Page MenuHomePhabricator

Track/notify cert expiries better
Closed, ResolvedPublic

Description

  1. Our current GlobalSign certs are generally configured with a single individual's email address to notify us on expiry.
  2. Even if that's fixed, we shouldn't be relying on them to notify us. We should have our own tracking.

We have check_sslxNN in icinga which is checking at least the critical unified cert, which (in addition to other things) tracks cert expiry, but we haven't actually extended that kind of checking to every cert we're using (notably, we missed the impending loss of wmfusercontent.org). We have several smaller certs like that, some of which are even hosted in 3rd party services as well. Should we monitor the 3rd parties in these cases as well?

It might make more sense if we had some generic system in place for tracking long-term expiration events in general, so that we could enter every cert we purchase into that system when it's purchased. Such a system could be useful for other purposes as well (warranties, contracts, etc?). Is there an existing thing like this available already?

Event Timeline

BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description. (Show Details)
BBlack added projects: acl*sre-team, HTTPS, Traffic.
BBlack added subscribers: BBlack, RobH, faidon, mark.
Dzahn triaged this task as Medium priority.Sep 14 2015, 11:08 PM
Dzahn added a subscriber: Dzahn.

We've recently changed the policy on ordering ssl certificates to put in the ssl_renewals alias for all ssl cert info.

Additionally, we should see if we can change the backend contact info for all existing globalsign certs without reissuing (since its renewal info, not cert info, it shouldnt need reissue.)

It seems like we've made a lot of progress on this front since late 2015. Should we consider this resolved now? @RobH?

All certificates are now tracked in icinga so I think this can indeed be resolved. (We've also transitioned over to LE for the bulk of non-wildcards!)

BBlack claimed this task.

There are (seperate) Icinga checks for the *.planet.wikimedia.org and the *.wmfusercontent.org cert that recently alerted on upcoming expiry of the main unified cert. They have been added before these certs were added to the unified cert i believe. Maybe that means they should be removed as redundant. (but they also serve as https check in general, it just additionally checks the cert, so maybe not :)