Closed Bug 1452813 Opened 7 years ago Closed 7 years ago

Create new certs for SCL3 to MDC1 & MDC2 Vidyo infra cut-over

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jhelmers, Assigned: sidler)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6561])

Hello,

Can AVops please have certificates created for the following -

webrtc-beta1.av.mdc1.mozilla.com
vgateway-beta1.av.mdc1.mozilla.com
vgateway1.mdc1.mozilla.com
vgateway2.mdc1.mozilla.com
vportal-beta1.corpdmz.mdc1.mozilla.com
vportal-beta1.av.mdc1.mozilla.com
vportal1.mdc1.mozilla.com
vportal2.mdc1.mozilla.com
vreplay1.mdc1.mozilla.com
vreplay2.mdc1.mozilla.com
vrouter1.mdc1.mozilla.com
vrouter2.mdc1.mozilla.com
vrouter3.mdc1.mozilla.com
vrouter4.mdc2.mozilla.com
vrouter5.mdc2.mozilla.com
vrouter1.ber3.mozilla.com
vrouter1.lon2.mozilla.com
vrouter1.mtv2.mozilla.com
vrouter1.par1.mozilla.com
vrouter1.sfo1.mozilla.com
vrouter1.yvr1.mozilla.com
vrouter1.pdx1.mozilla.com
vrouter1.pocket1.mozilla.com
vrouter1.av.tpe1.mozilla.com
vrouter1.tor1.mozilla.com
vrouter1.av.pek2.mozilla.com
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6465]
Assignee: server-ops-webops → sidler
It is my understanding there was some discussion before I started that single certs were recommended for security reasons. Can you comment on this?
Final list of names:

v.mozilla.com
v.allizom.org
vreplay.mozilla.com
webrtc-beta1.av.mdc1.mozilla.com
vgateway-beta1.av.mdc1.mozilla.com
vportal-beta1.corpdmz.mdc1.mozilla.com
vportal-beta1.av.mdc1.mozilla.com
vgateway1.mdc1.mozilla.com
vgateway2.mdc1.mozilla.com
vportal1.mdc1.mozilla.com
vportal2.mdc1.mozilla.com
vreplay1.mdc1.mozilla.com
vreplay2.mdc1.mozilla.com
vrouter1.mdc1.mozilla.com
vrouter2.mdc1.mozilla.com
vrouter3.mdc1.mozilla.com
vrouter4.mdc2.mozilla.com
vrouter5.mdc2.mozilla.com
vrouter1.ber3.mozilla.com
vrouter1.lon2.mozilla.com
vrouter1.mtv2.mozilla.com
vrouter1.par1.mozilla.com
vrouter1.sfo1.mozilla.com
vrouter1.yvr1.mozilla.com
vrouter1.pdx1.mozilla.com
vrouter1.pocket1.mozilla.com
vrouter1.av.tpe1.mozilla.com
vrouter1.tor1.mozilla.com
vrouter1.av.pek2.mozilla.com
><(((º> autocert create san.vidyo.mozilla.com -o c -b 1452813 --sans-file vidyo.sans -v2
certs:
- san.vidyo.mozilla.com@5213be38:
    authority:
      digicert:
        order_id: 2824695
    bug: '1452813'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Wed, 17 Apr 2019 00:00:00 GMT
    modhash: 5213be38f16791a57ee3c5156877ace4
    sans:
    - v.mozilla.com
    - v.allizom.org
    - vreplay.mozilla.com
    - webrtc-beta1.av.mdc1.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - vportal-beta1.av.mdc1.mozilla.com
    - vgateway1.mdc1.mozilla.com
    - vgateway2.mdc1.mozilla.com
    - vportal1.mdc1.mozilla.com
    - vportal2.mdc1.mozilla.com
    - vreplay1.mdc1.mozilla.com
    - vreplay2.mdc1.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter2.mdc1.mozilla.com
    - vrouter3.mdc1.mozilla.com
    - vrouter4.mdc2.mozilla.com
    - vrouter5.mdc2.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vrouter1.lon2.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    - vrouter1.tor1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    tardata:
      san.vidyo.mozilla.com@5213be38.tar.gz:
        san.vidyo.mozilla.com@5213be38.crt: CRT
        san.vidyo.mozilla.com@5213be38.csr: CSR
        san.vidyo.mozilla.com@5213be38.key: KEY
    timestamp: Thu, 12 Apr 2018 20:33:39 GMT

The san cert can be picked up on
server: autocert1.private.scl3.mozilla.com
filepath: /data/autocert/certs/san.vidyo.mozilla.com@5213be38.tar.gz

The README inside of the tarbundle explains the contents. Let me know if you need help with anything.
Closing this as done. Please let us know when you have deployed these certs and we can revoke the previous one.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Hello Scott,

We have deployed these certs, and everything works beautifully. I wanted to get some clarification, which "previous" cert bundle were you looking to revoke in Comment 4? If it's the cert that's still being used on v.mozilla.com, that won't be good to revoke until late June.

We have added some new devices that will need to be added to this cert.

- v.mozilla.com
- v.allizom.org
- vreplay.mozilla.com
- webrtc-beta1.av.mdc1.mozilla.com
- vgateway-beta1.av.mdc1.mozilla.com
- vportal-beta1.corpdmz.mdc1.mozilla.com
- vportal-beta1.av.mdc1.mozilla.com
- vgateway1.mdc1.mozilla.com
- vgateway2.mdc1.mozilla.com
- vportal1.mdc1.mozilla.com
- vportal2.mdc1.mozilla.com
- vreplay1.mdc1.mozilla.com
- vreplay2.mdc1.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter2.mdc1.mozilla.com
- vrouter3.mdc1.mozilla.com
- vrouter4.mdc2.mozilla.com
- vrouter5.mdc2.mozilla.com
- vrouter1.ber3.mozilla.com
- vrouter1.lon2.mozilla.com
- vrouter1.mtv2.mozilla.com
- vrouter1.par1.mozilla.com
- vrouter1.sfo1.mozilla.com
- vrouter1.yvr1.mozilla.com
- vrouter1.pdx1.mozilla.com
- vrouter1.pocket1.mozilla.com
- vrouter1.av.tpe1.mozilla.com
- vrouter1.tor1.mozilla.com
- vrouter1.av.pek2.mozilla.com

*******NEW********

- webrtc1.mdc1.mozilla.com
- webrtc2.mdc1.mozilla.com
- webrtc3.mdc1.mozilla.com
- webrtc4.mdc1.mozilla.com
- webrtc5.mdc1.mozilla.com
- webrtc6.mdc1.mozilla.com
- webrtc7.mdc1.mozilla.com
- webrtc8.mdc1.mozilla.com
- webrtc9.mdc1.mozilla.com
- webrtc10.mdc1.mozilla.com
- webrtc11.mdc2.mozilla.com
- webrtc12.mdc2.mozilla.com
- webrtc13.mdc2.mozilla.com
- webrtc14.mdc2.mozilla.com
- webrtc15.mdc2.mozilla.com
- webrtc16.mdc2.mozilla.com
Flags: needinfo?(smani)
Flags: needinfo?(sidler)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6465] → [kanban:https://webops.kanbanize.com/ctrl_board/2/6561]
><(((º> autocert renew -o c -b 1452813 san.vidyo.mozilla.com@5213be38 --sans-file vidyo.sans --no-whois-check -v2
certs:
- san.vidyo.mozilla.com@5213be38:
    authority:
      digicert:
        order_id: 2933797
    bug: '1452813'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Wed, 11 Sep 2019 00:00:00 GMT
    modhash: 5213be38f16791a57ee3c5156877ace4
    sans:
    - webrtc5.mdc1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - webrtc11.mdc2.mozilla.com
    - vreplay2.mdc1.mozilla.com
    - webrtc8.mdc1.mozilla.com
    - vrouter2.mdc1.mozilla.com
    - webrtc15.mdc2.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vportal2.mdc1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    - vgateway1.mdc1.mozilla.com
    - webrtc7.mdc1.mozilla.com
    - webrtc4.mdc1.mozilla.com
    - vreplay1.mdc1.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - webrtc10.mdc1.mozilla.com
    - webrtc13.mdc2.mozilla.com
    - webrtc16.mdc2.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - webrtc9.mdc1.mozilla.com
    - vrouter3.mdc1.mozilla.com
    - vreplay.mozilla.com
    - vportal1.mdc1.mozilla.com
    - webrtc3.mdc1.mozilla.com
    - webrtc12.mdc2.mozilla.com
    - vrouter1.tor1.mozilla.com
    - webrtc1.mdc1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - webrtc14.mdc2.mozilla.com
    - vrouter1.lon2.mozilla.com
    - v.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vrouter4.mdc2.mozilla.com
    - webrtc2.mdc1.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - webrtc-beta1.av.mdc1.mozilla.com
    - vrouter5.mdc2.mozilla.com
    - vgateway2.mdc1.mozilla.com
    - v.allizom.org
    - vportal-beta1.av.mdc1.mozilla.com
    - webrtc6.mdc1.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    tardata:
      san.vidyo.mozilla.com@5213be38.tar.gz:
        san.vidyo.mozilla.com@5213be38.crt: CRT
        san.vidyo.mozilla.com@5213be38.csr: CSR
        san.vidyo.mozilla.com@5213be38.key: KEY
    timestamp: Thu, 12 Apr 2018 20:33:39 GMT
Flags: needinfo?(sidler)
ugh, that ^^^ output is not sorted; but this is:

><(((º> ac ls san.vidyo -v2 [1/1875]
certs:
- san.vidyo.mozilla.com@5213be38:
    authority:
      digicert:
        matched: true
        order_id: 2933797
    bug: '1452813'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Wed, 11 Sep 2019 00:00:00 GMT
    modhash: 5213be38f16791a57ee3c5156877ace4
    sans:
    - v.allizom.org
    - v.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vgateway1.mdc1.mozilla.com
    - vgateway2.mdc1.mozilla.com
    - vportal-beta1.av.mdc1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - vportal1.mdc1.mozilla.com
    - vportal2.mdc1.mozilla.com
    - vreplay.mozilla.com
    - vreplay1.mdc1.mozilla.com
    - vreplay2.mdc1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vrouter1.lon2.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - vrouter1.tor1.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter2.mdc1.mozilla.com
    - vrouter3.mdc1.mozilla.com
    - vrouter4.mdc2.mozilla.com
    - vrouter5.mdc2.mozilla.com
    - webrtc-beta1.av.mdc1.mozilla.com
    - webrtc1.mdc1.mozilla.com
    - webrtc10.mdc1.mozilla.com
    - webrtc11.mdc2.mozilla.com
    - webrtc12.mdc2.mozilla.com
    - webrtc13.mdc2.mozilla.com
    - webrtc14.mdc2.mozilla.com
    - webrtc15.mdc2.mozilla.com
    - webrtc16.mdc2.mozilla.com
    - webrtc2.mdc1.mozilla.com
    - webrtc3.mdc1.mozilla.com
    - webrtc4.mdc1.mozilla.com
    - webrtc5.mdc1.mozilla.com
    - webrtc6.mdc1.mozilla.com
    - webrtc7.mdc1.mozilla.com
    - webrtc8.mdc1.mozilla.com
    - webrtc9.mdc1.mozilla.com
    tardata:
      san.vidyo.mozilla.com@5213be38.tar.gz:
        san.vidyo.mozilla.com@5213be38.crt: CRT
        san.vidyo.mozilla.com@5213be38.csr: CSR
        san.vidyo.mozilla.com@5213be38.key: KEY
    timestamp: Thu, 12 Apr 2018 20:33:39 GMT
I gpg'd the tarball and sent it to mrichards@mozilla.com
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Thanks Scott! Applied new certs to all infra in MDC! You're clear to revoke the "old" san cert from Comment 3
Flags: needinfo?(smani)