please install new root onto Windows build & test machines

RESOLVED FIXED

Status

Infrastructure & Operations
RelOps
2 years ago

People

(Reporter: bhearsum, Assigned: markco)

Attachments

(1 attachment, 1 obsolete attachment)

1.76 KB, application/x-x509-ca-cert
(Reporter)

Description

2 years ago
Created attachment 8659914 [details]
MozFakeCA.pem

We sign a lot of builds with a certificate generated from a root that we maintain ourselves. That original root was installed onto our Windows build and test machines a long time ago. In bug 1079858, we're upgrading to a SHA-2 certificate, and we've got a new root to go along with it, so we'll need the new root installed onto the build & test machines; otherwise update tests will fail.

It should be installed into the "Trusted Root Certification Authorities" for the "Current User" (cltbld, I assume). Here's a screenshot that shows where the existing root is installed on one of our XP machines: http://people.mozilla.org/~bhearsum/sattap/982d978b.png

Attached is the new certificate.
Assignee: relops → mcornmesser
(Assignee)

Comment 1

2 years ago
I am planning on doing a small rollout to the test pool on Monday, then additional deployment depending on the results of the test pool.
(Assignee)

Comment 2

2 years ago
This turns out to be a bit more entangled than I originally thought after a cursory look last week. There is an Install_mozilla_root_certs GPO, but it is only applied to the XP tester OU. I am not seeing through the DC or WDS how the other platforms are receiving the cert. I may need to consult with Q on this, who is out on PTO today and tomorrow. 

Q: if I haven't hashed this out by the time you are back, could we meet and chat about this?
Flags: needinfo?(q)
(Reporter)

Comment 3

2 years ago
(In reply to Mark Cornmesser [:markco] from comment #2)
> This turns out to be a bit more entangled than I originally thought after a
> cursory look last week. There is an Install_mozilla_root_certs GPO, but it
> is only applied to the XP tester OU. I am not seeing through the DC or WDS
> how the other platforms are receiving the cert. I may need to consult with Q
> on this, who is out on PTO today and tomorrow. 
> 
> Q: if I haven't hashed this out by the time you are back, could we meet and
> chat about this?

It's possible that the existing cert isn't installed on the build machines, come to think of it... but we'd have test failures if it wasn't installed on Win7 or 8. I wonder if it was included on a base image for those platforms or something... IIRC they didn't exist when we first rolled it out.
Said in IRC, but I want to make sure we capture it here. We need the new cert bundle IN ADDITION TO the existing MozFakeCA.pem, so this isn't an overwrite or deleting anything.
(Assignee)

Comment 5

2 years ago
bhearsum: When you have a moment could you check out t-w732-ix-10, please? If that is good I will pull the trigger 2015-09-25 am for Win 7 and 8.
(Reporter)

Comment 6

2 years ago
Created attachment 8665990 [details]
MozFakeCA.pem

(In reply to Mark Cornmesser [:markco] from comment #5)
> bhearsum: When you have a moment could you check out t-w732-ix-10, please? If
> that is good I will pull the trigger 2015-09-25 am for Win 7 and 8.

The deployment looks fine, but I noticed while inspecting it that it expires in just a few weeks. That's my fault - I forgot to override the default expiry while generating it. Here's a new one that has a much longer validity period. Sorry about that - the deployment method itself looks correct to me.
Attachment #8659914 - Attachment is obsolete: true
(Assignee)

Comment 7

2 years ago
I updated the certificate and removed the item level targeting. This should be going out to 7, 8, and XP this morning.
(Reporter)

Comment 8

2 years ago
(In reply to Mark Cornmesser [:markco] from comment #7)
> I updated the certificate and removed the item level targeting. This should
> be going out to 7, 8, and XP this morning.

I spot checked a few machines (one of each OS) and can confirm that they're getting deployed \o/. Thank you!
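
The short expiry caught by hand in comment 6 and the per-machine spot check in comment 8 can both be scripted. The following PowerShell is an added example, not code from this bug or from the deployment it describes; the function name, the 365-day threshold and the local path to the PEM file are assumptions.

```powershell
# Added example, not from the bug. Assumed: function name, 365-day threshold.
function Test-RootCertForDeployment {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$MinDaysValid = 365
    )
    $full = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Remaining validity: the first attachment expired within weeks.
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    # A root is self-signed: subject and issuer are the same name.
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # Basic Constraints must mark the certificate as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # The bug is a move to SHA-2, so flag SHA-1 and MD5 signatures.
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    $weakSig = $sigAlg -match 'sha1|md5'

    # Read-only lookup in "Trusted Root Certification Authorities" (Current User).
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $installed = [bool]($store.Certificates |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    } finally {
        $store.Close()
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        SigAlg     = $sigAlg
        Installed  = $installed
        ReadyToDeploy = ($daysLeft -ge $MinDaysValid) -and $selfSigned -and $isCa -and (-not $weakSig)
    }
}

# Run as the account the tests use, against a local copy of the attachment:
# Test-RootCertForDeployment -Path .\MozFakeCA.pem
```

Because the lookup is by thumbprint, it distinguishes the new root from the existing MozFakeCA root that has to stay installed alongside it.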
(Assignee)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

2 years ago
Flags: needinfo?(q)