Provide ansible scripts for working with signing servers

NEW
Unassigned

Status

Release Engineering
General Automation
P3
normal
a year ago
11 months ago

People

(Reporter: hwine, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

a year ago
Based on work on renewing Mac cert, some automation across all servers would be nice:

  - report current code deployment hash (should be identical)
  - report hashes of current secrets (should be identical)
  - automatically send email to explain mozdef emails

And, some automation against one server would be handy for:

  - generate Mac CSR for renewal purposes
  - manage the keychain (file) names during renewal process
  - help with deployment of new key/cert to peer servers? <= maybe not

Biggest bonus would be (imo) using inventory to ensure all current servers are hit. That could be valuable for ad hoc commands.
(Reporter)

Comment 1

a year ago
Darn -- the CLI tool can't create the CSR -- or at least the obvious tool 'security' cannot.

Comment 2

a year ago
I have a csrtool.py that I think I used to replace the SSL certs for the signing servers. Not sure if that helps or not: https://github.com/escapewindow/docker-signing-server/blob/master/csrtool.py

Updated

11 months ago
Priority: -- → P3