Taskcluster/Update SSL Certificates

From MozillaWiki

Issuing

Generally you'll be updating an existing SAN cert to add or remove a domain. File a bug for it, and use the bug number as a nice stable identifier for the new certificate, to avoid confusion.

To do that, you'll need to be someone with DigiCert access, or be nice to someone who has it. You'll need the CSR for the original certificate. Then log in to DigiCert, find the certificate, click the "Reissue" button, and paste the CSR. Include a reference to the bug in the notes. Then edit the list of hostnames, and make the request. Once the request is approved and the reissue is complete, you'll be able to download a new certificate.

In all this, you won't see the key -- it hasn't changed -- so you'll need to find a copy of it in someone's secrets. Once you have the new certificate and the old key, you're almost ready to go. You'll also need DigiCertCA.crt (the intermediate CA certificate) from DigiCert.
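Before uploading anything, it is worth confirming that the downloaded certificate really belongs to the old key, chains to DigiCertCA.crt, and carries the edited hostname list. The script below is an added example, not part of this page or of Taskcluster's own tooling; it assumes openssl 1.1.1 or newer on PATH, and takes the certificate, key and CA file as arguments (tc.crt, tc.key and DigiCertCA.crt are the names used later on this page).

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity checks on a reissued
# certificate before it goes to Heroku, CloudFront or Docker Cloud.
# Assumes openssl 1.1.1+ on PATH. Usage: sh check-cert.sh tc.crt tc.key DigiCertCA.crt

# Succeed only if the public key inside the certificate equals the public
# key derived from the private key. A reissue keeps the key, so a mismatch
# means the wrong key was dug out of someone's secrets.
cert_matches_key() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate verifies against the CA bundle (DigiCertCA.crt
# on the page). -partial_chain lets the chain end at the intermediate in the
# bundle instead of demanding a self-signed root.
cert_chains_to() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print one DNS name per line from the subjectAltName extension, so the
# hostname edit made in DigiCert can be checked against the downloaded cert.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; /^DNS:/!d; s/^DNS://'
}

# Print the notAfter date, the value Heroku shows as "Expires At".
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Run all checks; non-zero exit on the first failure.
check_cert() {
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  cert_chains_to "$1" "$3"   || { echo "certificate does not chain to $3" >&2; return 1; }
  echo "expires: $(cert_expiry "$1")"
  echo "hostnames:"
  cert_sans "$1"
}

if [ "$#" -eq 3 ]; then
  check_cert "$@"
fi
```

The SAN list printed by `cert_sans` should match the hostnames you entered on the DigiCert reissue form and, after the update, the "Common Name(s)" list that `heroku certs:info` prints.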

Updating

Heroku

With Heroku, the SSL endpoint we're using is tied to the taskcluster-auth service. Check the existing cert with

   dustin@dustin-tc-devel ~/tmp $ heroku certs:info -a taskcluster-auth
   Fetching SSL Endpoint toyama-73636.herokussl.com info for taskcluster-auth... done
   Certificate details:
   Common Name(s): auth.taskcluster.net
                   aws-provisioner.taskcluster.net
                    ...
                   tools.taskcluster.net
   
   Expires At:     2019-03-22 12:00 UTC
   Issuer:         /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   Starts At:      2016-03-17 00:00 UTC
   Subject:        /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=auth.taskcluster.net
   SSL certificate is verified by a root authority.

then put the new certificate and key in `tc.crt` and `tc.key`, respectively, and run

   dustin@dustin-tc-devel ~/tmp $ heroku certs:update -a taskcluster-auth tc.crt tc.key
   Resolving trust chain... done
   
    !    WARNING: Potentially Destructive Action
    !    This command will change the certificate of endpoint toyama-73636.herokussl.com on taskcluster-auth.
    !    To proceed, type "taskcluster-auth" or re-run this command with --confirm taskcluster-auth
   

follow those instructions. That's it!

CloudFront

For CloudFront, you'll need AWS console access as well as access from the CLI. To upload the new key (`tc.key`), cert (`tc.crt`), and `DigiCertCA.crt`, use

   aws iam upload-server-certificate --server-certificate-name taskcluster_net_bugABC123 \
       --certificate-body file://tc.crt \
       --private-key file://tc.key \
       --certificate-chain file://DigiCertCA.crt \
       --path /cloudfront/

replacing the bug number as appropriate. Once that's complete, log in to https://console.aws.amazon.com/cloudfront/home?region=us-east-1 and edit each distribution that is using the old certificate to use the new one (identified by the bug number in its name).

Docker Cloud

For Docker Cloud, log in to https://cloud.docker.com as moztc.

For stacks that use an haproxy frontend, you'll find the certificate in the load balancer service. Edit the service, and click "Next" to see the environment variables. Near the top you will find DEFAULT_SSL_CERT or the like. Edit that.

Format the certificates as follows:

  • concatenate the certificate, the key, and the DigiCert CA certificate, in that order
  • replace each newline with the two-character sequence "\n", so the whole thing is a single line

Insert this single (one-line) string into the environment value.

Redeploy the service.
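The formatting steps above, as an added shell example (not from this page or from the Taskcluster project): it assumes only POSIX sh and awk, and takes the certificate, key and CA file as arguments in the order the page gives. It also includes the reverse transformation, so the value you are about to paste can be unwrapped and inspected with openssl first.

```shell
#!/bin/sh
# Added example (not from the wiki page): build the one-line value for the
# haproxy DEFAULT_SSL_CERT environment variable. Uses only POSIX sh and awk.
# Usage: sh ssl-env.sh tc.crt tc.key DigiCertCA.crt

# Arguments: certificate, key, CA certificate, in that order. Every input
# line is emitted followed by the two characters backslash and n, so the
# output contains no real newline. Feeding awk the files one by one means a
# file that lacks a trailing newline still gets its "\n" before the next one.
make_default_ssl_cert() {
  awk '{ printf "%s\\n", $0 }' "$1" "$2" "$3"
}

# Turn the one-line value back into PEM, e.g. to check the first block with
#   unwrap_default_ssl_cert "$value" | openssl x509 -noout -subject -enddate
unwrap_default_ssl_cert() {
  printf '%s' "$1" | awk '{ gsub(/\\n/, "\n"); print }'
}

if [ "$#" -eq 3 ]; then
  make_default_ssl_cert "$@"
  echo
fi
```

Paste the printed line as the value of DEFAULT_SSL_CERT; the certificate must come first, because haproxy reads the PEM blocks in that order.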

To test, hit https://cloud-mirror.taskcluster.net/v1/ping and verify that you don't get a certificate error.