Page MenuHomePhabricator

replace librenms's sha1 cert with sha256
Closed, ResolvedPublic

Description

Tracking task to replace librenms's sha1 cert with sha256, in multiple steps:

  • - reissue certificate in sha256
  • - update configuration to use new certificate
  • - push changes live
  • - revoke old sha1 certificate

Event Timeline

RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH added projects: acl*sre-team, HTTPS.

Change 214676 had a related patch set uploaded (by RobH):
replace librenms's sha1 cert with sha256

https://gerrit.wikimedia.org/r/214676

chasemp added a subscriber: chasemp.

Don't shoot me Robh, it just seems like this is your deal :)

chasemp lowered the priority of this task from High to Medium.Jun 2 2015, 5:24 PM
Dzahn added a subscriber: RobH.
Dzahn removed Dzahn as the assignee of this task.Jun 2 2015, 8:32 PM
Dzahn added a subscriber: Dzahn.

librenms doesn't use an individual .erb template for the Apache config.

instead it uses @webserver::apache::site which uses templates/apache/generic_vhost.erb which includes:

SSLCACertificatePath /etc/ssl/certs

but we want to change that and just specify the chained file, but that would affect other services, which is a drawback to using a generic template for everything

Change 215840 had a related patch set uploaded (by Dzahn):
apache generic_vhost: add SSLCertificateChainFile

https://gerrit.wikimedia.org/r/215840

Change 214676 merged by Dzahn:
replace librenms's sha1 cert with sha256

https://gerrit.wikimedia.org/r/214676

replaced cert without making an additional config change

signature algorithm is now SHA256withRSA

grade A- https://www.ssllabs.com/ssltest/analyze.html?d=librenms.wikimedia.org

the - in A- is because not supporting PFS which is because this uses Apache 2.2 which is because netmon1001 is precise

Dzahn set Security to None.

Change 215840 abandoned by Dzahn:
apache generic_vhost: add SSLCertificateChainFile

https://gerrit.wikimedia.org/r/215840