Closed Bug 1442470 Opened 7 years ago Closed 7 years ago

Discussion about certs for fxa logs sent to rabbitmq using ssl connection on syslog-proxy1 in mdc1. (migrating from syslog-proxy1 in scl3)

Categories: Firefox :: Firefox Accounts (enhancement)
Priority: Not set
Severity: normal


RESOLVED FIXED

People

(Reporter: phrozyn, Unassigned)

Details

Hello! I'm opening this bug as we are in the process of migrating our syslog-proxy1.dmz.scl3.mozilla.com event sources to a new host in mdc1 (syslog-proxy1.dmz.mdc1.mozilla.com, bug 1439994). The connection from fxa is over SSL to the current syslog-proxy1 host, and I'm not sure if you guys had to configure a client cert on your end to facilitate this connectivity, or if you are simply negotiating an SSL connection. This bug is to start discovery around this and ensure that we determine all requirements before starting work on it. If this host is configured to send with a Mozilla CA-signed certificate, then we will need to provision a new certificate (publicly signed, DigiCert). If not, then no other work will be needed around that other than to point the fxa events to the new host once it's fully configured. Please let me know the configuration details on your side. Thank you!
Flags: needinfo?(ckolos)
302 -> :jbuck
Flags: needinfo?(ckolos) → needinfo?(jbuckley)
Sorry. What's the route on that? Or better, do you have an active connection, and if so, what is the IP:port of that?
Flags: needinfo?(jbuckley)
54.187.93.80:39013 appears to be the IP:port. You are connecting to syslog-proxy1.dmz.scl3.mozilla.com port 5671 to send these events.
Flags: needinfo?(jrgm)
Ahh, this is the fxa-heka box i-9b4a0583. :whd, do you know how this box is configured to connect to syslog?

> The connection from fxa is over ssl to the current syslog-proxy1 host, and I'm not sure if you guys had to configure a client cert on your end to facilitate this connectivity, or if you are simply negotiating an ssl connection.
Flags: needinfo?(jrgm) → needinfo?(whd)
We're connecting over AMQPS to syslog-proxy1.scl3.mozilla.com:5671, without a Mozilla-signed cert, so I agree with the assessment that the only work needed fxa-side will be to point the fxa events to the new host once it's fully configured.
Flags: needinfo?(whd)
When you have a chance, can we point these events to syslog-proxy1.mdc1.mozilla.com? The port is 5671 (TLS).
Flags: needinfo?(whd)
I can't resolve syslog-proxy1.mdc1.mozilla.com from AWS. This might have to wait until the DNS cutover that I believe is happening soon.
Flags: needinfo?(whd)
Agreed, I did ping johnb earlier about it - once he's told me it's good, I'll check and then update you.
These flows are open, and I see a connection to the fxa queue. Let me know when you want to test switching from scl3 to mdc1 on syslog-proxy1.
Flags: needinfo?(whd)
When testing I observed the following:

    Error making runner for MozDefOutput: Initialization failed for 'MozDefOutput': x509: certificate is valid for syslog-proxy1.dmz.mdc1.mozilla.com, not syslog-proxy1.mdc1.mozilla.com

syslog-proxy1.dmz.mdc1.mozilla.com does not resolve.
Flags: needinfo?(whd)
We need a SAN certificate to cover the public and private endpoints of this service, which has been requested in 1456879.
(In reply to Brian Hourigan [:digi] from comment #11)
> 1456879.

Whoops! Bug 1456897.
(In reply to Brian Hourigan [:digi] from comment #11)
> We need a SAN certificate to cover the public and private endpoints of this
> service, which has been requested in 1456897.

Updated certificate in 66ce1448f3fe4c4027fa1025a07f37394c1186b0, waiting for deploy. Will follow up with verification.
Having difficulty initiating an SSL connection to rabbitmq with openssl s_client. :whd, could you please retest?
Flags: needinfo?(whd)
Upon retesting it appears to have worked, so I left it pointed at the new hostname and put in https://github.com/mozilla-services/puppet-config/pull/2727 to reflect this change.
Flags: needinfo?(whd)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED