Closed
Bug 1179339
Opened 9 years ago
Closed 9 years ago
please set-up aus5.m.o w/ sha2 (or higher) SSL cert
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bhearsum, Assigned: rwatson)
References
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1374] )
SHA1 based certificates have been deprecated and deemed insecure (https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/). We should transition away from them, especially in our product delivery cluster.
Because the Firefox update client pins the server to certs with specific issuer information, this means we need to get a new domain name with a new cert, but still backed by the same webheads. I.e., when completed, aus4.m.o and aus5.m.o should be exactly the same, except for their SSL cert. We did this once before (aus2 -> aus3), so there's some precedent.
Updated•9 years ago
Assignee: server-ops-webops → rwatson
Comment 1•9 years ago (Assignee)
I believe this work has been completed as requested.
Can you test for me please Ben?
Comment 2•9 years ago (Reporter)
(In reply to Ryan Watson [:w0ts0n] from comment #1)
> I believe this work has been completed as requested.
> Can you test for me please Ben?
I did a quick test today that looked fine. I'm running a more extensive set now, I'll report back tomorrow.
Comment 3•9 years ago (Assignee)
Perfect, I'm going to close this out, if needed feel free to re-open!
Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 4•9 years ago (Reporter)
My more complete checks passed (for RelEng: these were "quick" update verify checks using all of the mozBeta update verify configs concat'ed together), so I think all is well here.
One thing I got to thinking about, is that it would probably be good to have aus5-dev.allizom.org set-up as well. I don't really care what cert it uses, but aus4-dev.allizom.org uses the *.allizom.org wildcard, so if we have a SHA-2 equivalent of that I guess that would make sense. Sorry for not thinking about this in the first place.
Flags: needinfo?(rwatson)
Comment 5•9 years ago (Reporter)
Ack, I have to re-open this for other reasons. When I was getting review on the patch to change the in-tree update server URL, I was reminded that we're supposed to be keeping a backup cert on hand for the AUS domain. We last did this for aus3.mozilla.org in bug 583678 - and we totally forgot to do it for aus4.mozilla.org.
Can we do the same for aus5, please? Apologies again for tacking on work after filing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
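A pre-switch check for the two requirements raised in this bug (a SHA-2 signature, and an issuer accepted by the update client's pins for both the primary and the backup certificate), as an added example that is not part of the bug or of Mozilla's tooling. The issuer strings, file names and throwaway self-signed certificates are constructed; it assumes the `openssl` CLI is installed and that pins are compared as RFC 2253 issuer DNs, which is not necessarily how the Firefox client stores them.

```shell
#!/bin/sh
# Added example: check an update-server cert before pointing clients at it.
# All names, paths and pin strings below are constructed for illustration.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only for SHA-2 family names (RSA-PSS names are not handled here).
is_sha2() {
    case "$1" in
        *[Ss][Hh][Aa]224*|*[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the issuer DN in RFC 2253 form so it can be compared as a string.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# check_cert CERT PIN_FILE: pass when the cert is SHA-2 signed and its issuer
# is listed in PIN_FILE (one DN per line: primary issuer and backup issuer).
check_cert() {
    alg=$(sig_alg "$1")
    is_sha2 "$alg" || { echo "FAIL: $alg is not SHA-2"; return 1; }
    iss=$(issuer_dn "$1")
    grep -Fxq -- "$iss" "$2" || { echo "FAIL: issuer not pinned: $iss"; return 2; }
    echo "OK: $alg, issuer $iss"
}

# make_cert CN OUT_PREFIX: throwaway self-signed cert used as test input.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Demo: one cert whose issuer is pinned, one whose issuer is not.
tmp=$(mktemp -d)
make_cert "Example Primary CA" "$tmp/primary"
make_cert "Example Other CA" "$tmp/other"
printf '%s\n' "CN=Example Primary CA,O=Example" "CN=Example Backup CA,O=Example" > "$tmp/pins"
check_cert "$tmp/primary.pem" "$tmp/pins"
check_cert "$tmp/other.pem" "$tmp/pins" || true
rm -rf "$tmp"
```

Running the same check against the backup certificate before it is ever needed is what confirms that a failover would not lock out pinned clients.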
Comment 6•9 years ago (Assignee)
We have decided to go with Thawte for the second cert (it's who we used last time for aus3). I just need to figure out payment as we don't have a card on file. Should have this done for you by the end of the week.
Flags: needinfo?(rwatson)
Comment 7•9 years ago (Assignee)
Thawte is processing your order
Received on 06-Aug-2015
Product: SSL Web Server Certificate
Status: PENDING
Typical processing time for your SSL Certificate is two business days or less.
Comment 8•9 years ago (Assignee)
I'm heading out to PTO tomorrow, :fox2mike is going to test the backup cert tomorrow. (as per our conversation :bhearsum)
Flags: needinfo?(smani)
Comment 9•9 years ago (Reporter)
(In reply to Ryan Watson [:w0ts0n] from comment #8)
> I'm heading out to PTO tomorrow, :fox2mike is going to test the backup cert
> tomorrow. (as per our conversation :bhearsum)
Please hold off on this, 41.0b1 still hasn't shipped, and we're building a 40.0.1 :(.
Comment 11•9 years ago (Reporter)
(In reply to Shyam Mani [:fox2mike] from comment #10)
> I haven't made any changes :) Shall hold off.
We're fine to do this anytime now, we shipped yesterday.
Comment 12•9 years ago (Assignee)
Hi Ben.
I'll reach out to you later today on IRC to test the aus5 cert switch. Once that's complete I'll go ahead and get started on the dev cert/setup.
Comment 13•9 years ago (Assignee)
Update:
aus5.m.o was tested with the second cert and approved by Ben a few days ago.
https://aus5-dev.allizom.org was set up today. Ben, can you run your tests?
I wouldn't mind an R+ from :fox2mike also since he helped me do the aus5.m.o but it looks like it's working.
Flags: needinfo?(smani)
Flags: needinfo?(bhearsum)
Comment 14•9 years ago (Reporter)
(In reply to Ryan Watson [:w0ts0n] from comment #13)
> Update:
> aus5.m.o was tested with the second cert and approved by Ben a few days ago.
>
> https://aus5-dev.allizom.org was set up today. Ben, can you run your tests?
Looks fine to me!
Flags: needinfo?(bhearsum)
Updated•9 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Updated•9 years ago (Assignee)
Flags: needinfo?(smani)
Comment 15•9 years ago
Ryan, what will we do about docs for this? We have https://mana.mozilla.org/wiki/display/websites/aus4.mozilla.org already (which is the first set of hosts for a Balrog-based update server), and now the cert refresh from this bug.
Flags: needinfo?(rwatson)
Comment 16•9 years ago (Assignee)
Sorry for the delay on response. The bug was closed and I have filters on that stuff so missed it.
Hmm, I'm not sure where we stand with docs. Perhaps we need a small working session to get this stuff updated? My suggestion would be to file a bug and then perhaps we can set up a time to update the docs to a suitable level?
Flags: needinfo?(rwatson)
Comment 17•9 years ago
Bug 1216019 for that.