6pfSHdWBJZZJRajYo/xddzmq5p9AgMBAAGgMjAwBgkqhkiG9w0B CQ4xIzAhMBEGCWCGSAGG+EIBAQQEAwIGQDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3 DQEBBAUAA4GBAJkSxFxy1EjWNnDlmmoD7rktEq7hy6IDmpKsWcVonWJgm2NneFi+ 8X59DjzBQaufH8HssuJIW8r3lRuG3ITPz4h/jQwwC0Okas1499vGhhqgM6upvj9V GuzhF0uDZsilDcXFJ/ZasjGvszGo6HLwxPN5fdv69CkYqMx2yJODi0Q1 -----END CERTIFICATE REQUEST-----
Assignee: mrz → justin
Comment 17•17 years ago
|
||
here's what I get when I load https://bugzilla.mozilla.org. in Firefox: Secure Connection Failed bugzilla.mozilla.org. uses an invalid security certificate. The certificate is only valid for *.mozilla.org. (Error code: ssl_error_bad_cert_domain) * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server. * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.
Comment 18•17 years ago
|
||
That's due to an error in the certificate, which is missing the url "*.mozilla.org.". The message looks quite confusing, because a period is visible after "org". However. that period is in fact a full-stop at the end of a sentence, that is, if the included URL was really "*.mozilla.org.", then the page would show "*.mozilla.org..". (I was also quite puzzled when I saw that the certificate is not for mozilla.org., but instead, it's for mozilla.org. The period is just plain confusing there.)
Reporter | ||
Comment 19•17 years ago
|
||
I don't think that has anything to do with the problem at hand, but feel free to demonstrate otherwise. If you can't though, please don't clutter up this bug with irrelevant information.
Comment 20•17 years ago
|
||
Comment #17 and #18 make sense - the Common Name for the certificate is "*.mozilla.org" without any trailing period. You'll see the same certificate warnings if you goto https://mail.google.com./ These errors, however, only appear for me in Fx3/Minefield - I don't see these errors in Safari. In any event, these aren't related to this bug - maybe a new bug ?
Reporter | ||
Comment 21•17 years ago
|
||
mrz: any update on this? I think we should just do whatever we have to do (new cert or whatever) to make this work, even if we're working around some broken behavior in Windows.
Comment 22•17 years ago
|
||
Ted - sorry for the delay - I had attached a CSR before the holidays. I'll make sure that gets put through this week.
Assignee | ||
Comment 23•17 years ago
|
||
cert is on order.
Comment 24•17 years ago
|
||
Do we have an ETA on the cert?
Assignee | ||
Comment 25•17 years ago
|
||
I've been after geotrust daily for a status, but it seems out sales person has left. I'll do what I can to push this along...
Reporter | ||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 26•17 years ago
|
||
verified fixed , i can send now crashreports via vista without problems. Thanks justin and ted.
Status: RESOLVED → VERIFIED
Updated•9 years ago
|
Product: mozilla.org → mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•