Closed Bug 2010145 Opened 11 days ago Closed 4 days ago

regenerate test certificates for 2026

Categories

(Core :: Security: PSM, task)

Tracking

RESOLVED FIXED
149 Branch
Tracking Status
firefox-esr115 --- affected
firefox-esr140 --- affected
firefox147 --- fixed
firefox148 --- fixed
firefox149 --- fixed

People

(Reporter: aryx, Assigned: aryx)

References

(Regressed 1 open bug)

Attachments (8 files)

The test certificates expire on 2026-02-04 and security/manager/ssl/tests/unit/test_cert_expiration_canary.js will start failing 3 weeks before, on 2026-01-14 - tomorrow.

Test will start failing on 2026-01-14 - 3 weeks before the checked certificate
expires.

Attachment #9537343 - Attachment description: Bug 2010145 - renew test certificates. r=keeler → Bug 2010145 - renew test certificates for 2026. r=keeler
Pushed by archaeopteryx@coole-files.de: https://github.com/mozilla-firefox/firefox/commit/107d0e5deb84 https://hg.mozilla.org/integration/autoland/rev/84f3c12d1177 renew test certificates for 2026. r=keeler,necko-reviewers,extension-reviewers,kershaw,robwu
Duplicate of this bug: 2011340
Status: ASSIGNED → RESOLVED
Closed: 4 days ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → 149 Branch

Certificates expire on 2027-02-04.

Extended with the instructions in security/manager/ssl/tests/unit/test_cert_expiration_canary.js

If this test and only this test fails, do the following:

  1. Create a bug for the issue in "Core :: Security: PSM".
  2. Write a patch to temporarily disable the test.
  3. Land the patch.
  4. Write a patch to reenable the test but don't land it.
  5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
    in the bug.
  6. Patches to update certificates get created.
    6.1. Update certificates in security/manager/ssl/tests/unit with
    ./mach generate-test-certs
    6.2. Update more certificates with
    ./mach python build/pgo/genpgocert.py
    6.3. Temporarily uncomment the code in security/manager/ssl/tests/unit/test_signed_apps/moz.build,
    build Firefox with |./mach build| and copy the relevant non-build files
    from the related object directory folder into this folder.
    6.4. Update the certificate fingerprints mentioned in
    security/manager/ssl/tests/unit/test_cert_override_read.js with
    openssl x509 -noout -fingerprint -sha256 -in security/manager/ssl/tests/unit/bad_certs/certName.pem
    6.5. Update the base64 encoded serial numbers of test-int.pem and other-test-ca.pem in
    security/manager/ssl/tests/unit/test_cert_storage.js
    6.5.1. Get the serial number value
    openssl x509 -noout -in security/manager/ssl/tests/unit/bad_certs/test-int.pem -serial
    6.5.2. base64 encode the hex value without the prefix
    6.5.3. Update base64 encoded value in the test file.
  7. Commit the changes: Mention the year of the update, the date of the
    next expiration and add these instructions to the commit message.
  8. Test the patches with a Try push.
  9. Land the patches on all trees whose code will still be used when the
    certificates expire in 3 weeks.

Original Revision: https://phabricator.services.mozilla.com/D278888
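
Steps 6.4 and 6.5 of the instructions above, as an added shell helper (not part of the bug, the commit, or the Firefox tree). It assumes the value wanted in test_cert_storage.js is the base64 of the serial number's raw bytes rather than of the hex text; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage: sh cert_values.sh path/to/cert.pem [...]
# Assumption: the base64 value is built from the serial's raw bytes.

# Step 6.5.2: turn "serial=<HEX>" (the output format of
# `openssl x509 -noout -serial`) into base64 of the decoded bytes.
serial_line_to_b64() {
    hex=${1#serial=}                      # drop the "serial=" prefix
    case $hex in
        ''|*[!0-9A-Fa-f]*)
            echo "not a hex serial: $1" >&2
            return 1 ;;
    esac
    # Pad to whole bytes if an odd number of digits was supplied.
    [ $(( ${#hex} % 2 )) -eq 0 ] || hex=0$hex
    while [ -n "$hex" ]; do
        rest=${hex#??}                    # everything after the first byte
        byte=${hex%"$rest"}               # the first two hex digits
        # Emit the byte via an octal escape, which POSIX printf supports.
        printf "\\$(printf '%03o' "0x$byte")"
        hex=$rest
    done | base64
}

# Steps 6.4 and 6.5.1: print the SHA-256 fingerprint and the serial
# of one PEM file, followed by the base64 form of the serial.
cert_test_values() {
    pem=$1
    openssl x509 -noout -fingerprint -sha256 -in "$pem" || return 1
    line=$(openssl x509 -noout -serial -in "$pem") || return 1
    printf '%s -> ' "$line"
    serial_line_to_b64 "$line"
}

# Only touch openssl when certificate paths are given on the command line.
if [ "$#" -gt 0 ]; then
    for pem_path in "$@"; do
        cert_test_values "$pem_path"
    done
fi
```

Encoding the hex string itself (for example with `echo ABCD | base64`) yields a different and longer value, so the decode step matters.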

Attachment #9539107 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: no user impact but automated tests in our CI will start to fail on Feb 4
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: Does not affect the build we ship
  • String changes made/needed: no
  • Is Android affected?: no
Attachment #9539108 - Flags: approval-mozilla-beta?
Attachment #9539108 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9539107 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Attachment #9539857 - Flags: approval-mozilla-release?
Attachment #9539858 - Flags: approval-mozilla-release?

firefox-release Uplift Approval Request

  • User impact if declined: no user impact but automated tests in our CI will start to fail on Feb 4
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: Does not affect the build we ship
  • String changes made/needed: no
  • Is Android affected?: no
See Also: → 1940172
Summary: renew test certificates → regenerate test certificates for 2026

Attachment #9539886 - Flags: approval-mozilla-release?
Attachment #9539858 - Attachment description: Bug 2010145 - extend documentation how to update in-tree test certificates. → Bug 2010145 - extend documentation how to update in-tree test certificates. r=keeler
Attachment #9539857 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #9539858 - Flags: approval-mozilla-release? → approval-mozilla-release+
Regressions: 2012309