Provide ansible scripts for working with signing servers

NEW
Unassigned

Status

P3
normal
2 years ago
10 months ago

People

(Reporter: hwine, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Based on work on renewing Mac cert, some automation across all servers would be nice:

  - report current code deployment hash (should be identical)
  - report hashes of current secrets (should be identical)
  - automatically send email to explain mozdef emails

And, some automation against one server would be handy for:

  - generate Mac CSR for renewal purposes
  - manage the keychain (file) names during renewal process
  - help with deployment of new key/cert to peer servers? <= maybe not

Biggest bonus would be (imo) using inventory to ensure all current servers are hit. That could be valuable for ad hoc commands.
Darn -- the cli tool can't create the CSR -- or at least the obvious tool 'security' cannot.
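
One way the cross-server hash report requested in the description could look as an Ansible playbook. This is an added example, not code from this bug or from the signing-server tooling; the inventory group `signing_servers`, `deploy_dir` and the `secret_files` paths are placeholders, and it assumes the deployment is a git checkout.

```yaml
# Added example. Assumed names: group "signing_servers", deploy_dir, secret_files.
- name: Report code and secret hashes across all signing servers
  hosts: signing_servers
  gather_facts: false
  vars:
    deploy_dir: /path/to/signing/checkout      # placeholder
    secret_files:                              # placeholders
      - /path/to/secrets/first-secret
      - /path/to/secrets/second-secret
  tasks:
    - name: Read the deployed code revision
      ansible.builtin.command: git rev-parse HEAD
      args:
        chdir: "{{ deploy_dir }}"
      register: code_rev
      changed_when: false

    - name: Hash each secret file on the host (only the digest is returned)
      ansible.builtin.stat:
        path: "{{ item }}"
        get_checksum: true
        checksum_algorithm: sha256
      loop: "{{ secret_files }}"
      register: secret_stat

    - name: Combine revision and digests into one fingerprint per host
      ansible.builtin.set_fact:
        fingerprint: >-
          {{ ([code_rev.stdout] + (secret_stat.results
              | map(attribute='stat.checksum', default='MISSING') | list))
             | join(' ') }}

    - name: Report the fingerprint of every host
      ansible.builtin.debug:
        var: fingerprint

    - name: Fail if a server was missed or any fingerprint differs
      run_once: true
      ansible.builtin.assert:
        that:
          # Hosts that failed or were unreachable drop out of ansible_play_hosts.
          - ansible_play_hosts | length == ansible_play_hosts_all | length
          # Identical deployments produce exactly one distinct fingerprint.
          - >-
            ansible_play_hosts | map('extract', hostvars, 'fingerprint')
            | list | unique | length == 1
        fail_msg: "Signing servers are not all reachable or not identical"
```

A missing secret file shows up as `MISSING` in that host's fingerprint, so it is reported as a mismatch rather than aborting the run on that host.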

Comment 2

2 years ago
I have a csrtool.py that I think I used to replace the SSL certs for the signing servers. Not sure if that helps or not: https://github.com/escapewindow/docker-signing-server/blob/master/csrtool.py
Priority: -- → P3
(Assignee)

Updated

10 months ago
Component: General Automation → General
Product: Release Engineering → Release Engineering