Closed Bug 990717 Opened 10 years ago Closed 10 years ago

reissue ssl certificate for git.mozilla.org

Categories

(Infrastructure & Operations :: SSL Certificates, task)

Product:
Infrastructure & Operations
Component:
SSL Certificates
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: cturra, Assigned: fubar)

References

Details

(Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/203] [expires Jun 30 21:30:24 2014 GMT]) 

the ssl certificate for git.mozilla.org is set to expire in ~90 days. adding :bkero and :fuba to the /cc list so we can co-ordinate the certificate change.

i expect we'll want to reach out to the development/release groups to make them aware of this change.

this was last issued in bug 769610.
Adding Hal, too. I don't *think* git has the same fingerprint pinning mechanism that hg can use, so devs shouldn't have to worry about changing anything.
Git doesn't allow such fine grained control ;)

We will want to give advance notice to the dev groups, sheriffs, and release in advance (1wk if possible to get announced in weekly eng meetings). At the time of cert roll, an announcement should be made in #releng so the sheriffs can spot any fallout quicker.
(In reply to Hal Wine [:hwine] (use needinfo) from comment #2)
> Git doesn't allow such fine grained control ;)
> 
> We will want to give advance notice to the dev groups, sheriffs, and release
> in advance (1wk if possible to get announced in weekly eng meetings). At the
> time of cert roll, an announcement should be made in #releng so the sheriffs
> can spot any fallout quicker.

There's no rush IIRC (we have 80+ days), this can be done at the next tree closing window to avoid any major breakages?
aiui, this shouldn't cause any issues, so it would be better to do during business hours, so any bizarre exception is noticed immediately. The notification is just "principle of least surprise".

If this will take the git server offline for any length of time, or the cert change is an opportunity to test fail over processes, then we should schedule for the next TCW. That will be May 17.
Whiteboard: [expires Jun 30 21:30:24 2014 GMT] → [kanban:https://kanbanize.com/ctrl_board/4/203] [expires Jun 30 21:30:24 2014 GMT]
New cert generated and installed on zeus (scl3 and phx1) as git.mozilla.org-2017. Will coordinate switch to new cert w/ Hal for early next week.
Assignee: server-ops-webops → klibby
Deployed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.