Page MenuHomePhabricator
Create Task
Maniphest T100831

replace librenms's sha1 cert with sha256
Closed, ResolvedPublic
Actions

Description

Tracking task to replace librenms's sha1 cert with sha256, in multiple steps:

  • - reissue certificate in sha256
  • - update configuration to use new certificate
  • - push changes live
  • - revoke old sha1 certificate

Details

SubjectRepoBranchLines +/-
apache generic_vhost: add SSLCertificateChainFileoperations/puppetproduction+3 -0
replace librenms's sha1 cert with sha256operations/puppetproduction+26 -28
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedRobHT73156 Replace SHA1 certificates with SHA256
 ResolvedDzahnT100831 replace librenms's sha1 cert with sha256

Event Timeline

RobH created this task.May 29 2015, 7:22 PM
RobH raised the priority of this task from to High.
RobH updated the task description. (Show Details)
RobH added projects: acl*sre-team, HTTPS.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 29 2015, 7:22 PM
gerritbot subscribed.May 29 2015, 7:22 PM

Change 214676 had a related patch set uploaded (by RobH):
replace librenms's sha1 cert with sha256

https://gerrit.wikimedia.org/r/214676

gerritbot added a project: Patch-For-Review.May 29 2015, 7:23 PM
RobH mentioned this in T73156: Replace SHA1 certificates with SHA256.May 29 2015, 7:30 PM
chasemp assigned this task to RobH.Jun 2 2015, 5:23 PM
chasemp subscribed.

Don't shoot me Robh, it just seems like this is your deal :)

chasemp lowered the priority of this task from High to Medium.Jun 2 2015, 5:24 PM
Dzahn claimed this task.Jun 2 2015, 8:15 PM
Dzahn added a subscriber: RobH.
Dzahn removed Dzahn as the assignee of this task.Jun 2 2015, 8:32 PM
Dzahn subscribed.

librenms doesn't use an individual .erb template for the Apache config.

instead it uses @webserver::apache::site which uses templates/apache/generic_vhost.erb which includes:

SSLCACertificatePath /etc/ssl/certs

but we want to change that and just specify the chained file, but that would affect other services, which is a drawback to using a generic template for everything

gerritbot added a comment.Jun 4 2015, 1:30 AM

Change 215840 had a related patch set uploaded (by Dzahn):
apache generic_vhost: add SSLCertificateChainFile

https://gerrit.wikimedia.org/r/215840

Dzahn claimed this task.Jun 4 2015, 7:26 PM
gerritbot added a comment.Jun 4 2015, 8:18 PM

Change 214676 merged by Dzahn:
replace librenms's sha1 cert with sha256

https://gerrit.wikimedia.org/r/214676

Dzahn mentioned this in rOPUP56e67ecc33e4: replace librenms's sha1 cert with sha256.Jun 4 2015, 8:18 PM
Dzahn added a comment.Jun 4 2015, 8:24 PM

replaced cert without making an additional config change

signature algorithm is now SHA256withRSA

grade A- https://www.ssllabs.com/ssltest/analyze.html?d=librenms.wikimedia.org

the - in A- is because not supporting PFS which is because this uses Apache 2.2 which is because netmon1001 is precise

Dzahn closed this task as Resolved.Jun 4 2015, 8:24 PM
Dzahn updated the task description. (Show Details)Jun 4 2015, 8:46 PM
Dzahn set Security to None.
gerritbot added a comment.Jun 19 2015, 7:24 PM

Change 215840 abandoned by Dzahn:
apache generic_vhost: add SSLCertificateChainFile

https://gerrit.wikimedia.org/r/215840

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL