Taskcluster/Update SSL Certificates: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Add a link to the mana page for this.)
(Replaced content with "= This is now documented at https://mana.mozilla.org/wiki/display/TAS/Update+SSL+Certificates =")
Line 1: Line 1:
= This is now documented at https://mana.mozilla.org/wiki/display/TAS/Update+SSL+Certificates =
= This is now documented at https://mana.mozilla.org/wiki/display/TAS/Update+SSL+Certificates =
= Issuing =
Generally you'll be updating an existing SAN cert to add or remove a domain.  File a bug for it, and use the bug number as a nice stable identifier for the new certificate, to avoid confusion.
To do that, you'll need to be someone with digicert access, or be nice to someone who has it.  You'll need a CSR for the original certificate.  Then login to digicert, find the certificate, click the "Reissue" button, and paste the CSR.  Include a reference to the bug in the notes.  Then edit the list of hostnames, and make the request.  Once the request is approved and the reissue is complete, you'll be able to download a new certificate.
In all this, you won't see the key -- it hasn't changed.  So you'll need to find a copy of that in someone's secrets.  Once you have the new certificate and the old key, you're almost ready to go.  You'll also need DigiCertCA.crt from DigiCert.
= Updating =
If you are adding a domain, note that the old certificates will not be automatically revoked, so you have all the time in the world to upgrade the various services.  However, if you are removing a domain, the old certificate will soon be revoked in 24-72 hours, so you will need to deploy the updated certificate within a day.
If you are adding a new domain that will not be used for a Heroku app, add the domain name of the app to the `taskcluster-dummy` app's list of domains, so that it cannot be used by another Heroku account.
== Heroku ==
With Heroku, the SSL endpoint we're using is tied to the taskcluster-auth service.  Check the existing cert with
    dustin@dustin-tc-devel ~/tmp $ heroku certs:info -a taskcluster-auth
    Fetching SSL Endpoint toyama-73636.herokussl.com info for taskcluster-auth... done
    Certificate details:
    Common Name(s): auth.taskcluster.net
                    aws-provisioner.taskcluster.net
                    ...
                    tools.taskcluster.net
   
    Expires At:    2019-03-22 12:00 UTC
    Issuer:        /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    Starts At:      2016-03-17 00:00 UTC
    Subject:        /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=auth.taskcluster.net
    SSL certificate is verified by a root authority.
then put the new certificate and key in `tc.crt` and `tc.key`, respectively, and run
    dustin@dustin-tc-devel ~/tmp $ heroku certs:update -a taskcluster-auth tc.crt tc.key
    Resolving trust chain... done
   
    !    WARNING: Potentially Destructive Action
    !    This command will change the certificate of endpoint toyama-73636.herokussl.com on taskcluster-auth.
    !    To proceed, type "taskcluster-auth" or re-run this command with --confirm taskcluster-auth
   
follow those instructions.  That's it!
== CloudFront ==
For CloudFront, you'll need AWS console access as well as access from the CLI.  To upload the new key (`tc.key`), cert (`tc.crt`), and `DigiCertCA.crt`, use
    aws iam upload-server-certificate --server-certificate-name taskcluster_net_bugABC123 \
        --certificate-body file://tc.crt \
        --private-key file://tc.key \
        --certificate-chain file://DigiCertCA.crt \
        --path /cloudfront/
replacing the bug number as appropriate.  Once that's complete, login to https://console.aws.amazon.com/cloudfront/home?region=us-east-1 and edit each distribution that is using the old key to use the new key (identified with the bug number).
== Docker Cloud ==
For Docker cloud, login to https://cloud.docker.com as moztc.  Use the classic UI as the new UI is broken.
Some apps are deployed as stacks, but some are deployed as services, so you'll need to hunt around.  Also, the certs are formatted differently for different apps.  It's fun.  Note that if you *edit* an environment variable, newlines will be folded to whitespace, whereas if you delete an environment variable and add a new one, you can paste newlines in.
For stacks that use an haproxy frontend, you'll find the certificate in the load balancer service.  Edit the service, and click "Next" to see the environment variables.  Near the top you will find DEFAULT_SSL_CERT or the like.  Edit that.
For cloud-mirror (which is currently in Heroku, so this is historical information), format the certificates as follows:
* concatenate the certificate, the key, and the DigiCert CA Certificate
* replace newlines with "\n"
Insert this single (one-line) string into the environment value.
..continuing: Redeploy the service.
For other stacks, like for statsum, the values are in other environment variables.  Format the new certs the same way as the old.
To test, hit https://cloud-mirror.taskcluster.net/v1/ping and verify that you don't get a certificate error.

Revision as of 14:20, 1 December 2016

This is now documented at https://mana.mozilla.org/wiki/display/TAS/Update+SSL+Certificates

Retrieved from "https://wiki.allizom.org/index.php?title=Taskcluster/Update_SSL_Certificates&oldid=1156251"