
letsencrypt puppetization: upgrade for scalability
Closed, Resolved · Public

Description

The current LE module/script works well enough for small one-off cases, but it could use some general improvements, especially in the direction of scaling to large certs and large numbers of certs. On my mind at present:

- 'id' parameter should be validated and ~~normalized~~ better
- 'subjects' should be validated, normalized (especially case), sorted, and the check-comparisons should be sort-invariant.
- better privkey management (re-generate when older than X+/-Y, but in sync with a cert renewal?)
- use config files in place of command-line args (global config + per-cert in a conf.d/-like structure)
- refactor the script to efficiently process all configs in a single run, in both self and acme modes
- build an abstraction around this for large subject counts across multiple auto-split certs (for the secure direct case, and probably also beta cluster w/ limited lang subs?)
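The first five items above are mostly input hygiene and bookkeeping, so here is an added illustration (not the puppet module's own code) of what they look like together: ID validation against the character class the later change settled on, case-normalized and sort-invariant subject comparison, a privkey-age check with deterministic jitter, and a loader that reads every per-cert config from a conf.d/ directory in one pass. The `+` quantifier on the ID pattern, the `<id>.ini` file layout with a `[cert]` section, and the `subjects`/`mode` keys are assumptions for the example.

```python
"""Validation and normalization helpers for an acme-setup-style cert tool.

Added illustration, not the Wikimedia puppet module's code. Assumes a conf.d/
layout of one INI file per cert, named <id>.ini, with a [cert] section whose
`subjects` key is a comma-separated list (the layout itself is an assumption).
"""
import configparser
import hashlib
import re
from pathlib import Path

# Assumption: the character class from the merged change, with a '+' quantifier
# (the task page shows the pattern without one, most likely lost in extraction).
CERT_ID_RE = re.compile(r'^[-a-zA-Z0-9_]+$')
# One DNS label after lowercasing, or a bare '*' (wildcard label).
LABEL_RE = re.compile(r'^(\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$')


def validate_cert_id(cert_id: str) -> str:
    """The ID becomes file and directory names, so '/', '..', spaces and shell
    metacharacters must never get through."""
    if not CERT_ID_RE.match(cert_id):
        raise ValueError(f"invalid cert id {cert_id!r}: only [-a-zA-Z0-9_]+ allowed")
    return cert_id


def normalize_subjects(subjects):
    """Lowercase, strip whitespace and trailing dots, drop duplicates, validate, sort.

    Returns a sorted tuple so callers compare the set of names, not input order.
    """
    names = set()
    for raw in subjects:
        name = raw.strip().lower().rstrip('.')
        if not name:
            continue
        labels = name.split('.')
        if len(labels) < 2 or any(not LABEL_RE.match(label) for label in labels):
            raise ValueError(f"invalid subject {raw!r}")
        if '*' in labels[1:]:
            raise ValueError(f"wildcard only allowed as the leftmost label: {raw!r}")
        names.add(name)
    if not names:
        raise ValueError("no subjects given")
    return tuple(sorted(names))


def subjects_changed(issued, requested) -> bool:
    """Sort-invariant check: does the issued cert's SAN list differ from the config?"""
    return normalize_subjects(issued) != normalize_subjects(requested)


def privkey_due(key_age_days: int, cert_id: str, max_age_days=365, jitter_days=30) -> bool:
    """Re-generate when the key is older than X +/- Y days.

    The jitter is derived from a hash of the cert ID rather than random(), so every
    run of the script (and every host) agrees on the threshold for a given cert and
    the key swap lands on one predictable renewal instead of flapping between runs.
    """
    digest = hashlib.sha256(cert_id.encode()).digest()
    offset = int.from_bytes(digest[:4], 'big') % (2 * jitter_days + 1) - jitter_days
    return key_age_days >= max_age_days + offset


def load_cert_configs(conf_dir):
    """Read every conf.d/<id>.ini once, so a single run can process all certs."""
    configs = {}
    for path in sorted(Path(conf_dir).glob('*.ini')):
        cert_id = validate_cert_id(path.stem)
        parser = configparser.ConfigParser()
        parser.read(path)
        subjects = normalize_subjects(parser['cert']['subjects'].split(','))
        configs[cert_id] = {'subjects': subjects,
                            'mode': parser['cert'].get('mode', 'acme')}
    return configs


if __name__ == '__main__':
    import tempfile
    with tempfile.TemporaryDirectory() as d:   # constructed sample conf.d/
        Path(d, 'wiki-main.ini').write_text(
            '[cert]\nsubjects = Www.Example.org, example.org.\nmode = acme\n')
        for cid, cfg in load_cert_configs(d).items():
            print(cid, cfg)
```

The deterministic jitter is the part worth copying: a per-run `random()` offset would make two consecutive runs disagree about whether the key is due, which is exactly the "in sync with a cert renewal" problem the item above raises.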


Event Timeline

BBlack created this task. May 4 2016, 9:46 PM
Restricted Application added a subscriber: Zppix. May 4 2016, 9:46 PM

Change 287032 had a related patch set uploaded (by Dzahn):
acme-setup: only accept ASCII letters as cert ID

https://gerrit.wikimedia.org/r/287032

Paladox added a subscriber: Paladox. May 5 2016, 7:41 AM
Glaisher removed a subscriber: Glaisher. May 5 2016, 9:21 AM

Change 287032 merged by Dzahn:
acme-setup: only accept '^[-a-zA-Z0-9_] $' as unique cert ID

https://gerrit.wikimedia.org/r/287032

Dzahn updated the task description. May 12 2016, 4:52 PM

Change 304848 had a related patch set uploaded (by BBlack):
acme-setup: sort the subjects early

https://gerrit.wikimedia.org/r/304848

Change 304848 merged by BBlack:
acme-setup: sort the subjects early

https://gerrit.wikimedia.org/r/304848

BBlack updated the task description. Aug 15 2016, 6:10 PM
BBlack moved this task from Triage to TLS on the Traffic board. Sep 30 2016, 1:40 PM

> build an abstraction around this for large subject counts across multiple auto-split certs (for secure direct case, and probably also beta cluster w/ limited lang subs?)

Maybe but if we get DNS challenge support in our acme_tiny and good abstraction there, it'll be handled by T182927

are we going to do this as part of the letsencrypt puppetisation or is this getting made (mostly?) obsolete by certcentral?

Dzahn added a comment. Jan 3 2019, 8:13 PM

Was also wondering this. Is this ticket deprecated due to CertCentral work?

Krenair closed this task as Resolved. Jan 14 2019, 1:34 PM

I think at this point the route forward is certcentral and there's not much point keeping this particular ticket open. Feel free to reopen if you disagree.