
Track/notify cert expiries better
Closed, Resolved (Public)

Description

  1. Our current GlobalSign certs are generally configured with a single individual's email address to notify us on expiry.
  2. Even if that's fixed, we shouldn't be relying on them to notify us. We should have our own tracking.

We have check_sslxNN in icinga which is checking at least the critical unified cert, which (in addition to other things) tracks cert expiry, but we haven't actually extended that kind of checking to every cert we're using (notably, we missed the impending loss of wmfusercontent.org). We have several smaller certs like that, some of which are even hosted in 3rd party services as well. Should we monitor the 3rd parties in these cases as well?

It might make more sense if we had some generic system in place for tracking long-term expiration events in general, so that we could enter every cert we purchase into that system when it's purchased. Such a system could be useful for other purposes as well (warranties, contracts, etc?). Is there an existing thing like this available already?
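An added example, not part of this task or of Wikimedia's own check_ssl plugin, of the per-certificate expiry tracking the description asks for: an Icinga-style check that grades a certificate by days remaining. The certificate dict is constructed in the shape `getpeercert()` returns; the hostnames, thresholds and function names are assumptions.

```python
import ssl
import socket
import time

# Icinga/Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def days_until_expiry(peer_cert, now=None):
    """Days remaining on a cert dict in the shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return (not_after - now) / 86400.0


def check_cert_expiry(peer_cert, warn_days=30, crit_days=7, now=None):
    """Return (exit_code, message) the way an Icinga check such as check_ssl would."""
    remaining = days_until_expiry(peer_cert, now)
    # subject is a tuple of RDNs, each a tuple of (type, value) pairs
    subject = dict(pair for rdn in peer_cert.get("subject", ()) for pair in rdn)
    cn = subject.get("commonName", "<no CN>")
    sans = [name for kind, name in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    label = f"{cn} ({len(sans)} SAN entries)"
    if remaining < 0:
        return CRITICAL, f"CRITICAL: {label} expired {-remaining:.1f} days ago"
    if remaining < crit_days:
        return CRITICAL, f"CRITICAL: {label} expires in {remaining:.1f} days"
    if remaining < warn_days:
        return WARNING, f"WARNING: {label} expires in {remaining:.1f} days"
    return OK, f"OK: {label} expires in {remaining:.1f} days"


def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the leaf cert a live host presents (needs network; the sample below does not use it)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "subjectAltName": (("DNS", "example.invalid"), ("DNS", "*.example.invalid")),
    "notAfter": "Sep 14 23:08:00 2015 GMT",
}
SAMPLE_EXPIRY = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"])

if __name__ == "__main__":
    import sys
    state, msg = check_cert_expiry(SAMPLE_CERT)
    print(msg)
    sys.exit(state)
```

Run one instance per certificate (including those hosted by third parties) so that a cert missing from the unified check, like the wmfusercontent.org case above, still alerts on its own.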

Event Timeline

BBlack raised the priority of this task from to Needs Triage.
BBlack updated the task description.
BBlack added projects: acl*sre-team, HTTPS, Traffic.
BBlack added subscribers: BBlack, RobH, faidon, mark.
Dzahn triaged this task as Medium priority. Sep 14 2015, 11:08 PM
Dzahn subscribed.

We've recently changed the policy on ordering ssl certificates to put in the ssl_renewals alias for all ssl cert info.

Additionally, we should see if we can change the backend contact info for all existing GlobalSign certs without reissuing (since it's renewal info, not cert info, it shouldn't need reissue).

It seems like we've made a lot of progress on this front since late 2015. Should we consider this resolved now? @RobH?

All certificates are now tracked in icinga so I think this can indeed be resolved. (We've also transitioned over to LE for the bulk of non-wildcards!)

BBlack claimed this task.

There are (separate) Icinga checks for the *.planet.wikimedia.org and the *.wmfusercontent.org cert that recently alerted on upcoming expiry of the main unified cert. They were added before these certs were added to the unified cert, I believe. Maybe that means they should be removed as redundant (but they also serve as an https check in general, it just additionally checks the cert, so maybe not :)).