Bug 1158244: mozilla-community.org wildcard cert
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Infrastructure & Operations :: SSL Certificates (task)
Tracking: Not tracked
Resolution: RESOLVED FIXED
People: Reporter: tom, Assigned: Atoll
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1054]
Would be great to get a wildcard cert for mozilla-community.org.
We're running a few things now: discourse, soon wordpress, jira, confluence, and more infra to come.
A wildcard is probably cheaper than keeping on ordering SSL certs. We already have stuff without certs that should have certs.
Comment 1 • 10 years ago
sec-review for an ok from opsec (since it's a wildcard cert)
needinfo from Pierros for approval
Flags: sec-review?(jvehent)
Flags: needinfo?(pierros)
(In reply to Tom Farrow [:Tad] <away for 2wk - use needinfo> from comment #0)
> Would be great to get a wildcard cert for mozilla-community.org
>
> We're running a few things now, discourse, soon wordpress, jira, confluence,
> and more infra to come
>
> A wildcard is probably cheaper than keeping ordering SSL certs. We already
> have stuff without certs that should have certs
If we did a SAN cert for {one,two,three,...}.m-c.o, it would take somewhere around .. 15? 20? sites to approximately match the cost of a wildcard certificate.
Comment 3 • 10 years ago
I'm assuming that mozilla-community.org doesn't run anything sensitive, does not collect user data and does not impact the security of other critical services on mozilla.{org,com}. If that's true, then I don't have an issue with a wildcard cert.
However, if the intent is to share that certificate across multiple hosting providers (as opposed to just using it on the ZLBs), then I'd strongly recommend using multiple SAN certs and not sharing the private key.
Flags: sec-review?(jvehent) → sec-review+
Comment 4 • 10 years ago
There's l10n.mozilla-community.org and I'm not sure what else is under the domain.
Tom, can you get a list of domains under mozilla-community.org please?
You can do this via awscli using the following commands:
aws route53 list-hosted-zones (and find the Id)
aws route53 list-resource-record-sets --hosted-zone-id (Id you pulled from the previous command)
l10n.mozilla-community.org
discourse.mozilla-community.org
jira.mozilla-community.org
confluence.mozilla-community.org
health.mozilla-community.org
ops.mozilla-community.org
we're constantly adding more stuff ;)
I'm fine with shipping either a single SAN cert or a wildcard cert for use in a *single* Amazon AWS account - on as many ELBs or EC2 instances as you wish, but only within that single account.
Otherwise, if these services are being spread across multiple accounts, then we should issue one SAN cert per account and no wildcard.
Will all of these services be fully public? Will any of them collect any data other than username/email for authentication purposes?
If you're okay depending on us to add new domains to the cert (15 minutes or less of work per domain), I'd really prefer to ship a SAN cert here rather than a wildcard. But you can say "make it wildcard" and we'll do that instead.
(Also, if the SAN cert becomes unwieldy or insufficient, we can upgrade to a wildcard cert without losing the money spent on the SAN cert.)
Flags: needinfo?(pierros) → needinfo?(tom)
Let's go SAN :)
Those services are all fully public; data is mainly usernames and passwords.
Discourse has an internal category that has some budget-related things in, and will also contain NDA-sensitive data once the mozillians API comes out.
But again, everything is accessed with a username and password that needs protecting.
There's also jenkins.mozilla-community.org
Flags: needinfo?(tom)
(In reply to Tom Farrow [:Tad] <away for 2wk - use needinfo> from comment #5)
> l10n.mozilla-community.org
> discourse.mozilla-community.org
> jira.mozilla-community.org
> confluence.mozilla-community.org
> health.mozilla-community.org
> ops.mozilla-community.org
>
> we're constantly adding more stuff ;)
Do you want the SAN cert to contain all of these domains initially, or a subset of them, or a different list entirely?
Comment 9 • 10 years ago
l10n.mozilla-community.org is not managed by :Tad and his group, so please don't include it in the SAN list. That's a separate VPS hosted on OVH.
Comment 10 (Reporter) • 10 years ago
reed beat me to it
l10n.mozilla-community.org
discourse.mozilla-community.org
jira.mozilla-community.org
confluence.mozilla-community.org
health.mozilla-community.org
ops.mozilla-community.org
jenkins.mozilla-community.org
Please use that list initially :)
Comment 11 (Assignee) • 10 years ago
Reed rejected the l10n domain in that list, so we'll proceed excluding that one.
Comment 12 (Reporter) • 10 years ago
(exclude l10n., I'm tired, I left it on the list. whoops)
Since we have discourse on a standalone cert right now, here's the final list for now, this one makes sense. Let's not renew discourse.mozilla-community.org or guides.mozilla-community.org
jira.mozilla-community.org
confluence.mozilla-community.org
health.mozilla-community.org
ops.mozilla-community.org
jenkins.mozilla-community.org
znc.mozilla-community.org
Comment 13 (Reporter) • 10 years ago
I just got a call from :costenslayer, telling me that we should buy a cert for mozfestea.org. I agree.
Would we be able to add this to the SAN, instead of buying a whole cert? afaik SANs can have additional root domains, is this correct?
Thanks
Comment 14 (Assignee) • 10 years ago
Is that cert hosted in the same AWS account as the other domains in comment 12? If so, then yes. Otherwise, no. (As a rule of thumb, anyways.)
Comment 15 (Reporter) • 10 years ago
mozfestea.org isn't.
Can SANs not have multiple private keys issued?
Comment 16 (Assignee) • 10 years ago
Yeah, SANs are one-key, one-cert and we reissue the cert for that key with +/- domains as needed. So, I'll proceed without mozfestea, and you/they can request it in a separate bug if needed.
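As an added example (not code from this bug or from Mozilla's tooling), the check below makes the SAN-versus-wildcard point from comments 3, 13 and 16 concrete: a SAN cert covers exactly the names listed on it and is reissued to change that list, while a wildcard covers one label under the domain only, so neither fixes a name mismatch for a host that is simply not on the cert. Hostnames are constructed from the lists in this bug; the matching rule is RFC 6125 section 6.4.3.

```python
"""Which requested hostnames does a certificate's name list cover?

Added example, not code from this bug. Matching follows RFC 6125 6.4.3:
an exact dNSName matches only itself; a wildcard like '*.example.org'
matches exactly one left-most label (never the bare domain, never two
labels deep). Hostnames below are constructed from the bug's lists.
"""


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: split off the host's first label; the remainder must equal
    # the pattern's parent domain exactly.
    head, sep, tail = hostname.partition(".")
    return bool(sep) and head != "" and tail == pattern[2:]


def uncovered(san_list, hostnames):
    """Hostnames that would trigger a name-mismatch warning with this cert."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_list)]


# Final SAN list from comment 31 of the bug.
SAN_CERT = [
    "jira.mozilla-community.org",
    "confluence.mozilla-community.org",
    "ops.mozilla-community.org",
    "znc.mozilla-community.org",
    "discourse.mozilla-community.org",
]
WILDCARD_CERT = ["*.mozilla-community.org"]

# Hosts discussed in the thread plus two constructed edge cases.
REQUESTED = [
    "jira.mozilla-community.org",
    "health.mozilla-community.org",         # dropped in comment 26
    "jenkins.mozilla-community.org",        # dropped in comment 27
    "mozfestea.org",                        # other domain, comment 13
    "mozilla-community.org",                # constructed: bare apex
    "dev.discourse.mozilla-community.org",  # constructed: two labels deep
]

if __name__ == "__main__":
    print("SAN cert leaves uncovered:", uncovered(SAN_CERT, REQUESTED))
    print("wildcard leaves uncovered:", uncovered(WILDCARD_CERT, REQUESTED))
```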
Comment 17 • 10 years ago
I still need Pierros to sign off on this _before_ we make any purchases.
Flags: needinfo?(pierros)
Comment 18 • 10 years ago
health.mozilla-community.org isn't currently under SSL and I'm not aware of plans to make it so (I'm not currently paying for SSL from statushub.io).
Do we think we need that CN in the SAN?
Comment 19 • 10 years ago
@Pierros, bump?
Certainly not desirable to have anything on the Internet without proper encryption, and while there is a cert, there's a CN mismatch, and I certainly don't want to encourage people to accept SSL warnings.
Comment 20 • 10 years ago
@atoll, anything you can do to help escalate? Worried about non-SSL. Maybe I shouldn't be?
Comment 21 (Assignee) • 10 years ago
I don't know if it's best to have SSL for health.m-c.o or not (cost is a concern), but we can trivially add further domains at a later date if you decide to do so. (Personally, I don't care if a status site is SSL or not, if that helps any :)
Comment 22 • 10 years ago
Oops. Context was lost.
Was asking more for the generic wildcard cert for things like our Jira & Confluence instance, both of which have some notion of user logins. In which case, I may or may not want to be worried about non-SSL, amiright?
I share your thoughts on that status page.
Comment 23 (Assignee) • 10 years ago
For Jira and Confluence, it's probably better over time to end up with some sort of SSL cert if they're going to accept logins - even if it's federated, there's still tokens all over the place.
Comment 24 • 10 years ago
Agree, of course. Anything you can do to help escalate this since we appear to be stalled on signoff from @pierros? I've purposely slowed or advocated against adoption until we have SSL.
Comment 26 (Assignee) • 10 years ago
Alright. So, the current list of domains is:
jira.mozilla-community.org
confluence.mozilla-community.org
ops.mozilla-community.org
jenkins.mozilla-community.org
znc.mozilla-community.org
I subtracted health.m-c.o per comment 18, and mozfestea needs an entirely separate bug (it can't ride along here, sorry).
Waiting a few hours before proceeding in case I misunderstood the requested domain list somehow.
Comment 27 (Reporter) • 10 years ago
Hey atoll
Let's cut jenkins as well; I don't think we need jenkins for now after some unexpected changes. We can add it in future if we need to.
Yeah, jira, confluence, ops and znc.
Thanks
Comment 28 (Assignee) • 10 years ago
Okay.
jira.mozilla-community.org
confluence.mozilla-community.org
ops.mozilla-community.org
znc.mozilla-community.org
Which of these is Discourse (comment 0)?
Comment 29 • 10 years ago
None!
discourse.mozilla-community.org
Comment 30 (Reporter) • 10 years ago
mrz beat me, been a long day, I was just selecting from the list in comment 26.
Blame the train system
Comment 31 (Assignee) • 10 years ago
jira.mozilla-community.org
confluence.mozilla-community.org
ops.mozilla-community.org
znc.mozilla-community.org
discourse.mozilla-community.org
Last call!
Comment 32 (Reporter) • 10 years ago
+1 from me!
mrz, sanity check before we proceed?
Flags: needinfo?(mzeier)
Comment 35 • 10 years ago
Intermediate cert
Comment 36 • 10 years ago
san.mozilla-community.org cert
Comment 38 (Reporter) • 10 years ago
In a rush to leave, please send key to Logan.
Comment 39 • 10 years ago
Could you please send the key to me at loganrosen@gmail.com?
My public key is here: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0x04E7F142F1ED1345
Flags: needinfo?(cliang)
Comment 41 • 10 years ago
Got it, thanks!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED