1328435 - Please switch treeherder.mozilla.org to the SNI based Heroku SSL

Status: RESOLVED FIXED

(Infrastructure & Operations :: SSL Certificates, task)

Description

[Ed Morley [:emorley]]

Stage was switched in bug 1320303. Everything is looking good so we can now do the same for production.

Please could someone:
1) Install/update the Heroku CLI & log in as an admin of the mozilla org (I can give access if needed)
2) Re-upload the treeherder.mozilla.org cert/key (with intermediates included in the cert bundle) to the SNI ELB using:
  $ `heroku certs:add example.crt example.key -app treeherder-prod --type sni`
3) Run `heroku domains -a treeherder-prod` to find out the new DNS CNAME target (it should be something like `treeherder.mozilla.org.herokudns.com`)
4) Update the treeherder.mozilla.org CNAME to point to the `<...>.herokudns.com` target instead of the existing `tokyo-43605.herokussl.com` one.

Once 24 hours have passed allowing the DNS to propagate, I'll remove the legacy non-SNI addon.

Many thanks :-)

Comment 1

[Ed Morley [:emorley]]

Would someone be able to take a look at this soon?

Comment 2

[Eric Ziegenhorn :ericz]

Cert uploaded to new SNI endpoint, DNS switched and verified working for me.

Comment 3

[Ed Morley [:emorley]]

Many thanks!

Enough time has passed for the DNS changes to have propagated - so I've now removed the legacy SSL endpoint addon:

$ heroku addons:destroy ssl -a treeherder-prod
 !    WARNING: Destructive Action
 !    This command will affect the app treeherder-prod
 !    To proceed, type treeherder-prod or re-run this command with --confirm
 !    treeherder-prod

treeherder-prod
Destroying th-prod-ssl on treeherder-prod... done

Comment 4

[Ed Morley [:emorley]]

Not sure why Kanban reopened this?

Comment 5

[:Atoll]

It's a bug. Two-way syncing with years-old code and no test suite is adventurous. We'll be mass re-closing them.