please set-up aus5.m.o w/ sha2 (or higher) SSL cert

RESOLVED FIXED

Status

RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: bhearsum, Assigned: rwatson)

Tracking

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1374] )

SHA1 based certificates have been deprecated and deemed insecure (https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/). We should transition away from them, especially in our product delivery cluster.

Because the Firefox update client pins the server to certs with specific issuer information, this means we need to get a new domain name with a new cert, but still backed by the same webheads. Ie, when completed, aus4.m.o and aus5.m.o should be exactly the same, except for their SSL cert. We did this once before (aus2 -> aus3), so there's some precedent.

Updated

3 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1374]

Updated

3 years ago
Assignee: server-ops-webops → rwatson
(Assignee)

Comment 1

3 years ago
I believe this work has been completed as requested. 
Can you test for me please Ben?
(In reply to Ryan Watson [:w0ts0n] from comment #1)
> I believe this work has been completed as requested. 
> Can you test for me please Ben?

I did a quick test today that looked fine. I'm running a more extensive set now, I'll report back tomorrow.
(Assignee)

Comment 3

3 years ago
Perfect, I'm going to close this out, if needed feel free to re-open!

Thanks!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
My more complete checks passed (for RelEng: these were "quick" update verify checks using all of the mozBeta update verify configs concat'ed together), so I think all is well here.

One thing I got to thinking about, is that it would probably be good to have aus5-dev.allizom.org set-up as well. I don't really care what cert it uses, but aus4-dev.allizom.org uses the *.allizom.org wildcard, so if we have a SHA-2 equivalent of that I guess that would make sense. Sorry for not thinking about this in the first place.
Flags: needinfo?(rwatson)
Ack, I have to re-open this for other reasons. When I was getting review on the patch to change the in-tree update server URL, I was reminded that we're supposed to be keeping a backup cert on hand for the AUS domain. We last did this for aus3.mozilla.org in bug 583678 - and we totally forgot to do it for aus4.mozilla.org.

Can we do the same for aus5, please? Apologies again for tacking on work after filing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 6

3 years ago
we have decided to go with thawte for the second cert (it's who we used last time for aus3). I just need to figure out payment as we don't have a card on file. Should have this done for you by the end of the week.
Flags: needinfo?(rwatson)
(Assignee)

Comment 7

3 years ago
Thawte is processing your order
Received on 06-Aug-2015
Product: SSL Web Server Certificate
Status: PENDING
Typical processing time for your SSL Certificate is two business days or less.
(Assignee)

Comment 8

3 years ago
I'm heading out to PTO tomorrow, :fox2mike is going to test the backup cert tomorrow. (as per our conversation :bhearsum)
Flags: needinfo?(smani)
(In reply to Ryan Watson [:w0ts0n] from comment #8)
> I'm heading out to PTO tomorrow, :fox2mike is going to test the backup cert
> tomorrow. (as per our conversation :bhearsum)

Please hold off on this, 41.0b1 still hasn't shipped, and we're building a 40.0.1 :(.
I haven't made any changes :) Shall hold off.
Flags: needinfo?(smani)
(In reply to Shyam Mani [:fox2mike] from comment #10)
> I haven't made any changes :) Shall hold off.

We're fine to do this anytime now, we shipped yesterday.
(Assignee)

Comment 12

3 years ago
Hi Ben.

I'll reach out to you later today on IRC to test the aus5 cert switch. Once that's complete I'll go ahead and get started on the dev cert/setup.
(Assignee)

Comment 13

3 years ago
Update: 
aus5.m.o was tested with the second cert and approved by ben a few days ago.

https://aus5-dev.allizom.org was setup today. Ben can you run your tests? 

I wouldn't mind a R+ from :fox2mike also since he helped me do the aus5.m.o but it looks like it's working.
Flags: needinfo?(smani)
Flags: needinfo?(bhearsum)
(In reply to Ryan Watson [:w0ts0n] from comment #13)
> Update: 
> aus5.m.o was tested with the second cert and approved by ben a few days ago.
> 
> https://aus5-dev.allizom.org was setup today. Ben can you run your tests? 

Looks fine to me!
Flags: needinfo?(bhearsum)
(Assignee)

Updated

3 years ago
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago3 years ago
Resolution: --- → FIXED
(Assignee)

Updated

3 years ago
Flags: needinfo?(smani)
Ryan, what will we do about docs for this ? We have https://mana.mozilla.org/wiki/display/websites/aus4.mozilla.org already (which is the first set of hosts for a Balrog-based update server), and now the cert refresh from this bug.
Flags: needinfo?(rwatson)
(Assignee)

Comment 16

3 years ago
Sorry for the delay on response. The bug was closed and I have filters on that stuff so missed it. 

Hmm, I'm not sure where we stand with docs. Perhaps we need a small working session to get this stuff updated? My suggestion would be to file a bug and then perhaps we can setup a time to update the docs to a suitable level?
Flags: needinfo?(rwatson)
Depends on: 1216019
Depends on: 1220510
Blocks: 1248760
You need to log in before you can comment on or make changes to this bug.