Closed Bug 1348395 Opened 9 years ago Closed 9 years ago

Issue temporary SAN for Thunderbird API cluster migration

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4431])

As part of migrating the Thunderbird API cluster to the Thunderbird project, we're going to need a SAN certificate containing all of the active hostnames in use. Per discussion with :sancus, this is a *temporary* certificate, and we should intend to revoke it within 28 days to recover the (significant) cost. This will provide :sancus time to work out the Let's Encrypt or Amazon Certificate Manager or whatever details without delaying user migrations from our EOL'd hosting cluster. List of SANs to follow.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4431]
Assignee: server-ops-webops → rsoderberg
thunderbird.net
www.thunderbird.net
live.thunderbird.net
live.mozillamessaging.com
autoconfig.thunderbird.net
autoconfig.mozillamessaging.com
autoconfig-live.mozillamessaging.com
broker.thunderbird.net
broker-live.mozillamessaging.com
mx.thunderbird.net
mx-live.mozillamessaging.com
support.thunderbird.net
support.mozillamessaging.com
support.live.mozillamessaging.com

I think this is the complete list of domains we might need. I'm 100% certain about the thunderbird.net ones, but maybe give a quick look at the mozillamessaging.com DNS configuration and see if I missed any aliases of anything there.
Here's a complete snapshot of all mozillamessaging.com DNS records we have live today for your cross-checking:

mozillamessaging.com MX 10 mx1.scl3.mozilla.com
mozillamessaging.com MX 10 mx2.scl3.mozilla.com
*.www.mozillamessaging.com CNAME mozillamessaging.com
autoconfig-live.mozillamessaging.com CNAME autoconfig.thunderbird.net
broker-live.mozillamessaging.com CNAME broker.thunderbird.net
live.mozillamessaging.com CNAME live.thunderbird.net
mx-live.mozillamessaging.com CNAME mx.thunderbird.net
support.live.mozillamessaging.com CNAME support.thunderbird.net
support.mozillamessaging.com CNAME support.thunderbird.net
www.mozillamessaging.com CNAME mozillamessaging.com
mozillamessaging.com A 63.245.213.56
(In reply to Andrei Hajdukewycz [:sancus] from comment #1)
> I think this is the complete list of domains we might need. I'm 100% certain
> about the thunderbird.net ones, but maybe give a quick look at the
> mozillamessaging.com DNS configuration and see if I missed any aliases of
> anything there.

thunderbird.net
www.thunderbird.net

These are correct; you'll be hosting top-level and www, and we're hosting these two for messaging.

live.thunderbird.net
live.mozillamessaging.com

Seems okay.

autoconfig.thunderbird.net
autoconfig.mozillamessaging.com
autoconfig-live.mozillamessaging.com

We don't have "autoconfig.mozillamessaging.com" in DNS; can we remove that here?

broker.thunderbird.net
broker-live.mozillamessaging.com

Confirmed absence of 'broker.mozillamessaging.com' from DNS.

mx.thunderbird.net
mx-live.mozillamessaging.com

Confirmed absence of 'mx.mozillamessaging.com' from DNS.

support.thunderbird.net
support.mozillamessaging.com
support.live.mozillamessaging.com

These are good.
Yeah, you can remove autoconfig.mozillamessaging.com, it never existed. Full list is repeated again below with only autoconfig.mozillamessaging.com removed.

thunderbird.net
www.thunderbird.net
live.thunderbird.net
live.mozillamessaging.com
autoconfig.thunderbird.net
autoconfig-live.mozillamessaging.com
broker.thunderbird.net
broker-live.mozillamessaging.com
mx.thunderbird.net
mx-live.mozillamessaging.com
support.thunderbird.net
support.mozillamessaging.com
support.live.mozillamessaging.com
One per line format for Digicert:

thunderbird.net
www.thunderbird.net
live.thunderbird.net
live.mozillamessaging.com
autoconfig.thunderbird.net
autoconfig-live.mozillamessaging.com
broker.thunderbird.net
broker-live.mozillamessaging.com
mx.thunderbird.net
mx-live.mozillamessaging.com
support.thunderbird.net
support.mozillamessaging.com
support.live.mozillamessaging.com
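The cross-check done by hand in the comments above (requested SAN names versus the pasted DNS snapshot, which caught the non-existent autoconfig.mozillamessaging.com) can be scripted. This is an added example, not code from the bug or from Mozilla; the record text and hostnames are copied from the comments, and the "name type target" line layout is an assumption about how the snapshot was pasted.

```python
"""Cross-check a requested SAN list against a DNS zone snapshot."""

# The 14-name list from comment #1, before autoconfig.mozillamessaging.com was dropped.
REQUESTED_SANS = [
    "thunderbird.net", "www.thunderbird.net", "live.thunderbird.net",
    "live.mozillamessaging.com", "autoconfig.thunderbird.net",
    "autoconfig.mozillamessaging.com", "autoconfig-live.mozillamessaging.com",
    "broker.thunderbird.net", "broker-live.mozillamessaging.com",
    "mx.thunderbird.net", "mx-live.mozillamessaging.com",
    "support.thunderbird.net", "support.mozillamessaging.com",
    "support.live.mozillamessaging.com",
]

# Constructed from the DNS snapshot pasted in the bug ("Edit" link text removed).
DNS_SNAPSHOT = """\
mozillamessaging.com MX 10 mx1.scl3.mozilla.com
mozillamessaging.com MX 10 mx2.scl3.mozilla.com
*.www.mozillamessaging.com CNAME mozillamessaging.com
autoconfig-live.mozillamessaging.com CNAME autoconfig.thunderbird.net
broker-live.mozillamessaging.com CNAME broker.thunderbird.net
live.mozillamessaging.com CNAME live.thunderbird.net
mx-live.mozillamessaging.com CNAME mx.thunderbird.net
support.live.mozillamessaging.com CNAME support.thunderbird.net
support.mozillamessaging.com CNAME support.thunderbird.net
www.mozillamessaging.com CNAME mozillamessaging.com
mozillamessaging.com A 63.245.213.56
"""

def parse_zone(text):
    """Map each owner name to its list of (rtype, target) records."""
    zone = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            zone.setdefault(parts[0].lower(), []).append((parts[1].upper(), parts[-1].lower()))
    return zone

def name_matches(pattern, hostname):
    """Exact match, or a leftmost '*' label that covers exactly one label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname

def covered(hostname, patterns):
    """True if any pattern (DNS owner name or certificate SAN entry) matches hostname."""
    return any(name_matches(p, hostname) for p in patterns)

def cross_check(requested, zone_text, domain):
    """Return (requested names under `domain` with no A/CNAME in DNS, DNS names not requested)."""
    zone = parse_zone(zone_text)
    in_dns = {n for n, rrs in zone.items() if any(t in ("A", "CNAME") for t, _ in rrs)}
    wanted = {h.lower() for h in requested if h.lower() == domain or h.lower().endswith("." + domain)}
    return (sorted(h for h in wanted if not covered(h, in_dns)),
            sorted(n for n in in_dns if n not in wanted))
```

`covered()` also serves after issuance: run the final 13-name list against the SAN entries read out of the delivered certificate to confirm nothing was dropped by the CA.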
Double-checked, looks good!
Delivered, n? :sancus to RESO FIXE when they're verified working on his load balancers
Flags: needinfo?(sancus)
This is working at 104.200.27.94, see:

curl -iL --resolve live.thunderbird.net:443:104.200.27.94 https://live.thunderbird.net/thunderbird/start

I have also stored the key (encrypted using git-crypt) and cert in our repo https://github.com/thundernest/thundernest-ansible/tree/master/files (privkey.pem and fullchain.pem) in case there is any need for anyone other than me to access them, unlikely as that may be.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(sancus)
Resolution: --- → FIXED
:sancus, when you're done with it, please let us know (reopen this bug if it's less than a week since I closed it, or otherwise file a new bug in this same component) to revoke the certificate we issued you. Please mention Digicert order #1365607 to whoever helps you out with that revoke.
Ping?
(In reply to Richard Soderberg [:atoll] from comment #10)
> Ping?

hey atoll see 1353840 if you're still waiting on that ping back