Page MenuHomeSoftware Heritage
Create Task
Maniphest T979

Migrate TLS certificates away from the *.softwareheritage.org wildcards
Closed, MigratedEdits Locked
Actions

Description

Our wildcard certificates are expiring in October 2018.

We're going to need to replace those certificates, probably with Let's Encrypt.

Here's the domains that are currently doing TLS:

pergamon:

  • annex.softwareheritage.org
  • debian.softwareheritage.org
  • docs.softwareheritage.org
  • stats.export.softwareheritage.org
  • icinga.softwareheritage.org
  • grafana.softwareheritage.org

tate:

  • forge.softwareheritage.org
  • git.softwareheritage.org
  • intranet.softwareheritage.org
  • wg.softwareheritage.org
  • wiki.softwareheritage.org

moma:

  • archive.softwareheritage.org
  • deposit.softwareheritage.org

gandi:

  • sponsors.softwareheritage.org
  • sponsorship.softwareheritage.org
  • testimonials.softwareheritage.org
  • www.softwareheritage.org
  • www-dev.softwareheritage.org
  • softwareheritage.org

status.io:

  • status.softwareheritage.org (done via cloudfront)

Related Objects
Search...

Event Timeline

olasd triaged this task as Low priority.Mar 1 2018, 2:43 PM
olasd created this task.
ftigeot claimed this task.Sep 12 2018, 3:39 PM
ftigeot added a parent task: T1175: renews SSL certificats for {www,}softwareheritage.org.
olasd raised the priority of this task from Low to High.Sep 12 2018, 5:50 PM

Changing priority due to the impending deadline.

douardda added a subscriber: douardda.Nov 19 2018, 3:28 PM

What's the status of this task? October is long gone now, so either the problem has been (temporarily) fixed or it was not really a problem (?)

I guess in both cases, this task priority could be reduced. And the description explicitly modified to 'migrate to letsencrypt/dehydrated' or so.

ftigeot lowered the priority of this task from High to Wishlist.EditedNov 23 2018, 3:04 PM

I did some experiments with Letsencrypt but other things were more urgent during the September-October 2018 period and in the end a wildcard Digicert certificate was used again instead.

Most of our SSL servers currently use a single wildcard certificate and this should probably be changed independently of a move to a Letsencrypt/non-Digicert solution.

olasd changed the task status from Open to Work in Progress.Jul 3 2019, 8:19 PM
olasd claimed this task.
olasd added a subscriber: ftigeot.

After some puppet work:

The infrastructure is the following:

  • Certificates are generated on the puppet master using the certbot client. This is configured in the profile::letsencrypt puppet class.
    • The list of certificates is in the letsencrypt::certificates hiera variable
    • The (DNS) challenge is done via a python script using Gandi's LiveDNS API (profile::letsencrypt::gandi_livedns_hook class)
    • Renewal is done through the systemd timer built into the Debian package
    • Certificates in /etc/letsencrypt/live are exported by a certbot deploy_hook into /var/lib/puppet/letsencrypt_exports, and made readable by the puppet master user
  • Certificates are pulled on the servers via the profile::letsencrypt::certificate puppet defined type (which will replace the previous profile::ssl class)
    • This retrieves the certs from the puppet master into the files pointed at by the profile::letsencrypt::certificate_paths function

This means that the renewed certificates will only reach the servers when puppet is run on them.

This also means that when adding a new vhost to a server, we need to:

  1. update the puppet config
  2. run puppet on pergamon to generate the new cert
  3. run puppet on the appropriate server
  4. run puppet on pergamon again to pick up the monitoring-related exported resources

These multiple interlocked steps make me feel that we should start cronning puppet on servers rather than running it by hand.

Now that the Let's Encrypt scaffolding is in place, we should be able to replace the wildcard certificates gradually.

Finally, to solve the www.softwareheritage.org certificate question, I've quickly looked at the Gandi APIs, but I couldn't find the API to upload TLS certificates to simple hosting instances. I haven't looked too hard yet, I'm sure it's doable.

olasd updated the task description. (Show Details)Jul 3 2019, 8:20 PM
olasd added a comment.Jul 4 2019, 9:14 AM

After swapping in some memories from the Gandi simple hosting stuff, it's possible to upload certificates to Gandi using the legacy XML-RPC API. There's no explicit linking of certificates between the certificates API and the PaaS API, and ISTR that the PaaS stuff just picks up certificates automatically once uploaded.

olasd updated the task description. (Show Details)Jul 4 2019, 5:52 PM
In T979#34731, @olasd wrote:

After swapping in some memories from the Gandi simple hosting stuff, it's possible to upload certificates to Gandi using the legacy XML-RPC API. There's no explicit linking of certificates between the certificates API and the PaaS API, and ISTR that the PaaS stuff just picks up certificates automatically once uploaded.

Looks like that worked, www-dev.softwareheritage.org presents a brand new Let's Encrypt cert!

olasd updated the task description. (Show Details)Jul 8 2019, 7:00 PM

I've now started work on refactoring the way we do Apache Virtual hosts in puppet, but it's still somewhat of a mess with the number of settings that still vary across hosts.

I've also updated the description to add status.softwareheritage.org, which was missed in the original survey (and for which we just got a cert expiration notice).

olasd closed subtask T1916: Fix invalid status.s.o certificate as Resolved.Jan 6 2020, 4:18 PM
olasd updated the task description. (Show Details)Jan 6 2020, 5:59 PM
olasd removed a subscriber: ftigeot.
olasd mentioned this in rSPSITE32cf95933480: Move annex.softwareheritage.org to Let's Encrypt.Jul 16 2020, 7:49 PM
olasd mentioned this in rSPSITE79eeb45c0660: Move debian.softwareheritage.org to Let's Encrypt.
olasd mentioned this in rSPSITE6f1657deaad6: Move docs.softwareheritage.org to Let's Encrypt.
olasd mentioned this in rSPSITEe99f10e5215a: Move icinga.softwareheritage.org to Let's Encrypt.
olasd mentioned this in rSPSITE999c5b535fd5: Move mediawiki to Let's Encrypt.
olasd mentioned this in rSPSITE316f153bd748: Move rewrite domains to Let's Encrypt.
olasd mentioned this in rSPSITEae8f2c1fd43e: Move forge.softwareheritage.org to Let's Encrypt.
olasd updated the task description. (Show Details)Jul 16 2020, 8:16 PM
olasd closed this task as Resolved.Jul 16 2020, 9:02 PM

All domains using the existing wildcard certs have been migrated to Let's Encrypt.

Some domains listed don't have any https (yet), but will be handled via gandi.

gitlab-migration changed the task status from Resolved to Migrated.Oct 19 2022, 5:53 PM
gitlab-migration claimed this task.
gitlab-migration added a subscriber: gitlab-migration.

This task has been migrated to GitLab.

gitlab-migration changed the status of subtask T1916: Fix invalid status.s.o certificate from Resolved to Migrated.Oct 19 2022, 5:56 PM
About · Developer information · Legal