Closed Bug 515963 Opened 15 years ago Closed 15 years ago

*.mozilla.org SSL cert renewal

Categories

(mozilla.org Graveyard :: Server Operations, task)

All
Other
task
Not set
blocker

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mrz, Assigned: dmoore)

Details

(Whiteboard: [expires 12/10/2009])

Expires 12/10/2009
Assignee: server-ops → mrz
Group: infra
Severity: minor → trivial
Whiteboard: [expires 12/10/2009]
Severity: trivial → enhancement
Need a CSR.
Assignee: mrz → server-ops
Severity: enhancement → major
This might be a good time to get a cert with subjectAltName of DNS:*.mozilla.org,DNS:mozilla.org. :)
Oh no, that means a non-geotrust/verisign cert :(
GeoTrust and VeriSign both support subjectAltName. Sometimes they make you enter the hosts during enrollment rather than actually extracting them from the CSR, but they most definitely support it. It's one of the most common SSL extensions used.
I'll clarify - geotrust/verisign do not support SAN on their wildcard certs.  See mozillalabs.com.
(In reply to comment #5)
> I'll clarify - geotrust/verisign do not support SAN on their wildcard certs. 
> See mozillalabs.com.

I don't have any background on mozillalabs.com, as bug 526813 is not public, but that definitely seems weird to me.

I assume you contacted both companies? If so, I know that thawte.com supports SAN in wildcard certs, as it's what Google is currently using. They have a good reputation, so might be worth looking into...

Thawte and GeoTrust are both owned by VeriSign, which makes this all very humorous.
Reed, assume I'm not making this up.  If a wildcard SAN cert is required, I can't use the existing vendors we have.  Inclined to go with digicert again because they already did the Mozilla Corporation vetting.

Either way, need a CSR.
(In reply to comment #7)
> Reed, assume I'm not making this up.

Please don't get me wrong... I never assumed anything of the sort, and I know from past experience that you most likely called them up to confirm it. I just find it amusing that one VeriSign company allows this while two others don't. :)
Assignee: server-ops → thardcastle
21 days until it expires, bumping up sev.  Need a CSR with SAN entries.
Severity: major → critical
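The CSR with SAN entries asked for above (comment 2's DNS:*.mozilla.org,DNS:mozilla.org), as an added shell example that is not from this bug or the mradm01 root-ca tools; it assumes a POSIX shell with the openssl CLI, and WORKDIR is a hypothetical scratch directory:

```shell
#!/bin/sh
# Added example: build a CSR for *.mozilla.org that carries
# subjectAltName DNS:*.mozilla.org, DNS:mozilla.org, then confirm the SAN
# really is in the request before it goes to the CA.
set -eu

# Hypothetical scratch directory; the private key never leaves the host.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# openssl config whose req section asks for the SAN extension.
write_csr_config() {
  cat > "$WORKDIR/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = US
ST = California
L  = Mountain View
O  = Mozilla Corporation
OU = Secure Web Server
CN = *.mozilla.org

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:*.mozilla.org, DNS:mozilla.org
EOF
}

# Fresh 2048-bit RSA key plus a sha256-signed CSR using that config.
make_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/wildcard.mozilla.org.key" \
    -out "$WORKDIR/wildcard.mozilla.org.csr" \
    -config "$WORKDIR/csr.cnf" 2>/dev/null
  chmod 600 "$WORKDIR/wildcard.mozilla.org.key"
}

# Print the DNS names in a CSR's SAN, one per line (empty: no SAN present,
# so the CA would issue for the CN alone and mozilla.org would be left out).
csr_san_names() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# Return non-zero unless every expected name is in the CSR's SAN.
check_csr_san() {
  csr="$1"; shift
  have=$(csr_san_names "$csr")
  for want in "$@"; do
    printf '%s\n' "$have" | grep -qxF -- "$want" || return 1
  done
}
```

Run `make_csr` and then `check_csr_san "$WORKDIR/wildcard.mozilla.org.csr" '*.mozilla.org' 'mozilla.org'` before submitting; the CA vetting happens once, so a missing name is much cheaper to catch here.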
About two weeks now, bumping sev.  Whole lot of stuff is going to break if this isn't handled.  

chizu, what's the delay here?  It's like a 2 min task.
Severity: critical → blocker
13 days...
https://www.digicert.com/easy-csr/openssl.htm for reference or mradm01:~/root-ca has tools.
(In reply to comment #13)
> https://www.digicert.com/easy-csr/openssl.htm for reference or
> mradm01:~/root-ca has tools.

Is the above CSR not correct?
I pasted that before I saw the csr :)
Assignee: thardcastle → mrz
chizu, where's the key for this?
Your Web Server Certificate for *.mozilla.org

20:43 < chizu> mrz: mradm01:root-ca/wildcard.mozilla.org.key

Needs to be loaded on any host currently using the *.mozilla.org cert.
Assignee: mrz → server-ops
Assignee: server-ops → dmoore
We'll start rolling these in tomorrow, 12/01

Puppet will handle the majority, but there are a few exceptions (nagios seems to be uncovering them)
Updated on Zeus and Netscalers.
Assignee: dmoore → server-ops
Assignee: server-ops → dmoore
didn't mean to make this page...
Looks like someone has already updated the netscaler
All remaining certs identified and updated.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard