Closed
Bug 1203990
Opened 9 years ago
Closed 9 years ago
please install new root onto Windows build & test machines
Categories
(Infrastructure & Operations :: RelOps: General, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bhearsum, Assigned: markco)
Attachments
(1 file, 1 obsolete file)
1.76 KB, application/x-x509-ca-cert
We sign a lot of builds with a certificate generated from a root that we maintain ourselves. That original root was installed onto our Windows build and test machines a long time ago. In bug 1079858, we're upgrading to a SHA-2 certificate, and we've got a new root to go along with it, so we'll need the new root installed onto the build & test machines, otherwise update tests will fail.
It should be installed into the "Trusted Root Certification Authorities" for the "Current User" (cltbld, I assume). Here's a screenshot that shows where the existing root is installed on one of our XP machines: http://people.mozilla.org/~bhearsum/sattap/982d978b.png
Attached is the new certificate.
Updated•9 years ago
Assignee: relops → mcornmesser
Comment 1•9 years ago (Assignee)
I am planning on doing a small rollout to a test pool on Monday, then additional deployment depending on the results from the test pool.
Comment 2•9 years ago (Assignee)
This turns out to be a bit more entangled than I originally thought after a cursory look last week. There is an Install_mozilla_root_certs GPO, but it is only applied to the XP tester OU. I am not seeing through the DC or WDS how the other platforms are receiving the cert. I may need to consult with Q on this, who is out on PTO today and tomorrow.
Q: if I haven't hashed this out by the time you are back, could we meet and chat about this?
Flags: needinfo?(q)
Comment 3•9 years ago (Reporter)
(In reply to Mark Cornmesser [:markco] from comment #2)
> This turns out to be a bit more entangled than I originally thought after a
> cursory look last week. There is an Install_mozilla_root_certs GPO, but it
> is only applied to the XP tester OU. I am not seeing through the DC or WDS
> how the other platforms are receiving the cert. I may need to consult with Q
> on this, who is out on PTO today and tomorrow.
>
> Q: if I haven't hashed this out by the time you are back, could we meet and
> chat about this?
It's possible that the existing cert isn't installed on the build machines, come to think of it... but we'd have test failures if it wasn't installed on Win7 or 8. I wonder if it was included on a base image for those platforms or something... IIRC they didn't exist when we first rolled it out.
Comment 4•9 years ago
Said in IRC, but I want to make sure we capture it here. We need the new cert bundle IN ADDITION TO the existing MozFakeCA.pem, so this isn't an overwrite or deleting anything.
Comment 5•9 years ago (Assignee)
bhearsum: When you have a moment could you check out t-w732-ix-10, please? If that is good I will pull the trigger for Win 7 and 8 on 2015-09-25 am.
Comment 6•9 years ago (Reporter)
(In reply to Mark Cornmesser [:markco] from comment #5)
> bhearsum: When you have a moment could you check out t-w732-ix-10, please? If
> that is good I will pull the trigger for Win 7 and 8 on 2015-09-25 am.
The deployment looks fine, but I noticed while inspecting it that it expires in just a few weeks. That's my fault - I forgot to override the default expiry while generating it. Here's a new one that has a much longer validity period. Sorry about that - the deployment method itself looks correct to me.
Attachment #8659914 - Attachment is obsolete: true
Comment 7•9 years ago (Assignee)
I updated the certificate and removed the item-level targeting. This should be going out to 7, 8, and XP this morning.
Comment 8•9 years ago (Reporter)
(In reply to Mark Cornmesser [:markco] from comment #7)
> I updated the certificate and removed the item-level targeting. This should
> be going out to 7, 8, and XP this morning.
I spot checked a few machines (one of each OS) and can confirm that they're getting deployed \o/. Thank you!
Updated•9 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
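The short expiry caught in comment 6 and the per-machine spot checks in comment 8 can be scripted. The PowerShell below is an added example, not part of this bug or of Mozilla's tooling. It assumes it is run as the build/test account on the machine being checked; the parameter names, the 365-day threshold and the thumbprint list are illustrative.

```powershell
# Added example: audit a new root CA file and its deployment in the
# "Current User" Trusted Root store. Names and thresholds are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,  # new root, DER or PEM
    [string[]]$MustRemain = @(),                      # thumbprints of existing roots that must stay
    [int]$MinDaysValid = 365
)

$file = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
$problems = @()

# 1. Validity period: catches a certificate generated with a short default expiry.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($cert.NotBefore -gt (Get-Date)) { $problems += "not valid until $($cert.NotBefore)" }
if ($daysLeft -lt $MinDaysValid)    { $problems += "expires in $daysLeft days ($($cert.NotAfter))" }

# 2. Signature algorithm: the md5RSA and sha1RSA OIDs are treated as legacy.
$legacy = '1.2.840.113549.1.1.4', '1.2.840.113549.1.1.5'
if ($legacy -contains $cert.SignatureAlgorithm.Value) {
    $problems += "legacy signature algorithm $($cert.SignatureAlgorithm.FriendlyName)"
}

# 3. A root is self-issued; anything else does not belong in the Root store.
if ($cert.Subject -ne $cert.Issuer) { $problems += "not self-issued (issuer: $($cert.Issuer))" }

# 4. Store contents: the new root must be present and the old roots must still be there.
$installed = Get-ChildItem Cert:\CurrentUser\Root | ForEach-Object { $_.Thumbprint }
if ($installed -notcontains $cert.Thumbprint) {
    $problems += "new root $($cert.Thumbprint) missing from CurrentUser\Root"
}
foreach ($tp in $MustRemain) {
    $tp = $tp -replace '\s', ''
    if ($installed -notcontains $tp) { $problems += "existing root $tp missing from CurrentUser\Root" }
}

"{0}  {1}  notAfter={2:yyyy-MM-dd}" -f $env:COMPUTERNAME, $cert.Subject, $cert.NotAfter
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: root trusted for $env:USERNAME, valid for $daysLeft more days"
```

Passing the thumbprint of the existing root in `-MustRemain` covers the requirement from comment 4 that the new root is added alongside the old one rather than replacing it.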