Closed Bug 783689 Opened 12 years ago Closed 11 years ago

Need an SSL cert for beta.openbadges.org

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task, P4)

x86_64
Windows 7

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chris, Assigned: cturra)

Details

(Whiteboard: [triaged 20120824])

beta isn't the final url though, if possible a wildcard cert for openbadges.org would be ideal.
Chris,

We are generally not doing wildcard SSL certs these days.  I will cc Michael Coates for his thoughts / approval for this.

In the meantime I have submitted a request to have the openbadges.org domain added to our authorized list of domains in Geotrust (our SSL cert provider) so I can get certs for this domain. This process typically takes about 2 business days and is necessary whether we get a wildcard cert or not.
Whiteboard: [waiting][Approval]
The domain has been added to Geotrust.  Just waiting for discussion / approval from security.
Do they know? Or am I supposed to contact them?
Chris,

I cc mcoates but if you contact someone directly it may speed up the process.  TBH I am not positive who is the decider for these things now only that mcoates probably knows who is.
cmac: can you just list a bunch of domains you want certs for?  AFAIK we're really trying to phase out wildcards so the former way will go much faster I believe.  If we have a real need for a wildcard, list it here.
(In reply to David Ascher (:davida) from comment #5)
> cmac: can you just list a bunch of domains you want certs for?  AFAIK we're
> really trying to phase out wildcards so the former way will go much faster I
> believe.  If we have a real need for a wildcard, list it here.

Would be great to do a subject alternate name cert where we list the domains specifically (as davida recommends). Let's chat more if this isn't possible.
Priority: -- → P3
Whiteboard: [waiting][Approval] → [triaged 20120824][waiting][Approval]
(In reply to Chris McAvoy from comment #0)
> beta isn't the final url though, if possible a wildcard cert for
> openbadges.org would be ideal.

I wouldn't block on the final name - certs are overly expensive.  We can also re-issue SAN certs with new names without penalty.
Renormalizing priority levels... P4 is "normal" now.

I presume mrz meant certs are *not* overly expensive. SAN and wildcard certs do cost more than basic ones, though (just so we're on the same page).

@cmac: are we still okay to go ahead with a basic cert for beta.openbadges.org?


Where would this be hosted? The IP that beta.openbadges.org resolves to doesn't seem to go to our Zeus LBs, but it is a Mozilla-controlled IP. It's not a site I am familiar with...
Priority: P3 → P4
Whiteboard: [triaged 20120824][waiting][Approval] → [triaged 20120824][waiting][needinfo]
Hi all, I just realized that this ticket died with a ball in my court. Can I confirm that you all are waiting on 2 things from me, 1) a list of the sub-domains we want to be SSL'd, and 2) the location of the server?

Is that it? If so, I can get answers tomorrow morning...
(In reply to Chris McAvoy from comment #9)
> Hi all, I just realized that this ticket died with a ball in my court. Can I
> confirm that you all are waiting on 2 things from me, 1) a list of the
> sub-domains we want to be SSL'd, and 2) the location of the server?
> 
> Is that it? If so, I can get answers tomorrow morning...

Yes, please provide a list of the domains and we'll order a SAN certificate for them

Thanks!
beta.openbadges.org
staging.openbadges.org
api.openbadges.org
www.openbadges.org
openbadges.org

Thanks!
Assignee: server-ops-webops → cturra
SAN certificate ordered. waiting on approval process from our ca, which can take up to a couple business days.
Status: NEW → ASSIGNED
Whiteboard: [triaged 20120824][waiting][needinfo] → [triaged 20120824][pending ca approval]
you can find the key on ssl1.private.phx1. let me know if you need a hand with that.

X509v3 Subject Alternative Name: 
  DNS:www.openbadges.org, DNS:api.openbadges.org, DNS:staging.openbadges.org, DNS:beta.openbadges.org, DNS:openbadges.org


web server cert:
===



geotrust intermediate cert:
===

Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [triaged 20120824][pending ca approval] → [triaged 20120824]
Hello,

I've just emailed Chris regarding acquiring the private keys for the SAN cert, but in the near term, can we please add backpack.openbadges.org to the SAN?  Acknowledging that can take a couple days, the timeline we're looking at for launch is Thursday being in QA.

I appreciate the help, many thanks!
JP
johns@mozillafoundation.org
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: needinfo?
JP - i have completed the signing of a new SAN cert that includes this new alternative domain. during the process i had to generate a new csr/private key - you can find those at ssl1.private.phx1. ping :gozer for it if you do not have access.

Status: REOPENED → RESOLVED
Closed: 12 years ago → 11 years ago
Flags: needinfo?
Resolution: --- → FIXED
Key sent to jp
Sorry to reopen! Can we please add backpack.openbadges.org to the SAN?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Or, rather, verify it is on the list?
JP - this certificate already includes backpack.openbadges.org. you can see this using the following `openssl` command:

 $ openssl x509 -text -in <public_cert>
 ...
 X509v3 Subject Alternative Name: 
 DNS:www.openbadges.org, DNS:api.openbadges.org, DNS:staging.openbadges.org, DNS:beta.openbadges.org, DNS:backpack.openbadges.org, DNS:openbadges.org
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
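
The SAN check from the comment above, scripted as an added example that is not part of the original bug: it reads `openssl x509 -text` output and reports any required hostname the certificate does not cover, including the wildcard case discussed earlier in the thread. The function names (`san_names`, `covers`, `missing_sans`) and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug): confirm every required hostname is
# covered by a certificate's Subject Alternative Name list.
# Usage: openssl x509 -noout -text -in cert.pem | missing_sans host1 host2

# Constructed sample input: the SAN section as quoted in the comment above.
SAMPLE_TEXT='X509v3 Subject Alternative Name: 
 DNS:www.openbadges.org, DNS:api.openbadges.org, DNS:staging.openbadges.org, DNS:beta.openbadges.org, DNS:backpack.openbadges.org, DNS:openbadges.org'

# Read `openssl x509 -text` output on stdin; print one DNS name per line.
san_names() {
    awk '
        found {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                if (p ~ /^DNS:/) print tolower(substr(p, 5))
            }
            exit
        }
        /X509v3 Subject Alternative Name/ { found = 1 }'
}

# covers ENTRY HOST: true if the SAN entry covers HOST. A wildcard stands
# for exactly one leftmost label, so it never covers the bare domain.
covers() {
    case "$1" in
        \*.*)
            suffix=${1#\*}
            label=${2%"$suffix"}
            [ "$label" != "$2" ] && [ -n "$label" ] &&
                case "$label" in *.*) false ;; esac ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# Print each required host that no SAN entry covers; non-zero if any.
missing_sans() {
    names=$(san_names)
    rc=0
    for host in "$@"; do
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
        found=1
        while IFS= read -r entry; do
            if covers "$entry" "$host"; then found=0; break; fi
        done <<EOF
$names
EOF
        if [ "$found" -ne 0 ]; then echo "$host"; rc=1; fi
    done
    return "$rc"
}
```

Run before a launch, a non-empty result means the certificate has to be re-issued with the listed names added.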
Ah, excellent trick thanks!  Also, gracias for verifying!
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard