Open Bug 1951502 Opened 15 days ago Updated 1 day ago

Renew aus5.mozilla.org 2025

Categories

(Cloud Services :: Operations: Balrog, task)

task

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: jbuck, Assigned: jbuck, NeedInfo)

References

Details

On 2025-06-01 the current certificate for aus5.mozilla.org is expiring. The certificate is currently a DigiCert-issued certificate. Firefox 101+ GMP updates are no longer pinned to the DigiCert SHA2 Secure Server CA ICA.

Should we test renewing with Let's Encrypt this year?

Worth noting that the DigiCert Global Root CA will be distrusted as of April 15 2026, so if we want to renew using the DigiCert SHA2 Secure Server CA intermediate CA, we'll need to renew by April at the latest.

:bhearsum and I chatted about this and propose the following:

Context:

  • Firefox 100 pins to a DigiCert intermediate CA for GMP updates. Firefox 101+ does not pin for GMP updates.
  • Firefox 100 pins to old root CA that will expire on March 14th

Therefore:

  • Wait until after the old root CA expires on March 14th, after which Firefox <= 100 can't receive any more updates from us
  • Try a Let's Encrypt certificate starting on/after March 17th. We can do several known time periods and look at GMP telemetry for those time periods to ensure that the new certificate is working as expected. We expect it to work fine; we just want to make sure
  • On April 1st, make a decision as to whether to keep using the Let's Encrypt certificate, or renew with DigiCert for one last year

Assignee: nobody → jbuckley
Status: NEW → ASSIGNED

For completeness I'll mention that while looking at the GMP client side code, it appears that certificate pinning may still be used in the latest Firefox if a certain pref is unset, which is unfortunate. I don't know if we have telemetry to see how many users may be in this scenario, and what the impact might be. I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1951564 about removing that fallback.

Jim, how important is it that we avoid changing the intermediate (per https://bugzilla.mozilla.org/show_bug.cgi?id=1886799, there are still certain cases where we pin GMP updates to it)?

Note that this is the last year we may be able to get an SSL certificate from this intermediate, and I don't think it's reasonable to continue pinning to a new intermediate. (The pain of maintaining these is well documented, and switching to Let's Encrypt is a much lower maintenance burden.)

If possible, I'd like for us to switch to Let's Encrypt this year. If not, we'll have to do it next year.

If https://bugzilla.mozilla.org/show_bug.cgi?id=1886799 is not fixed when we switch, we can update the pins for new Firefoxes to keep that fallback mode working for them, but older Firefoxes would no longer work with the fallback.

Flags: needinfo?(jmathies)
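Added example (not code from this bug, Balrog or Firefox) modelling the constraint the plan above and the pinning discussion both turn on: an update client that trusts the old root and pins to the SPKI hash of one intermediate. The PKI, names and expiry dates are constructed stand-ins; the check shows that once the old root expires the pinned client fails no matter which intermediate is served, and that a chain through a different (Let's Encrypt-style) intermediate fails the pin until the pin set is updated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent (nil parent = self-signed root).
// Constructed test PKI only: nothing here is a real DigiCert or Let's Encrypt key.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     notAfter,
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes a certificate's SubjectPublicKeyInfo, the value a pinning client stores.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// PinSatisfied reports whether a client that trusts root, pins to pin and checks at time at accepts
// leaf+inter: the chain must verify (root included, so an expired root fails before the pin is
// even consulted) and some CA in the verified chain must carry the pinned key.
func PinSatisfied(leaf, inter, root *x509.Certificate, pin [32]byte, at time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	if err != nil { return false }
	for _, c := range chains[0][1:] { // chains[0][0] is the leaf itself
		if spkiPin(c) == pin {
			return true
		}
	}
	return false
}
```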