
update SSL certificate for benefactorevents.wikimedia.org by 2017-03-02
Closed, Resolved · Public

Description

We need to renew the SSL cert for benefactorevents.wikimedia.org by 2017-03-02; the original certificate was requested in T107059.

We should consider switching this certificate from the existing CA to Let's Encrypt (https://letsencrypt.org) which is what we're doing for many of our domains. This approach would be self-serve and automatable for Trilogy, instead of having to redo the renewal shuffle with WMF staff annually.

Event Timeline

Restricted Application added a subscriber: Aklapper.

@EWilfong_WMF are you the right point of contact for Trilogy for this?

Please note that some potential details for this are also on private task T156849. However, relevant info has been copied to this task.

@Jgreen Yes, I will be the point of contact for this update. This domain is hosted using Azure's App Service which requires us to manually upload a PFX cert file to update the cert. While we could certainly do this with Let's Encrypt, because of the short-lived expiration (90 days) of those certs we would be making this manual update regularly. We would prefer to stick with the previous cert vendor for now to limit updates to once per year.

Added Danny as a subscriber, as he's the event lead.

@Jgreen @RobH - Checking in on our next steps here. I would love to get the new cert in place this week so we're not pushing up against the March 2 deadline.

@EWilfong_WMF: Just wanted to check, we'll be generating the private key, csr, and ordering the certificate.

In the past, you provided your gpg key to send over the files to you:

Sure. Here's my public PGP key:


Can you advise what email we should send things to?

Perfect. ewilfong@trilogyinteractive.com

I'll handle key/csr generation and cert ordering. Then I'll pgp encrypt and email the key over to Eric @ Trilogy (with the public cert attached as well.)

Additionally, we will store a copy of these in the fundraising key/ssl store.
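The key/CSR generation, PFX packaging for the Azure App Service upload, and an expiry check against the renewal deadline, as an added shell example (not part of the task, and not WMF's or Trilogy's own tooling); the output directory, PFX password and the self-signed stand-in certificate are constructed for local testing and assume a local OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: renewal steps for a hostname such as benefactorevents.wikimedia.org.
# All paths, the PFX password and the self-signed test cert are constructed assumptions.
set -eu

# gen_key_and_csr DOMAIN OUTDIR -> OUTDIR/DOMAIN.key (mode 0600) and OUTDIR/DOMAIN.csr
gen_key_and_csr() {
  domain="$1"; outdir="$2"
  mkdir -p "$outdir"
  # subshell so the restrictive umask does not leak into the caller
  (umask 077; openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
      -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null)
}

# csr_cn CSRFILE -> prints the CN so the CSR can be checked before it is sent to the CA
csr_cn() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# selfsign_for_test KEY CSR CERT DAYS -> local stand-in for the CA-issued certificate
selfsign_for_test() {
  openssl x509 -req -in "$2" -signkey "$1" -days "$4" -out "$3" 2>/dev/null
}

# make_pfx KEY CERT PFXFILE PASSWORD -> PKCS#12 bundle of the kind Azure App Service takes
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# pfx_ok PFXFILE PASSWORD -> exit 0 if the bundle parses with that password
pfx_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# cert_expires_within CERT DAYS -> exit 0 if the cert expires inside DAYS (time to renew)
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```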

I've emailed the new public cert and private key file (the key being pgp encrypted) over to @EWilfong_WMF.

Thanks, @RobH, the new cert is in place on benefactorevents.wikimedia.org.
