Issue temporary SAN for Thunderbird API cluster migration

RESOLVED FIXED

Infrastructure & Operations
WebOps: SSL and Domain Names
9 months ago
8 months ago

(Reporter: atoll, Assigned: atoll)

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4431])

(Assignee)

Description

9 months ago
As part of migrating the Thunderbird API cluster to the Thunderbird project, we're going to need a SAN certificate containing all of the active hostnames in use. Per discussion with :sancus, this is a *temporary* certificate, and we should intend to revoke it within 28 days to recover the (significant) cost. This will provide :sancus time to work out the Let's Encrypt or Amazon Certificate Manager or whatever details without delaying user migrations from our EOL'd hosting cluster.

List of SANs to follow.

Updated

9 months ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4431]

Updated

9 months ago
Assignee: server-ops-webops → rsoderberg

Comment 1

thunderbird.net www.thunderbird.net
live.thunderbird.net live.mozillamessaging.com
autoconfig.thunderbird.net autoconfig.mozillamessaging.com autoconfig-live.mozillamessaging.com
broker.thunderbird.net broker-live.mozillamessaging.com
mx.thunderbird.net mx-live.mozillamessaging.com
support.thunderbird.net support.mozillamessaging.com
support.live.mozillamessaging.com

I think this is the complete list of domains we might need. I'm 100% certain about the thunderbird.net ones, but maybe give a quick look at the mozillamessaging.com DNS configuration and see if I missed any aliases of anything there.
(Assignee)

Comment 2

9 months ago
Here's a complete snapshot of all mozillamessaging.com DNS records we have live today for your cross-checking:

mozillamessaging.com	MX	10	mx1.scl3.mozilla.com
mozillamessaging.com	MX	10	mx2.scl3.mozilla.com

*.www.mozillamessaging.com	CNAME	mozillamessaging.com
autoconfig-live.mozillamessaging.com	CNAME	autoconfig.thunderbird.net
broker-live.mozillamessaging.com	CNAME	broker.thunderbird.net
live.mozillamessaging.com	CNAME	live.thunderbird.net
mx-live.mozillamessaging.com	CNAME	mx.thunderbird.net
support.live.mozillamessaging.com	CNAME	support.thunderbird.net
support.mozillamessaging.com	CNAME	support.thunderbird.net
www.mozillamessaging.com	CNAME	mozillamessaging.com

mozillamessaging.com	A	63.245.213.56
(Assignee)

Comment 3

9 months ago
(In reply to Andrei Hajdukewycz [:sancus] from comment #1)
> I think this is the complete list of domains we might need. I'm 100% certain
> about the thunderbird.net ones, but maybe give a quick look at the
> mozillamessaging.com DNS configuration and see if I missed any aliases of
> anything there.

thunderbird.net
www.thunderbird.net

These are correct; you'll be hosting top-level and www, and we're hosting these two for messaging.

live.thunderbird.net
live.mozillamessaging.com

Seems okay.

autoconfig.thunderbird.net

autoconfig.mozillamessaging.com
autoconfig-live.mozillamessaging.com

We don't have "autoconfig.mozillamessaging.com" in DNS; can we remove that here?

broker.thunderbird.net
broker-live.mozillamessaging.com

Confirmed absence of 'broker.mozillamessaging.com' from DNS.

mx.thunderbird.net
mx-live.mozillamessaging.com

Confirmed absence of 'mx.mozillamessaging.com' from DNS.

support.thunderbird.net

support.mozillamessaging.com
support.live.mozillamessaging.com

These are good.

Comment 4

Yeah, you can remove autoconfig.mozillamessaging.com; it never existed. The full list is repeated below with only autoconfig.mozillamessaging.com removed.

thunderbird.net www.thunderbird.net
live.thunderbird.net live.mozillamessaging.com
autoconfig.thunderbird.net autoconfig-live.mozillamessaging.com
broker.thunderbird.net broker-live.mozillamessaging.com
mx.thunderbird.net mx-live.mozillamessaging.com
support.thunderbird.net support.mozillamessaging.com
support.live.mozillamessaging.com
(Assignee)

Comment 5

9 months ago
One per line format for Digicert:

thunderbird.net
www.thunderbird.net
live.thunderbird.net
live.mozillamessaging.com
autoconfig.thunderbird.net
autoconfig-live.mozillamessaging.com
broker.thunderbird.net
broker-live.mozillamessaging.com
mx.thunderbird.net
mx-live.mozillamessaging.com
support.thunderbird.net
support.mozillamessaging.com
support.live.mozillamessaging.com

Comment 6

Double-checked, looks good!
(Assignee)

Comment 7

9 months ago
Delivered, n? :sancus to RESO FIXE when they're verified working on his load balancers
Flags: needinfo?(sancus)

Comment 8

This is working at 104.200.27.94, see
curl -iL --resolve live.thunderbird.net:443:104.200.27.94 https://live.thunderbird.net/thunderbird/start

I have also stored the key (encrypted using git-crypt) and cert in our repo https://github.com/thundernest/thundernest-ansible/tree/master/files (privkey.pem and fullchain.pem) in case there is any need for anyone other than me to access them, unlikely as that may be.
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Flags: needinfo?(sancus)
Resolution: --- → FIXED
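The DNS cross-check of comments 2 to 4 and the deployment check in comment 8, as an added Python example that is not part of this bug or of either project's code: `reconcile` diffs a requested SAN list against the comment-2 DNS snapshot (embedded here as a constructed copy of that table), `uncovered` reports which required hostnames a certificate's DNS SANs fail to match, and `fetch_cert` is the scripted equivalent of the `curl --resolve` check (real network I/O, so it is not exercised by the snapshot).

```python
import socket
import ssl
# Constructed copy of the comment-2 DNS snapshot (tab-separated, "Edit" column dropped).
DNS_SNAPSHOT = """\
mozillamessaging.com\tMX\t10\tmx1.scl3.mozilla.com
*.www.mozillamessaging.com\tCNAME\tmozillamessaging.com
autoconfig-live.mozillamessaging.com\tCNAME\tautoconfig.thunderbird.net
broker-live.mozillamessaging.com\tCNAME\tbroker.thunderbird.net
live.mozillamessaging.com\tCNAME\tlive.thunderbird.net
mx-live.mozillamessaging.com\tCNAME\tmx.thunderbird.net
support.live.mozillamessaging.com\tCNAME\tsupport.thunderbird.net
support.mozillamessaging.com\tCNAME\tsupport.thunderbird.net
www.mozillamessaging.com\tCNAME\tmozillamessaging.com
mozillamessaging.com\tA\t63.245.213.56
"""

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def cname_aliases(snapshot, zone):
    """{alias: target} for CNAME records whose target lives in zone."""
    out = {}
    for line in snapshot.splitlines():
        f = line.split("\t")
        if len(f) >= 3 and f[1] == "CNAME" and in_zone(f[2], zone):
            out[f[0]] = f[2]
    return out

def reconcile(requested, snapshot, zone="thunderbird.net"):
    """Return (missing, unknown): DNS aliases of the new cluster absent from the request,
    and requested names that are neither in the zone nor a known alias (comment 3's check)."""
    aliases = cname_aliases(snapshot, zone)
    req = set(requested)
    missing = sorted(set(aliases) - req)
    unknown = sorted(n for n in req if not in_zone(n, zone) and n not in aliases)
    return missing, unknown

def uncovered(cert, hostnames):
    """Hostnames not matched by the cert's DNS SANs (cert as getpeercert() returns it);
    a wildcard SAN matches exactly one label, as in RFC 6125."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    def ok(h):
        return any(h == s or (s.startswith("*.") and h.endswith(s[1:])
                              and h.count(".") == s.count(".")) for s in sans)
    return [h for h in hostnames if not ok(h.lower())]

def fetch_cert(hostname, ip, port=443):
    """curl --resolve equivalent: TCP to ip, hostname sent as SNI, returns the peer cert."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((ip, port)), server_hostname=hostname) as s:
        return s.getpeercert()
```

Running `uncovered(fetch_cert(h, "104.200.27.94"), SAN_LIST)` for each listed hostname h and expecting `[]` is the scripted form of the comment-8 check. Because the default context verifies the chain and hostname, an untrusted or mismatched certificate raises in `fetch_cert` before the SANs are ever inspected.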
(Assignee)

Comment 9

9 months ago
:sancus, when you're done with it, please let us know (reopen this bug if it's less than a week since I closed it, or otherwise file a new bug in this same component) to revoke the certificate we issued you. Please mention Digicert order #1365607 to whoever helps you out with that revoke.
(Assignee)

Comment 10

8 months ago
Ping?

Comment 11

8 months ago
(In reply to Richard Soderberg [:atoll] from comment #10)
> Ping?

hey atoll see 1353840 if you're still waiting on that ping back