Page MenuHomePhabricator
Create Task
Maniphest T134447

letsencrypt puppetization: upgrade for scalability
Closed, ResolvedPublic
Actions

Description

The current LE module/script works well-enough for small one-off cases, but it could use some general improvements, especially in the direction of scaling for large certs and large counts of certs. On my mind at present:

  • - 'id' parameter should be validated and <s>normalized</s> better
  • - 'subjects' should be validated, normalized (esp case), sorted, and the check-comparisons should be sort-invariant.
  • - better privkey management (re-generate when older than X+/-Y, but in sync with a cert renewal?)
  • - use configfiles in place of commandline args (global config + per-cert in conf.d/-like structure)
  • - refactor script to efficiently process all configs in a single run, in both self and acme modes
  • - build an abstraction around this for large subject counts across multiple auto-split certs (for secure direct case, and probably also beta cluster w/ limited lang subs?)

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+13 -2acme-setup: sort the subjects early
operations/puppetproduction+5 -0acme-setup: only accept '^[-a-zA-Z0-9_]+$' as unique cert ID
Customize query in gerrit

Related Objects
Search...

Event Timeline

BBlack created this task.May 4 2016, 9:46 PM
Restricted Application added a subscriber: Zppix. · View Herald TranscriptMay 4 2016, 9:46 PM
gerritbot added a subscriber: gerritbot.May 4 2016, 11:45 PM

Change 287032 had a related patch set uploaded (by Dzahn):
acme-setup: only accept ASCII letters as cert ID

https://gerrit.wikimedia.org/r/287032

gerritbot added a project: Patch-For-Review.May 4 2016, 11:45 PM
Paladox added a subscriber: Paladox.May 5 2016, 7:41 AM
Glaisher removed a subscriber: Glaisher.May 5 2016, 9:21 AM
gerritbot added a comment.May 12 2016, 4:43 PM

Change 287032 merged by Dzahn:
acme-setup: only accept '^[-a-zA-Z0-9_] $' as unique cert ID

https://gerrit.wikimedia.org/r/287032

Dzahn mentioned this in rOPUPa83b05c0414f: acme-setup: only accept '^[-a-zA-Z0-9_]+$' as unique cert ID.May 12 2016, 4:45 PM
Dzahn updated the task description. (Show Details)May 12 2016, 4:52 PM
Dzahn mentioned this in rOPUP198beda027c7: acme-setup: only accept '^[-a-zA-Z0-9_]+$' as unique cert ID.Jun 17 2016, 6:09 PM
Dzahn mentioned this in rOPUPa048cbe347a9: acme-setup: only accept ^[a-z0-9-_]+$' as unique cert ID.
Dzahn mentioned this in rOPUPc4e720cbcf25: acme-setup: only accept ASCII letters as unique cert ID.
Dzahn mentioned this in rOPUP0adfb6feb597: acme-setup: only accept ASCII letters as unique cert ID.
Dzahn mentioned this in rOPUP6af27d864a63: acme-setup: only accept ASCII letters as unique cert ID.
Dzahn mentioned this in rOPUP73cadbff7175: acme-setup: only accept ASCII letters as unique cert ID.
Dzahn mentioned this in rOPUP48c291529389: acme-setup: only accept ASCII letters as cert ID.
BBlack created subtask T141266: letsencrypt puppetization: add parallel rsa+ecdsa cert support.Jul 25 2016, 3:45 PM
gerritbot added a comment.Aug 15 2016, 4:23 PM

Change 304848 had a related patch set uploaded (by BBlack):
acme-setup: sort the subjects early

https://gerrit.wikimedia.org/r/304848

BBlack mentioned this in rOPUP2edcb89f2fc0: acme-setup: sort the subjects early.Aug 15 2016, 4:26 PM
gerritbot added a comment.Aug 15 2016, 4:30 PM

Change 304848 merged by BBlack:
acme-setup: sort the subjects early

https://gerrit.wikimedia.org/r/304848

BBlack mentioned this in rOPUPd2fea5052836: acme-setup: sort the subjects early.Aug 15 2016, 4:35 PM
BBlack updated the task description. (Show Details)Aug 15 2016, 6:10 PM
BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:40 PM
Krenair added a comment.Jul 8 2018, 7:50 PM

build an abstraction around this for large subject counts across multiple auto-split certs (for secure direct case, and probably also beta cluster w/ limited lang subs?)

Maybe but if we get DNS challenge support in our acme_tiny and good abstraction there, it'll be handled by T182927

Krenair added a comment.Sep 12 2018, 1:22 PM

are we going to do this as part of the letsencrypt puppetisation or is this getting made (mostly?) obsolete by certcentral?

Krenair added a comment.Oct 13 2018, 5:16 PM

@BBlack ?

Dzahn added a comment.Jan 3 2019, 8:13 PM

Was also wondering this. Is this ticket deprecated due to CertCentral work?

Krenair closed this task as Resolved.Jan 14 2019, 1:34 PM

I think at this point the route forward is certcentral and there's not much point keeping this particular ticket open. Feel free to reopen if you disagree.

Krenair closed subtask T141266: letsencrypt puppetization: add parallel rsa+ecdsa cert support as Resolved.Jan 14 2019, 1:34 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL