Closed Bug 843698 Opened 12 years ago Closed 12 years ago

Need an SSL cert for Tableau server

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aelliott, Assigned: cturra)

Details

Attachments

(1 file)

Currently, the Tableau (data visualisation) server is accessed as http://dataviz.mozilla.org I need an ssl cert so that folks can access it as per https://bugzilla.mozilla.org/show_bug.cgi?id=841782
Annie - i just did some digging and this appears to only be available internally. out of curiosity, what is the driver for https for this internal only service?
$ dig @8.8.8.8 +noauthority dataviz.mozilla.org
; <<>> DiG 9.7.6-P1 <<>> @8.8.8.8 +noauthority dataviz.mozilla.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42053
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dataviz.mozilla.org. IN A
;; ANSWER SECTION:
dataviz.mozilla.org. 333 IN CNAME tableau1.metrics.scl3.mozilla.com.
;; Query time: 85 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 21 15:45:49 2013
;; MSG SIZE rcvd: 127
$ dig @8.8.8.8 +noauthority tableau1.metrics.scl3.mozilla.com
; <<>> DiG 9.7.6-P1 <<>> @8.8.8.8 +noauthority tableau1.metrics.scl3.mozilla.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11169
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;tableau1.metrics.scl3.mozilla.com. IN A
;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 21 15:46:17 2013
;; MSG SIZE rcvd: 105
It is "internal only" right now, if I understand your meaning of internal only, because it has been required to pass a security review before moving it out from behind the office vpns. Currently, users must be onsite or using, for instance, Mozilla-MV-Office VPN to be able to access it. The vpn measure is in place until the sec review is complete and any issues handled. The only big issue coming out of the sec rev is the lack of a cert needed to switch this system over to SSL/https. The secrev bug is 841782 and is depended here. Once the cert is in place, https/ssl will be turned on/required to log in, and the VPN can be removed as it is for the legacy systems, as well as the mozilla intranet, mana, service now, etc.
thanks for the background information. since i believe this is running on a microsoft iis server, we're going to need to have you generate the certificate signing request (csr) and private key. once you have done this, can you please provide me with the csr? for your reference, the following (shortened) url links to geotrust's instructions on how to generate a csr in iis 7.0: http://bit.ly/WWqQqO
Thank you, and thank you for the link. I will get that done. Do I need to make this bug more confidential to post the key here, or should I find you on IRC when it is done?
Annie - all we need from you to get a public certificate is the csr. please keep the private key to yourself until we need it for any load balancer configurations. we will reach out to you to get that (with gpg or direct access to the windows server hosting this key).
Assignee: server-ops-webops → cturra
Annie - how are you making out with the certificate signing request?
Flags: needinfo?(aelliott)
closing bug for now. Annie - please reopen if you still need a certificate signed. if/when you do, please also provide us with the certificate signing request (csr) from the Microsoft IIS server.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Attached file dataviz csr
cturra - Turns out tableau is not IIS after all. It's some built-in web server. Please see the openssl generated csr. I have the private_key until needed.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Flags: needinfo?(aelliott)
:rbryce - as discussed on irc, i have re-generated the csr and private key on ssl1.private.phx1. below is the signed digital certificate along with geotrust's intermediate, which you will require.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
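Added example, not part of the bug thread or of any Mozilla tooling: it shows the thread's rule that only the CSR is shared while the private key stays on the host, and the check that matters once a CSR has been re-generated on another machine, namely that the issued certificate matches the key you actually hold. The throwaway test CA, the `O=Example Org` subject and all file and function names are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example. The O= subject, file names and the throwaway CA are constructed.
set -eu
# make_csr DIR CN: new 2048-bit RSA key (owner-readable only) plus a CSR for CN.
make_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$2" \
          -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null )
}

# safe_to_share FILE: succeeds only if FILE holds no PEM private-key block.
safe_to_share() {
    ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# pubkey_digest KIND FILE: SHA-256 of the public key inside a key, csr or cert.
pubkey_digest() {
    pub=$(case $1 in
        (key)  openssl pkey -in "$2" -pubout ;;
        (csr)  openssl req  -in "$2" -noout -pubkey ;;
        (cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null) && [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: succeeds only if the certificate was issued for KEY.
cert_matches_key() {
    c=$(pubkey_digest cert "$1") && k=$(pubkey_digest key "$2") && [ "$c" = "$k" ]
}

# issue_with_test_ca DIR: stand-in for the public CA; signs DIR/server.csr.
issue_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}
demo() {
    a=$(mktemp -d); b=$(mktemp -d)
    make_csr "$a" dataviz.mozilla.org      # first requester's key and CSR
    make_csr "$b" dataviz.mozilla.org      # CSR re-generated on another host
    issue_with_test_ca "$b"                # certificate issued from the second CSR
    safe_to_share "$a/server.csr" && echo "CSR has no private key: ok to attach"
    safe_to_share "$a/server.key" || echo "key file must not be attached"
    cert_matches_key "$b/server.crt" "$b/server.key" && echo "cert matches regenerated key"
    cert_matches_key "$b/server.crt" "$a/server.key" || echo "cert does NOT match first key"
    rm -rf "$a" "$b"
}
demo
```

Running the match check before loading a certificate into the web server catches the case where the certificate was issued against a different CSR than the one whose key is on the host.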
:rbryce What do I do with this?
Flags: needinfo?(rbryce)
(In reply to Annie Elliott from comment #11)
> :rbryce What do I do with this?
We have to load the keys into the Tableau web server. I can probably take care of this for you, but I will need to restart the Tableau webserver. Is that ok?
Flags: needinfo?(rbryce)
That works for me! Thank you!
Annie - I added the certs per the Tableau instructions. However, we need to make some changes so that it listens on port 443. Which gave me some trouble. I didn't want to break anything, and would prefer to wait until you are around. I can be available anytime (any timezone) to help you finish this up.
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard