Closed Bug 1260332 Opened 9 years ago Closed 9 years ago

SSL certificate for sensorweb.io

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: elin, Unassigned)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2766] )

Since we have several subdomains to secure, e.g. apex, www, app, api, developer... can we have a wildcard certificate for that?
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2766]
Blocks: 1258287
Assignee: server-ops-webops → eziegenhorn
:kang, does opsec want to review issuing a wildcard cert for sensorweb.io?
Flags: needinfo?(gdestuynder)
Yes - using wildcard certificates is strongly discouraged and only used when there is no other solution. @elin, what is your usage case? Could alternate subject names be ok instead of wildcard? It sounds like SensorWeb could potentially use an RRA instead to determine this (https://wiki.mozilla.org/Security/Risk_management/Rapid_Risk_Assessment) (can request via bug https://wiki.mozilla.org/Security/OpSec#Service:_Rapid_Risk_.28Impact.29_Assessment_.28RRA.29)
Flags: needinfo?(gdestuynder)
Please kick off the RRA via the bug link above, then we'll proceed on certs once that review is completed.
Flags: needinfo?(elin)
www.sensorweb.io resolves to ec2-52-196-14-197.ap-northeast-1.compute.amazonaws.com, so this is on a self-hosted EC2 instance. I strongly recommend using Let's Encrypt here, and Webops has approval from Mozilla Infosec to issue certs through LE for our sites. Based on your Nginx version (1.8.1), you're running the nginx stable PPA on a modern Ubuntu host, probably 14.04 LTS. https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 has a complete guide to configuring and running Let's Encrypt on Ubuntu 14.04, and should allow you to self-provision a certificate here (even if you're on 15, or 16 LTS). Could you please try this and let us know if it works out for you?
Oh, and: Each time you want to change (Add or Remove) the domains authorized for that certificate, you would just repeat this line from the instructions:
> ./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d example.com -d www.example.com
Specifying a new set of -d X -d Y parameters listing all the domains you intend to accept, and then restart Nginx once it's updated the certificate on disk.
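An added example, not part of the bug thread or the linked guide: a small POSIX shell helper for the re-issue step described in the comment above. It builds the complete -d list from a hostname list, rejects wildcard entries, and shows which names a re-issue would add or drop; the function names and any hostname lists fed to it are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the bug. WEBROOT and the command line are the ones
# quoted in the comment above; function names are hypothetical.
WEBROOT=/usr/share/nginx/html

# normalize: hostnames on stdin -> comments and blanks dropped, lowercased,
# sorted, de-duplicated.
normalize() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | tr 'A-Z' 'a-z' | sort -u
}

# build_cmd: print the certonly command covering every hostname on stdin.
# Returns 1 for an empty list, a wildcard entry, or anything that is not a hostname.
build_cmd() {
  hosts=$(normalize)
  [ -n "$hosts" ] || { echo "no hostnames given" >&2; return 1; }
  args=""
  while IFS= read -r h; do
    case "$h" in
      *\**) echo "wildcard entry rejected: $h" >&2; return 1 ;;
      *[!a-z0-9.-]*|.*|*.|*..*|-*) echo "not a hostname: $h" >&2; return 1 ;;
    esac
    args="$args -d $h"
  done <<EOF
$hosts
EOF
  echo "./letsencrypt-auto certonly -a webroot --webroot-path=$WEBROOT$args"
}

# changes CURRENT DESIRED: "+ host" for names the re-issue adds, "- host" for
# names it drops. Because every run replaces the whole -d set, a dropped name
# stops being covered as soon as Nginx serves the new certificate.
changes() {
  cur=$(printf '%s\n' "$1" | normalize)
  new=$(printf '%s\n' "$2" | normalize)
  printf '%s\n' "$new" | grep -vxF -e "$cur" | sed -e '/^$/d' -e 's/^/+ /'
  printf '%s\n' "$cur" | grep -vxF -e "$new" | sed -e '/^$/d' -e 's/^/- /'
}
```

Source the file, pipe the full hostname list (one per line) into build_cmd, and review the output of changes against the names on the currently served certificate before running the printed command.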
Assignee: eziegenhorn → server-ops-webops
Timeout, please re-open when there's activity. Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(elin)