Taskcluster/Update SSL Certificates: Difference between revisions

From MozillaWiki
(Created page with "= Issuing = Generally you'll be updating an existing SAN cert to add or remove a domain. File a bug for it, and use the bug number as a nice stable identifier for the new cer...")
 
m (Callek moved page TaskCluster/Update SSL Certificates to Taskcluster/Update SSL Certificates: Pinged directly by :dustin to do this)
 
(11 intermediate revisions by 2 users not shown)
= Issuing =
= This is now documented at https://mana.mozilla.org/wiki/display/TAS/Update+SSL+Certificates =
Generally you'll be updating an existing SAN cert to add or remove a domain.  File a bug for it, and use the bug number as a nice stable identifier for the new certificate, to avoid confusion.
 
To do that, you'll need to be someone with DigiCert access, or be nice to someone who has it.  You'll need the CSR for the original certificate.  Then log in to DigiCert, find the certificate, click the "Reissue" button, and paste the CSR.  Include a reference to the bug in the notes.  Then edit the list of hostnames and make the request.  Once the request is approved and the reissue is complete, you'll be able to download a new certificate.
 
In all this, you won't see the key -- it hasn't changed.  So you'll need to find a copy of that in someone's secrets.  Once you have the new certificate and the old key, you're almost ready to go.  You'll also need DigiCertCA.crt from DigiCert.
 
= Updating =
 
== Heroku ==
 
With Heroku, the SSL endpoint we're using is tied to the taskcluster-auth service.  Check the existing cert with
 
    dustin@dustin-tc-devel ~/tmp $ heroku certs:info -a taskcluster-auth
    Fetching SSL Endpoint toyama-73636.herokussl.com info for taskcluster-auth... done
    Certificate details:
    Common Name(s): auth.taskcluster.net
                    aws-provisioner.taskcluster.net
                    cloud-mirror.taskcluster.net
                    cors-proxy.taskcluster.net
                    events.taskcluster.net
                    github.taskcluster.net
                    grafana.taskcluster.net
                    hooks.taskcluster.net
                    index.taskcluster.net
                    login.taskcluster.net
                    public-artifacts.taskcluster.net
                    purge-cache.taskcluster.net
                    queue.taskcluster.net
                    scheduler.taskcluster.net
                    secrets.taskcluster.net
                    stats.taskcluster.net
                    statsum.taskcluster.net
                    tools.taskcluster.net
 
    Expires At:    2019-03-22 12:00 UTC
    Issuer:        /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    Starts At:      2016-03-17 00:00 UTC
    Subject:        /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=auth.taskcluster.net
    SSL certificate is verified by a root authority.
 
then put the new certificate and key in `tc.crt` and `tc.key`, respectively, and run
 
    dustin@dustin-tc-devel ~/tmp $ heroku certs:update -a taskcluster-auth tc.crt tc.key
    Resolving trust chain... done
 
    !    WARNING: Potentially Destructive Action
    !    This command will change the certificate of endpoint toyama-73636.herokussl.com on taskcluster-auth.
    !    To proceed, type "taskcluster-auth" or re-run this command with --confirm taskcluster-auth
   
follow those instructions.  That's it!
 
== CloudFront ==
 
For CloudFront, you'll need AWS console access as well as access from the CLI.  To upload the new key (`tc.key`), cert (`tc.crt`), and `DigiCertCA.crt`, use
 
    aws iam upload-server-certificate --server-certificate-name taskcluster_net_bugABC123 --certificate-body file://tc.crt --private-key file://tc.key --certificate-chain file://DigiCertCA.crt --path /cloudfront/
 
replacing the bug number as appropriate.  Once that's complete, log in to https://console.aws.amazon.com/cloudfront/home?region=us-east-1 and edit each distribution that is using the old key to use the new key (identified with the bug number).
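Because the key is reused across reissues, the easiest mistake in either the Heroku or the CloudFront step is to pair the new `tc.crt` with a stale copy of `tc.key`, or to ship a cert that silently lost a hostname.  The following pre-flight script is an added example (not from this wiki or the Taskcluster project) that checks the bundle with openssl before anything is uploaded; the file names, the `preflight` function and the minimum-days argument are this example's own conventions, and the hostnames to cover are passed on the command line.

```shell
#!/bin/sh
# Added pre-flight check for a reissued bundle (not from the wiki): confirms
# the reissued cert still matches the unchanged key, chains to the CA file,
# is not about to expire, and covers every hostname the endpoint serves.

# SHA-256 of the public key carried by a cert ($1=cert) or a key ($1=key).
pubkey_digest() {
  if [ "$1" = cert ]; then pem=$(openssl x509 -in "$2" -noout -pubkey)
  else pem=$(openssl pkey -in "$2" -pubout); fi
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Succeeds only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  [ "$(pubkey_digest cert "$1")" = "$(pubkey_digest key "$2")" ]
}

# DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Prints hostnames ($2...) missing from the cert ($1); fails if any are missing.
missing_sans() {
  cert=$1; shift; rc=0; sans=$(cert_sans "$cert")
  for h in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$h" || { echo "$h"; rc=1; }
  done
  return $rc
}

# preflight CERT KEY CHAIN MIN_DAYS HOST... ; non-zero exit means do not upload.
preflight() {
  cert=$1; key=$2; chain=$3; days=$4; shift 4
  key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "cert does not chain to $chain" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "cert expires within $days days" >&2; return 1; }
  missing=$(missing_sans "$cert" "$@") \
    || { echo "hostnames not covered: $missing" >&2; return 1; }
  echo "ok: $cert matches $key, chains to $chain, covers $# hostname(s)"
}

# Example: sh preflight.sh tc.crt tc.key DigiCertCA.crt 30 auth.taskcluster.net queue.taskcluster.net
if [ "$#" -ge 5 ]; then preflight "$@"; fi
```

Run it with the full hostname list from `heroku certs:info` so a dropped SAN is caught before the Heroku confirmation prompt or the IAM upload.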

Latest revision as of 18:41, 3 July 2017