Closed Bug 1462826 Opened 7 years ago Closed 7 years ago

Create new certs for MDC1 & MDC2 infra cut-over to the AV vlan

Categories

(Infrastructure & Operations :: SSL Certificates, task)

RESOLVED FIXED

People

(Reporter: freshness, Assigned: sidler)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6626])

- v.allizom.org
- v.mozilla.com
- vgateway-beta1.av.mdc1.mozilla.com
- vgateway1.av.mdc1.mozilla.com
- vgateway2.av.mdc1.mozilla.com
- vportal-beta1.av.mdc1.mozilla.com
- vportal-beta1.corpdmz.mdc1.mozilla.com
- vportal1.av.mdc1.mozilla.com
- vportal2.av.mdc1.mozilla.com
- vreplay.mozilla.com
- vreplay1.av.mdc1.mozilla.com
- vreplay2.av.mdc1.mozilla.com
- vrouter1.av.pek2.mozilla.com
- vrouter1.av.tpe1.mozilla.com
- vrouter1.ber3.mozilla.com
- vrouter1.lon2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter1.mtv2.mozilla.com
- vrouter1.par1.mozilla.com
- vrouter1.pdx1.mozilla.com
- vrouter1.pocket1.mozilla.com
- vrouter1.sfo1.mozilla.com
- vrouter1.tor1.mozilla.com
- vrouter1.yvr1.mozilla.com
- vrouter2.av.mdc1.mozilla.com
- vrouter3.av.mdc1.mozilla.com
- vrouter4.av.mdc2.mozilla.com
- vrouter5.av.mdc2.mozilla.com
- webrtc-beta1.av.mdc1.mozilla.com
- webrtc1.av.mdc1.mozilla.com
- webrtc2.av.mdc1.mozilla.com
- webrtc3.av.mdc1.mozilla.com
- webrtc4.av.mdc1.mozilla.com
- webrtc5.av.mdc1.mozilla.com
- webrtc6.av.mdc1.mozilla.com
- webrtc7.av.mdc1.mozilla.com
- webrtc8.av.mdc1.mozilla.com
- webrtc9.av.mdc1.mozilla.com
- webrtc10.av.mdc1.mozilla.com
- webrtc11.av.mdc2.mozilla.com
- webrtc12.av.mdc2.mozilla.com
- webrtc13.av.mdc2.mozilla.com
- webrtc14.av.mdc2.mozilla.com
- webrtc15.av.mdc2.mozilla.com
- webrtc16.av.mdc2.mozilla.com
><(((º> autocert create -o c -b 1462826 san.vidyo.mozilla.com --sans-file vidyo.sans --no-whois-check -v2
certs:
- san.vidyo.mozilla.com@263d9924:
    authority:
      digicert:
        order_id: 2976320
    bug: '1462826'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Wed, 29 May 2019 00:00:00 GMT
    modhash: 263d99240f14d0bef582d428c2eaa613
    sans:
    - v.allizom.org
    - v.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vgateway1.av.mdc1.mozilla.com
    - vgateway2.av.mdc1.mozilla.com
    - vportal-beta1.av.mdc1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - vportal1.av.mdc1.mozilla.com
    - vportal2.av.mdc1.mozilla.com
    - vreplay.mozilla.com
    - vreplay1.av.mdc1.mozilla.com
    - vreplay2.av.mdc1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vrouter1.lon2.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - vrouter1.tor1.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter2.av.mdc1.mozilla.com
    - vrouter3.av.mdc1.mozilla.com
    - vrouter4.av.mdc2.mozilla.com
    - vrouter5.av.mdc2.mozilla.com
    - webrtc-beta1.av.mdc1.mozilla.com
    - webrtc1.av.mdc1.mozilla.com
    - webrtc2.av.mdc1.mozilla.com
    - webrtc3.av.mdc1.mozilla.com
    - webrtc4.av.mdc1.mozilla.com
    - webrtc5.av.mdc1.mozilla.com
    - webrtc6.av.mdc1.mozilla.com
    - webrtc7.av.mdc1.mozilla.com
    - webrtc8.av.mdc1.mozilla.com
    - webrtc9.av.mdc1.mozilla.com
    - webrtc10.av.mdc1.mozilla.com
    - webrtc11.av.mdc2.mozilla.com
    - webrtc12.av.mdc2.mozilla.com
    - webrtc13.av.mdc2.mozilla.com
    - webrtc14.av.mdc2.mozilla.com
    - webrtc15.av.mdc2.mozilla.com
    - webrtc16.av.mdc2.mozilla.com
    tardata:
      san.vidyo.mozilla.com@263d9924.tar.gz:
        san.vidyo.mozilla.com@263d9924.crt: CRT
        san.vidyo.mozilla.com@263d9924.csr: CSR
        san.vidyo.mozilla.com@263d9924.key: KEY
    timestamp: Mon, 21 May 2018 16:30:19 GMT
><(((º> ac ls san.vidyo
certs:
- san.vidyo.mozilla.com@263d9924: Wed, 29 May 2019 00:00:00 GMT #new cert, keep
- san.vidyo.mozilla.com@5213be38: Wed, 11 Sep 2019 00:00:00 GMT #old cert, revoke once migrated
Assignee: server-ops-webops → sidler
I want to revoke the old cert now; can I?
Flags: needinfo?(mrichards)
Not yet, as the infra has not been ported over to the av vlan yet. Will update as soon as that's done and the new certs are applied.
Flags: needinfo?(mrichards)
><(((º> autocert revoke -b 1462826 san.vidyo.mozilla.com@5213be38
certs:
- san.vidyo.mozilla.com@5213be38: Mon, 25 Jun 2018 21:04:41 GMT
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Since we're still in the early stages of MDC migration attempt #2, we're doing some housekeeping with our certs:
**Turns out vrouter1.av.mdc1.mozilla.com was not included in the original tarball
**Pocket office abbreviation has been changed to "sfo2"
Updated/current list below:
- v.allizom.org
- v.mozilla.com
- vgateway-beta1.av.mdc1.mozilla.com
- vgateway1.av.mdc1.mozilla.com
- vgateway2.av.mdc1.mozilla.com
- vportal-beta1.av.mdc1.mozilla.com
- vportal-beta1.corpdmz.mdc1.mozilla.com
- vportal1.av.mdc1.mozilla.com
- vportal2.av.mdc1.mozilla.com
- vreplay.mozilla.com
- vreplay1.av.mdc1.mozilla.com
- vreplay2.av.mdc1.mozilla.com
- vrouter1.av.pek2.mozilla.com
- vrouter1.av.tpe1.mozilla.com
- vrouter1.ber3.mozilla.com
- vrouter1.lon2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter1.mtv2.mozilla.com
- vrouter1.par1.mozilla.com
- vrouter1.pdx1.mozilla.com
- vrouter1.sfo1.mozilla.com
- vrouter1.sfo2.mozilla.com
- vrouter1.tor1.mozilla.com
- vrouter1.yvr1.mozilla.com
- vrouter1.av.mdc1.mozilla.com
- vrouter2.av.mdc1.mozilla.com
- vrouter3.av.mdc1.mozilla.com
- vrouter4.av.mdc2.mozilla.com
- vrouter5.av.mdc2.mozilla.com
- webrtc-beta1.av.mdc1.mozilla.com
- webrtc1.av.mdc1.mozilla.com
- webrtc2.av.mdc1.mozilla.com
- webrtc3.av.mdc1.mozilla.com
- webrtc4.av.mdc1.mozilla.com
- webrtc5.av.mdc1.mozilla.com
- webrtc6.av.mdc1.mozilla.com
- webrtc7.av.mdc1.mozilla.com
- webrtc8.av.mdc1.mozilla.com
- webrtc9.av.mdc1.mozilla.com
- webrtc10.av.mdc1.mozilla.com
- webrtc11.av.mdc2.mozilla.com
- webrtc12.av.mdc2.mozilla.com
- webrtc13.av.mdc2.mozilla.com
- webrtc14.av.mdc2.mozilla.com
- webrtc15.av.mdc2.mozilla.com
- webrtc16.av.mdc2.mozilla.com
Status: RESOLVED → REOPENED
Flags: needinfo?(sidler)
Resolution: FIXED → ---
><(((º> autocert ls san.vidyo -v2
certs:
- san.vidyo.mozilla.com@263d9924:
    authority:
      digicert:
        matched: true
        order_id: 2976320
    bug: '1462826'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Wed, 29 May 2019 00:00:00 GMT
    modhash: 263d99240f14d0bef582d428c2eaa613
    sans:
    - v.allizom.org
    - v.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vgateway1.av.mdc1.mozilla.com
    - vgateway2.av.mdc1.mozilla.com
    - vportal-beta1.av.mdc1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - vportal1.av.mdc1.mozilla.com
    - vportal2.av.mdc1.mozilla.com
    - vreplay.mozilla.com
    - vreplay1.av.mdc1.mozilla.com
    - vreplay2.av.mdc1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vrouter1.lon2.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - vrouter1.tor1.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter2.av.mdc1.mozilla.com
    - vrouter3.av.mdc1.mozilla.com
    - vrouter4.av.mdc2.mozilla.com
    - vrouter5.av.mdc2.mozilla.com
    - webrtc-beta1.av.mdc1.mozilla.com
    - webrtc1.av.mdc1.mozilla.com
    - webrtc10.av.mdc1.mozilla.com
    - webrtc11.av.mdc2.mozilla.com
    - webrtc12.av.mdc2.mozilla.com
    - webrtc13.av.mdc2.mozilla.com
    - webrtc14.av.mdc2.mozilla.com
    - webrtc15.av.mdc2.mozilla.com
    - webrtc16.av.mdc2.mozilla.com
    - webrtc2.av.mdc1.mozilla.com
    - webrtc3.av.mdc1.mozilla.com
    - webrtc4.av.mdc1.mozilla.com
    - webrtc5.av.mdc1.mozilla.com
    - webrtc6.av.mdc1.mozilla.com
    - webrtc7.av.mdc1.mozilla.com
    - webrtc8.av.mdc1.mozilla.com
    - webrtc9.av.mdc1.mozilla.com
    tardata:
      san.vidyo.mozilla.com@263d9924.tar.gz:
        san.vidyo.mozilla.com@263d9924.crt: CRT
        san.vidyo.mozilla.com@263d9924.csr: CSR
        san.vidyo.mozilla.com@263d9924.key: KEY
    timestamp: Mon, 21 May 2018 16:30:19 GMT
Flags: needinfo?(sidler)
currently this ^^^ is what the current cert has for SANs. What specifically is missing?
Flags: needinfo?(mrichards)
Reply to Comment 8: vrouter1.av.mdc1.mozilla.com is missing. As well as the public hostnames, here's the updated list with vrouter1.av.mdc1.mozilla.com and the public hostnames required in the updated SANs.
- v.allizom.org
- v.mozilla.com
- vgateway-beta1.av.mdc1.mozilla.com
- vgateway1.av.mdc1.mozilla.com
- vgateway2.av.mdc1.mozilla.com
- vportal-beta1.av.mdc1.mozilla.com
- vportal-beta1.corpdmz.mdc1.mozilla.com
- vportal1.av.mdc1.mozilla.com
- vportal2.av.mdc1.mozilla.com
- vreplay.mozilla.com
- vreplay1.av.mdc1.mozilla.com
- vreplay2.av.mdc1.mozilla.com
- vrouter1.av.pek2.mozilla.com
- vrouter1.av.tpe1.mozilla.com
- vrouter1.ber3.mozilla.com
- vrouter1.lon2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter1.mtv2.mozilla.com
- vrouter1.par1.mozilla.com
- vrouter1.pdx1.mozilla.com
- vrouter1.pocket1.mozilla.com
- vrouter1.sfo1.mozilla.com
- vrouter1.tor1.mozilla.com
- vrouter1.yvr1.mozilla.com
- vrouter1.av.mdc1.mozilla.com
- vrouter2.av.mdc1.mozilla.com
- vrouter3.av.mdc1.mozilla.com
- vrouter4.av.mdc2.mozilla.com
- vrouter5.av.mdc2.mozilla.com
- webrtc-beta1.av.mdc1.mozilla.com
- webrtc1.av.mdc1.mozilla.com
- webrtc2.av.mdc1.mozilla.com
- webrtc3.av.mdc1.mozilla.com
- webrtc4.av.mdc1.mozilla.com
- webrtc5.av.mdc1.mozilla.com
- webrtc6.av.mdc1.mozilla.com
- webrtc7.av.mdc1.mozilla.com
- webrtc8.av.mdc1.mozilla.com
- webrtc9.av.mdc1.mozilla.com
- webrtc10.av.mdc1.mozilla.com
- webrtc11.av.mdc2.mozilla.com
- webrtc12.av.mdc2.mozilla.com
- webrtc13.av.mdc2.mozilla.com
- webrtc14.av.mdc2.mozilla.com
- webrtc15.av.mdc2.mozilla.com
- webrtc16.av.mdc2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter2.mdc1.mozilla.com
- vrouter3.mdc1.mozilla.com
- vrouter4.mdc2.mozilla.com
- vrouter5.mdc2.mozilla.com
- vgateway1.mdc1.mozilla.com
- vgateway2.mdc1.mozilla.com
Flags: needinfo?(mrichards)
Removing webrtc-beta1.av.mdc1.mozilla.com (as it was decomm'd very recently) and adding webrtc pub hostnames
- v.allizom.org
- v.mozilla.com
- vgateway-beta1.av.mdc1.mozilla.com
- vgateway1.av.mdc1.mozilla.com
- vgateway2.av.mdc1.mozilla.com
- vportal-beta1.av.mdc1.mozilla.com
- vportal-beta1.corpdmz.mdc1.mozilla.com
- vportal1.av.mdc1.mozilla.com
- vportal2.av.mdc1.mozilla.com
- vreplay.mozilla.com
- vreplay1.av.mdc1.mozilla.com
- vreplay2.av.mdc1.mozilla.com
- vrouter1.av.pek2.mozilla.com
- vrouter1.av.tpe1.mozilla.com
- vrouter1.ber3.mozilla.com
- vrouter1.lon2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter1.mtv2.mozilla.com
- vrouter1.par1.mozilla.com
- vrouter1.pdx1.mozilla.com
- vrouter1.pocket1.mozilla.com
- vrouter1.sfo1.mozilla.com
- vrouter1.tor1.mozilla.com
- vrouter1.yvr1.mozilla.com
- vrouter1.av.mdc1.mozilla.com
- vrouter2.av.mdc1.mozilla.com
- vrouter3.av.mdc1.mozilla.com
- vrouter4.av.mdc2.mozilla.com
- vrouter5.av.mdc2.mozilla.com
- webrtc1.av.mdc1.mozilla.com
- webrtc2.av.mdc1.mozilla.com
- webrtc3.av.mdc1.mozilla.com
- webrtc4.av.mdc1.mozilla.com
- webrtc5.av.mdc1.mozilla.com
- webrtc6.av.mdc1.mozilla.com
- webrtc7.av.mdc1.mozilla.com
- webrtc8.av.mdc1.mozilla.com
- webrtc9.av.mdc1.mozilla.com
- webrtc10.av.mdc1.mozilla.com
- webrtc11.av.mdc2.mozilla.com
- webrtc12.av.mdc2.mozilla.com
- webrtc13.av.mdc2.mozilla.com
- webrtc14.av.mdc2.mozilla.com
- webrtc15.av.mdc2.mozilla.com
- webrtc16.av.mdc2.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter2.mdc1.mozilla.com
- vrouter3.mdc1.mozilla.com
- vrouter4.mdc2.mozilla.com
- vrouter5.mdc2.mozilla.com
- vgateway1.mdc1.mozilla.com
- vgateway2.mdc1.mozilla.com
- webrtc1.mdc1.mozilla.com
- webrtc2.mdc1.mozilla.com
- webrtc3.mdc1.mozilla.com
- webrtc4.mdc1.mozilla.com
- webrtc5.mdc1.mozilla.com
- webrtc6.mdc1.mozilla.com
- webrtc7.mdc1.mozilla.com
- webrtc8.mdc1.mozilla.com
- webrtc9.mdc1.mozilla.com
- webrtc10.mdc1.mozilla.com
- webrtc11.mdc2.mozilla.com
- webrtc12.mdc2.mozilla.com
- webrtc13.mdc2.mozilla.com
- webrtc14.mdc2.mozilla.com
- webrtc15.mdc2.mozilla.com
- webrtc16.mdc2.mozilla.com
><(((º> ac create -o c -b 1462826 san.vidyo.mozilla.com --sans-file vidyo.sans -v2
certs:
- san.vidyo.mozilla.com@a8c52992:
    authority:
      digicert:
        order_id: 3184698
    bug: '1462826'
    common_name: san.vidyo.mozilla.com
    destinations: {}
    expiry: Tue, 16 Jul 2019 00:00:00 GMT
    modhash: a8c5299204cc5838a856e3bb9fbb006a
    sans:
    - v.allizom.org
    - v.mozilla.com
    - vgateway-beta1.av.mdc1.mozilla.com
    - vgateway1.av.mdc1.mozilla.com
    - vgateway2.av.mdc1.mozilla.com
    - vportal-beta1.av.mdc1.mozilla.com
    - vportal-beta1.corpdmz.mdc1.mozilla.com
    - vportal1.av.mdc1.mozilla.com
    - vportal2.av.mdc1.mozilla.com
    - vreplay.mozilla.com
    - vreplay1.av.mdc1.mozilla.com
    - vreplay2.av.mdc1.mozilla.com
    - vrouter1.av.pek2.mozilla.com
    - vrouter1.av.tpe1.mozilla.com
    - vrouter1.ber3.mozilla.com
    - vrouter1.lon2.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter1.mtv2.mozilla.com
    - vrouter1.par1.mozilla.com
    - vrouter1.pdx1.mozilla.com
    - vrouter1.pocket1.mozilla.com
    - vrouter1.sfo1.mozilla.com
    - vrouter1.tor1.mozilla.com
    - vrouter1.yvr1.mozilla.com
    - vrouter1.av.mdc1.mozilla.com
    - vrouter2.av.mdc1.mozilla.com
    - vrouter3.av.mdc1.mozilla.com
    - vrouter4.av.mdc2.mozilla.com
    - vrouter5.av.mdc2.mozilla.com
    - webrtc1.av.mdc1.mozilla.com
    - webrtc2.av.mdc1.mozilla.com
    - webrtc3.av.mdc1.mozilla.com
    - webrtc4.av.mdc1.mozilla.com
    - webrtc5.av.mdc1.mozilla.com
    - webrtc6.av.mdc1.mozilla.com
    - webrtc7.av.mdc1.mozilla.com
    - webrtc8.av.mdc1.mozilla.com
    - webrtc9.av.mdc1.mozilla.com
    - webrtc10.av.mdc1.mozilla.com
    - webrtc11.av.mdc2.mozilla.com
    - webrtc12.av.mdc2.mozilla.com
    - webrtc13.av.mdc2.mozilla.com
    - webrtc14.av.mdc2.mozilla.com
    - webrtc15.av.mdc2.mozilla.com
    - webrtc16.av.mdc2.mozilla.com
    - vrouter1.mdc1.mozilla.com
    - vrouter2.mdc1.mozilla.com
    - vrouter3.mdc1.mozilla.com
    - vrouter4.mdc2.mozilla.com
    - vrouter5.mdc2.mozilla.com
    - vgateway1.mdc1.mozilla.com
    - vgateway2.mdc1.mozilla.com
    - webrtc1.mdc1.mozilla.com
    - webrtc2.mdc1.mozilla.com
    - webrtc3.mdc1.mozilla.com
    - webrtc4.mdc1.mozilla.com
    - webrtc5.mdc1.mozilla.com
    - webrtc6.mdc1.mozilla.com
    - webrtc7.mdc1.mozilla.com
    - webrtc8.mdc1.mozilla.com
    - webrtc9.mdc1.mozilla.com
    - webrtc10.mdc1.mozilla.com
    - webrtc11.mdc2.mozilla.com
    - webrtc12.mdc2.mozilla.com
    - webrtc13.mdc2.mozilla.com
    - webrtc14.mdc2.mozilla.com
    - webrtc15.mdc2.mozilla.com
    - webrtc16.mdc2.mozilla.com
    tardata:
      san.vidyo.mozilla.com@a8c52992.tar.gz:
        san.vidyo.mozilla.com@a8c52992.crt: CRT
        san.vidyo.mozilla.com@a8c52992.csr: CSR
        san.vidyo.mozilla.com@a8c52992.key: KEY
    timestamp: Wed, 11 Jul 2018 18:31:04 GMT
gpg'd this ^^^ cert to freshness
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Cert received and applied! Good to revoke san.vidyo.mozilla.com@263d9924.crt
Flags: needinfo?(sidler)
><(((º> autocert revoke -b 1462826 san.vidyo.mozilla.com@263d9924
certs:
- san.vidyo.mozilla.com@263d9924: Mon, 16 Jul 2018 16:26:22 GMT
Flags: needinfo?(sidler)
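The check behind the "What specifically is missing?" exchange in this thread, as an added example that is not part of the original bug and not autocert's own code: it diffs a requested SAN list against the `sans:` list of an issued cert and flags names requested twice, so gaps are caught before the old cert is revoked. The function names are hypothetical, and both sample lists are constructed from a few hostnames that appear in the thread.

```python
import re
from collections import Counter

# Matches "- host" items whether the list is one per line or flattened onto one line.
SAN_ITEM = re.compile(r"(?:^|\s)-\s+(\S+)")

# Constructed sample: a few names from the requested list, one of them listed twice.
REQUESTED = (
    "- v.mozilla.com - vrouter1.mdc1.mozilla.com - vrouter1.av.mdc1.mozilla.com "
    "- vrouter2.av.mdc1.mozilla.com - webrtc1.av.mdc1.mozilla.com "
    "- vrouter1.mdc1.mozilla.com - vgateway1.mdc1.mozilla.com"
)

# Constructed sample: a few names from the sans: section of the issued cert.
ISSUED = """\
sans:
- v.mozilla.com
- vrouter1.mdc1.mozilla.com
- vrouter2.av.mdc1.mozilla.com
- webrtc-beta1.av.mdc1.mozilla.com
- webrtc1.av.mdc1.mozilla.com
"""


def parse_san_list(text):
    """Return normalized hostnames (lowercase, no trailing dot) in listed order."""
    return [h.rstrip(".").lower() for h in SAN_ITEM.findall(text)]


def compare_sans(requested, issued):
    """Report names to add, names no longer requested, and repeated requests."""
    counts = Counter(requested)
    want, have = set(requested), set(issued)
    return {
        "missing": sorted(want - have),      # requested but not on the cert
        "extra": sorted(have - want),        # on the cert but no longer requested
        "duplicates": sorted(h for h, n in counts.items() if n > 1),
    }


def audit(requested_text, issued_text):
    """Parse both lists and compare them."""
    return compare_sans(parse_san_list(requested_text), parse_san_list(issued_text))


if __name__ == "__main__":
    for key, names in audit(REQUESTED, ISSUED).items():
        print(f"{key}: {', '.join(names) or '-'}")
```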