Closed Bug 1670031 Opened 4 years ago Closed 4 years ago

hgmo SSL certificate renewal work (Oct 2020)

Categories

(Developer Services :: Mercurial: hg.mozilla.org, task)

Product:
Developer Services
Component:
Mercurial: hg.mozilla.org
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sheehan, Assigned: sheehan)

References

Details

(Keywords: leave-open)

Attachments

(6 files)

configwizard: add new sha256 fingerprint (Bug 1670031) r?dhouse,zeid
47 bytes, text/x-phabricator-request
Details | Review
ansible/hg-web: update pinned SSL cert in hgrc template (Bug 1670031) r?dhouse,zeid
47 bytes, text/x-phabricator-request
Details | Review
configwizard: update the SHA1 fingerprint (Bug 1670031) r?dhouse,zeid
47 bytes, text/x-phabricator-request
Details | Review
docs: update standalone doc with SSL cert info (Bug 1670031) r?dhouse,zeid
47 bytes, text/x-phabricator-request
Details | Review
GitHub Pull Request
58 bytes, text/x-github-pull-request
Details | Review
Bug 1670031: update fallback fingerprint in `run-task` r?zeid
47 bytes, text/x-phabricator-request
Details | Review

Tracking bug for any work related to the SSL cert renewal on Monday, Oct 12.

Edit: copy-able config for manual updates to the hgrc:

[hostsecurity]
hg.mozilla.org:fingerprints = sha256:FF:E7:8D:93:E9:56:3C:C0:19:FC:00:4C:18:B9:86:E5:08:E5:10:F5:E2:EA:48:E8:22:D3:A3:3A:CA:99:C3:4C, sha256:17:38:aa:92:0b:84:3e:aa:8e:52:52:e9:4c:2f:98:a9:0e:bf:6c:3e:e9:15:ff:0a:29:80:f7:06:02:5b:e8:48

Add the new certificate to configwizard, so users can run
mach vcs-setup and have the new cert pinned in their hgrc.

Updates the fingerprints in the hgweb hgrc file.

Depends on D92968

This change will need to be landed post-swap since older clients
can't pin multiple SHA1 certs.

Bug 1670034 tracks removal of this feature altogether, but for now
it stays as-is.

Depends on D92969

Pushed by cosheehan@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/4a21d2b14392
configwizard: add new sha256 fingerprint r=dhouse,zeid
https://hg.mozilla.org/hgcustom/version-control-tools/rev/237f1bfdb051
ansible/hg-web: update pinned SSL cert in hgrc template r=dhouse,zeid

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---
Attached file GitHub Pull Request (obsolete) (deleted) —
The content of attachment 9180540 [details] has been deleted for the following reason: test attachment - please disregard

Updated the hgfingerprint TC secret to include the fingerprint of the new certificate.

The new certificate is live.

Pushed by cosheehan@mozilla.com: https://hg.mozilla.org/hgcustom/version-control-tools/rev/fec47274ac0a configwizard: update the SHA1 fingerprint r=dhouse,zeid https://hg.mozilla.org/hgcustom/version-control-tools/rev/3d949575c04e docs: update standalone doc with SSL cert info r=dhouse,zeid
Regressions: 1670712
Regressions: 1670716

Can you please update FALLBACK_FINGERPRINT (in taskcluster/scripts/run-task) to the now correct value? I sent email about this to dev-platform and got no response.

Pushed by cosheehan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fe05e2b8652b update fallback fingerprint in `run-task` r=zeid

Thanks!

A try push based on very recent autoland (from this morning) is still showing a bunch of jobs erroring out with fingerprint errors: https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=b6ab677d0e1b44470483b3fd4d7d74564b6b0ca7&searchStr=windows%2C10%2Copt

The version-control-tools repo also has a signed version of the vcs-server-info file, which is referenced by the documentation; this is now out-of-date. It was signed with a key belonging to gps@mozilla.com, with the idea that it would eventually move to a more robust form of signing, but gps is no longer at Mozilla and the public key seems to have been removed from keyservers that allow deletion, so this has been somewhat broken for a while now.

Should I file a separate bug for updating or removing that file, or do you want to handle that as part of this bug?

(For context, I wasn't immediately affected by the cert change because I primarily use Git, but some tools like mach lint will clone from hg.m.o over https.)

Flags: needinfo?(sheehan)

(In reply to Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ from comment #20)

The version-control-tools repo also has a signed version of the vcs-server-info file, which is [referenced by the documentation][docs]; this is now out-of-date. It was signed with a key belonging to gps@mozilla.com, with the idea that it would eventually move to a more robust form of signing, but gps is no longer at Mozilla and the public key seems to have been removed from keyservers that allow deletion, so this has been somewhat broken for a while now.

Should I file a separate bug for updating or removing that file, or do you want to handle that as part of this bug?

I'll remove these files and references in the docs as part of this bug. Thanks for bringing this up!

Flags: needinfo?(sheehan)
Pushed by cosheehan@mozilla.com: https://hg.mozilla.org/hgcustom/version-control-tools/rev/f82da5025556 docs: remove `vcs-server-info{.asc}` and docs references
Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: