Closed Bug 1438222 Opened 7 years ago Closed 7 years ago

PKI: verify if aus4-admin.mozilla.org can use LEA or will need Private PKI

Categories: Infrastructure & Operations Graveyard :: WebOps: Other, task
Type: task, Priority: Not set, Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: sidler, Assigned: sidler
Details: Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6216]

Summary: PKI: verify if aus4-admin.mozilla.org will need a private cert → PKI: verify if aus4-admin.mozilla.org can use LEA or will need Private PKI
check with bhearsum on IRC
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6216]
Assignee: server-ops-webops → sidler
This host(s) is currently using a cert created from our internal root-ca. We are decommissioning all uses of certs from the root-ca in 2018. Most certs can be retrieved from LE automation via https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_infoblox.sh
1) Does this host(s) require an SSL cert?
2) Does this host(s) survive scl3 exit?
3) Can this host use LE automation (acme.sh, certbot, etc)?
4) If not, can this cert use a public SSL cert from DigiCert?
5) If not, can this cert use a private PKI cert from DigiCert?
I can confirm that aus4-admin.mozilla.org is currently using a public SSL certificate issued by DigiCert.
Thanks :jbuck, would it be a candidate to use the LE automation I mention above? Basically requires a cron job that grabs that repo and runs the script with some parameters. The script will communicate with LE servers over the internet and then coordinate with our internal infoblox server for doing DNS auth. Once set up, LE certs will be automatically updated every 2mos. Getting rid of root-ca generated certs is part of this work for me. The other part is identifying potential hosts that can benefit from the LE automation.
Flags: needinfo?(jbuckley)
No, I don't think it's a good candidate for LE automation.
Flags: needinfo?(jbuckley)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard