Closed
Bug 1438223
Opened 7 years ago
Closed 7 years ago
PKI: verify if mozdef machines can use LEA or need Private PKI
Categories: Infrastructure & Operations Graveyard :: WebOps: Other (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: sidler, Assigned: sidler
Details: Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6218]
mozdef.private.scl3.mozilla.com
mozdef1.private.scl3.mozilla.com
mozdef3.private.scl3.mozilla.com
mozdefes10.private.scl3.mozilla.com
mozdefes11.private.scl3.mozilla.com
mozdefes6.private.scl3.mozilla.com
mozdefes7.private.scl3.mozilla.com
mozdefes8.private.scl3.mozilla.com
mozdefes9.private.scl3.mozilla.com
eis-automation1.private.scl3.mozilla.com
nxp-con3.private.scl3.mozilla.com
syslog-proxy1.dmz.scl3.mozilla.com
syslog1.private.scl3.mozilla.com
Check with Alicia or Tristan
Updated•7 years ago
Summary: verify if mozdef machines can use LEA or need Private PKI → PKI: verify if mozdef machines can use LEA or need Private PKI
Comment 1•7 years ago
Comment 2•7 years ago
You were missing a couple of hosts there, so I added them in for you.
The mozdef hosts will stay on digicert certs due to the nature of the data that they contain and because we don't want to have to maintain and renew often (at least right now, as we don't have the bandwidth to create the required pieces to facilitate this).
mozdef.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or migrated to mdc1 (these will need digicert certs)
mozdef1.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef2.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef3.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef4.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef5.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef6.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef7.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdef8.private.scl3.mozilla.com is a vm that will either be decommissioned if replaced by a new vm or be migrated to mdc1 (these will need digicert certs)
mozdefes10.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
mozdefes11.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
mozdefes6.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
mozdefes7.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
mozdefes8.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
mozdefes9.private.scl3.mozilla.com is physical hardware that will be migrated to mdc1 (these will need digicert certs)
eis-automation1.private.scl3.mozilla.com this will need to be migrated or a new host spun up and this one decom'd, I will have to wait until Tristan comes back from parental leave before I know which avenue we are taking on this. This may be a great candidate for LE certs - again this will fall on Tristan to make the call.
nxp-con3.private.scl3.mozilla.com will be decommissioned as we have an mdc1 host (eis-scanner1); however, we will want this to be decommissioned as one of the last pieces since we use it to keep up with vulnerabilities in scl3 infra. I have not checked to see if that host has a cert (in mdc1 - I am thinking it does not, but will check and verify).
syslog-proxy1.dmz.scl3.mozilla.com will be decommissioned as soon as 1445816, 1442469 and 1450049 are completed. We have already spun up syslog-proxy1.mdc1.mozilla.com to take its place, and it is using digicert certs.
syslog1.private.scl3.mozilla.com, syslog1.private.mdc1 and mdc2 are configured and already pointed to mozdef and using digicert certs. syslog1 in scl3 will be decommissioned after most of the infra is removed from scl3 so that we are not without visibility into infra there.
Let me know if there are any further questions!
Flags: needinfo?(sidler)
Comment 3•7 years ago
Thanks Alicia,
The purpose of this bug is to identify if any of these hosts that need a cert can use LE instead of DigiCert public certs.
I am thinking of using something like:
https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_infoblox.sh
But the system must be able to reach out to LE over the public internet and then talk to our infoblox website.
So if you know that this is not possible for any of the machines above that will be around in mdc1,2 and that you have marked with DigiCert could instead potentially use this method, that's what I need.
Thanks,
Scott
Flags: needinfo?(sidler) → needinfo?(asmith)
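As an added example, not code from this bug, from Mozilla or from the acme.sh project, here is a POSIX shell check of the two prerequisites Scott names for the acme.sh `dns_infoblox` route: the host must reach Let's Encrypt's ACME API over the public internet, and it must reach the Infoblox API through which `dns_infoblox` publishes the DNS-01 `_acme-challenge` TXT record. The ACME directory URL is Let's Encrypt's real production endpoint; the Infoblox URL is a placeholder assumption, and `probe`, `decide`, `check_host` and `RUN_LE_CHECK` are names chosen here. The commented-out acme.sh invocation follows the `dns_infoblox` usage as documented in the acme.sh wiki (`Infoblox_Creds`, `Infoblox_Server`) at the time of writing.

```shell
#!/bin/sh
# Added example: can this host take the acme.sh + Infoblox (DNS-01) route?
# Two things must hold, per the discussion in the bug: outbound HTTPS to
# Let's Encrypt, and HTTPS access to the Infoblox API that acme.sh uses to
# publish the _acme-challenge TXT record.

# Let's Encrypt production ACME directory (real public endpoint).
ACME_DIR="${ACME_DIR:-https://acme-v02.api.letsencrypt.org/directory}"
# Placeholder (assumption): the organisation's Infoblox WAPI base URL.
INFOBLOX_URL="${INFOBLOX_URL:-https://infoblox.example.invalid/wapi/v2.7/}"

# probe URL: exit 0 when a TLS connection is made and any HTTP response
# comes back (a 401 from Infoblox still counts as reachable), 1 otherwise.
# --fail is deliberately omitted: this tests the network path, not credentials.
probe() {
  curl --silent --output /dev/null --connect-timeout 5 --max-time 10 "$1"
}

# decide LE_RC INFOBLOX_RC: map the two probe results to a verdict.
decide() {
  if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
    echo "LE-eligible"          # both paths open: acme.sh dns_infoblox can work
  elif [ "$1" -ne 0 ]; then
    echo "no-public-egress"     # cannot reach the ACME API: stays on DigiCert/private PKI
  else
    echo "no-infoblox-access"   # reaches LE but cannot publish the DNS-01 record
  fi
}

# check_host: run both probes from the machine this is executed on and print
# "<fqdn> <verdict>", one line per candidate host from the bug's list.
check_host() {
  le=1; ib=1
  probe "$ACME_DIR" && le=0
  probe "$INFOBLOX_URL" && ib=0
  printf '%s %s\n' "$(hostname -f 2>/dev/null || hostname)" "$(decide "$le" "$ib")"
}

# Only a host judged LE-eligible would then be issued a cert, e.g.
#   export Infoblox_Creds='user:password' Infoblox_Server='infoblox.example.invalid'
#   acme.sh --issue --dns dns_infoblox -d "$(hostname -f)"
# (credentials come from the environment of the acme.sh user, never from this file).

if [ "${RUN_LE_CHECK:-0}" = "1" ]; then
  check_host
fi
```

Run it on each candidate host with `RUN_LE_CHECK=1 sh le-prereq-check.sh`; any host that reports something other than `LE-eligible` is one of the cases Scott asks Alicia to flag, and stays on DigiCert or private PKI.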
Comment 4•7 years ago
I'll be speaking with my team about this on Wednesday this week 04/11
Comment 5•7 years ago
The team is using DigiCert in the interim to get off of the root-ca certs, but is open to perhaps using some LE automation in the future.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Flags: needinfo?(asmith)
Updated•6 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard