Closed Bug 1899899 Opened 2 years ago Closed 2 years ago

Renew aus5.mozilla.org 2024

Categories

(Cloud Services :: Operations: Balrog, task)

Product:
Cloud Services
Component:
Operations: Balrog
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jbuck, Assigned: jbuck)

References

Details

On 2024-06-23 the current certificate for aus5.mozilla.org is expiring. The certificate is currently a Digicert-issued certificate. Firefox 101+ GMP updates are no longer pinned to the DigiCert SHA2 Secure Server CA ICA.

Should we try renewing with Lets Encrypt this year?

Worth noting that the DigiCert Global Root CA will be distrusted as of April 15 2026, so when we do the 2025 version of this renewal, that'll be the last time we can use the DigiCert SHA2 Secure Server CA intermediate CA.

No longer blocks: 1834817
Depends on: 1834817

Order # 771440235 submitted for renewal

Assignee: nobody → jbuckley
Status: NEW → ASSIGNED

Context from Slack for why we rolled with Digicert for renewal this year:

bhearsum: After all the authenticode fun we just had I'd like to avoid any chance at a repeat. Let's go with DigiCert, and if possible, could we get a cert that's valid for longer than a year? (The longer we wait to switch to Let's Encrypt, the lower the chance of impact is. AIUI, DRM will break for users on Firefox <100 due to the pinning requirements).
jbuck: it’s not possible to get a certificate that’s valid for longer than a year since 2020-09-01, but yes, we can use digicert this year
bhearsum: Is switching to LE just a cost thing? Or does it make it easier for y'all as well?
jbuck: both - renewal is done completely automatically. no manual steps required
jbuck: 2025 may be a good time to test lets encrypt, to understand how older clients behave
Yeah, I think we can consider it next year. Let's try to start this conversation a couple of months ahead of expiration though, if possible.

https://crt.sh/?id=13238335617 is the new certificate

Need to update docs on https://mozilla-balrog.readthedocs.io/en/latest/client_domains.html once we land this change

PR has been applied and merged

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Blocks: 1951502
You need to log in before you can comment on or make changes to this bug.