Page MenuHomePhabricator

Renew RESTBase self-signed root certificate authority
Closed, ResolvedPublic

Description

The root CA will need to be renewed/replaced by no later than September 18, when it expires.

See also: T120662: Track/alert cassandra certs expiration

NOTE: During the ops-services-syncup meeting today (2016-08-18), @faidon suggested that the root CA be replaced by one with a 5 year expiration.

Event Timeline

Eevans created this task.Aug 15 2016, 8:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 15 2016, 8:08 PM
Eevans updated the task description. (Show Details)
Eevans moved this task from Backlog to Next on the Cassandra board.
Eevans triaged this task as Medium priority.Aug 18 2016, 2:01 PM
Eevans updated the task description. (Show Details)Aug 18 2016, 4:00 PM
Eevans added a subscriber: faidon.

the procedure to rollover / extend expiration is outlined at https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates

we can change cassandra-ca-manager to issue CA certs with default expiration of 5yr and issue a new CA cert

The proposed solution to monitoring certificate expiration (https://gerrit.wikimedia.org/r/#/c/305633), acts remotely using the encrypted inter-node messaging port (7001), and so is testing the server certificate only. This still leaves open the question of monitoring the root CA for expiration.

It has already been suggested that we increase the root CA expiration from 1 year to 5. I wonder, is there much of a difference, security-wise, between 5 years and say 50 (where 50 years is arbitrary, something that for this purpose seems indefinite)? Should we just make the expiration long enough that we'll never have to worry about it expiring?

@faidon, @MoritzMuehlenhoff, @dpatrick ?

Dzahn added a subscriber: Dzahn.Aug 19 2016, 7:18 PM

We can check that with existing "check_ssl_certfile" or a slight variation of it.

"via NRPE. It runs "openssl x509 -checkend 324000 -noout -in $1 on the cert file. "

T120662#1881511
T116332

This is if we do want it to expire and monitor that.

Mentioned in SAL [2016-09-08T14:36:39Z] <godog> bounce restbase-test2001 cassandra-a instance T143044

Mentioned in SAL [2016-09-08T16:13:07Z] <godog> roll-restart cassandra instances on restbase-test cluster T143044

this is complete with a 50y CA in the restbase test cluster, production cluster to follow monday week

root@cerium:/etc/cassandra-a/tls# keytool -list -keystore server.key 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

cerium-a, Sep 8, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): EA:B9:2C:EB:1E:57:BA:1F:71:84:70:11:12:E6:62:BF:E8:B9:48:AA
mykey, Sep 8, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): B6:97:AF:B9:94:C5:21:A0:C2:FE:82:DC:9B:64:06:AC:16:35:EF:7C

note we'll need to renew some instance certs in codfw as part of this as they are about to expire anyway

Mentioned in SAL [2016-09-12T15:15:57Z] <godog> drain and restart cassandra instances on restbase2001 with new CA - T143044

Mentioned in SAL [2016-09-12T15:41:21Z] <godog> roll-restart cassandra in codfw with new CA and certs T143044

Mentioned in SAL [2016-09-12T17:29:30Z] <godog> roll-restart cassandra in eqiad with new CA and certs T143044

fgiunchedi closed this task as Resolved.Sep 13 2016, 8:31 AM
fgiunchedi claimed this task.

Completed, both CAs for restbase production and staging cluster have been renewed and new certs issued.