Closed Bug 515963 Opened 16 years ago Closed 16 years ago

*.mozilla.org SSL cert renewal

Categories

(mozilla.org Graveyard :: Server Operations, task)
RESOLVED FIXED

People

(Reporter: mrz, Assigned: dmoore)

Details

(Whiteboard: [expires 12/10/2009])

Expires 12/10/2009
Assignee: server-ops → mrz
Group: infra
Severity: minor → trivial
Whiteboard: [expires 12/10/2009]
Severity: trivial → enhancement
Need a CSR.
Assignee: mrz → server-ops
Severity: enhancement → major
This might be a good time to get a cert with subjectAltName of DNS:*.mozilla.org,DNS:mozilla.org. :)
Oh no, that means a non-geotrust/verisign cert :(
GeoTrust and VeriSign both support subjectAltName. Sometimes they make you enter the hosts during enrollment rather than actually extracting them from the CSR, but they most definitely support it. It's one of the most common SSL extensions used.
I'll clarify - geotrust/verisign do not support SAN on their wildcard certs. See mozillalabs.com.
(In reply to comment #5)
> I'll clarify - geotrust/verisign do not support SAN on their wildcard certs.
> See mozillalabs.com.

I don't have any background on mozillalabs.com, as bug 526813 is not public, but that definitely seems weird to me. I assume you contacted both companies? If so, I know that thawte.com supports SAN in wildcard certs, as it's what Google is currently using. They have a good reputation, so might be worth looking into... Thawte and GeoTrust are both owned by VeriSign, which makes this all very humorous.
Reed, assume I'm not making this up. If a wildcard SAN cert is required, I can't use the existing vendors we have. Inclined to go with digicert again because they already did the Mozilla Corporation vetting. Either way, need a CSR.
(In reply to comment #7)
> Reed, assume I'm not making this up.

Please don't get me wrong... I never assumed anything of the sort, and I know from past experience that you most likely called them up to confirm it. I just find it amusing that one VeriSign company allows this while two others don't. :)
Assignee: server-ops → thardcastle
21 days until it expires, bumping up sev. Need a CSR with SAN entries.
Severity: major → critical
About two weeks now, bumping sev. Whole lot of stuff is going to break if this isn't handled. chizu, what's the delay here? It's like a 2 min task.
Severity: critical → blocker
13 days...
https://www.digicert.com/easy-csr/openssl.htm for reference or mradm01:~/root-ca has tools.
(In reply to comment #13)
> https://www.digicert.com/easy-csr/openssl.htm for reference or
> mradm01:~/root-ca has tools.

Is the above CSR not correct?
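The two things this bug keeps circling back to are a CSR that actually carries the SAN entries (DNS:*.mozilla.org,DNS:mozilla.org) and a private key that matches the cert being rolled out. The following is an added example, not the bug's own tooling or the mradm01 scripts: it builds such a CSR with openssl, reads the SAN back out of the request, and compares public-key digests so a key/CSR or key/cert mismatch is caught before a host is touched. The scratch directory, subject fields and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug: request subjectAltName for the
# wildcard and the bare domain, confirm the SAN is really in the CSR, and
# check that a private key pairs with a given CSR or certificate.
set -eu

# Assumed scratch directory and file names (not the bug's mradm01 paths).
WORK="${WORK:-$(mktemp -d)}"

# Write an openssl request config carrying the two SAN entries from the bug.
make_csr() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
O = Example Org
CN = *.mozilla.org
[v3_req]
subjectAltName = DNS:*.mozilla.org, DNS:mozilla.org
EOF
  openssl genrsa -out "$WORK/wildcard.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/wildcard.key" -config "$WORK/san.cnf" \
    -out "$WORK/wildcard.csr"
}

# Print the SAN values from a CSR with spaces stripped. A CA issues only
# what the request (or its enrollment form) names, so check before sending.
csr_sans() {  # $1 = CSR file
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Compare public-key digests of a private key and a CSR ("req") or a
# certificate ("x509"). A mismatch is what breaks a host after a cert swap.
key_matches() {  # $1 = private key, $2 = CSR or cert file, $3 = req|x509
  k=$(openssl pkey -in "$1" -pubout | openssl sha256)
  c=$(openssl "$3" -in "$2" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# Usage:
#   make_csr
#   csr_sans "$WORK/wildcard.csr"        # prints DNS:*.mozilla.org,DNS:mozilla.org
#   key_matches "$WORK/wildcard.key" "$WORK/wildcard.csr" req
#   key_matches "$WORK/wildcard.key" /path/to/issued.crt x509
```

Run `key_matches` with `x509` against the CA-issued certificate before loading it on each host; the SAN check on the issued cert is the same `-text` read with `openssl x509`.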
I pasted that before I saw the csr :)
Assignee: thardcastle → mrz
chizu, where's the key for this?
Your Web Server Certificate for *.mozilla.org
20:43 < chizu> mrz: mradm01:root-ca/wildcard.mozilla.org.key Needs to be loaded on any host currently using the *.mozilla.org cert.
Assignee: mrz → server-ops
Assignee: server-ops → dmoore
We'll start rolling these in tomorrow, 12/01. Puppet will handle the majority, but there are a few exceptions (nagios seems to be uncovering them).
Updated on Zeus and Netscalers.
Assignee: dmoore → server-ops
Assignee: server-ops → dmoore
didn't mean to make this page...
Looks like someone has already updated the netscaler
All remaining certs identified and updated.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard