Page MenuHomePhabricator

Renew Digicert Unified in 2019
Closed, ResolvedPublic

Description

Our big Digicert unified certificate expires at 2019-01-24T12:00:00 UTC . See also related GlobalSign ticket recently resolved at T206804

Same very basic rules apply as usual:

  • Fresh private keys
  • ECDSA+RSA
  • ~1yr validity
  • Embedded SCTs
  • Minimim 10 days of clock skew room between the new one's start date and the old one's expiry

This means the start date on the new cert must be no later than 2019-01-14T12:00:00 UTC. Ideally, if we can, we should aim for an end date out in Feb/Mar 2020 somewhere, so that we can further increase the current 63-day spread between GlobalSign and Digicert expiries and avoid Holiday-related issues next time around, even if that means the validity on this one is a bit longer than a year (e.g. ~13-14 months). An alternative strategy that would fix the same process issues would be to get this one as a ~6-month cert.

Given there's only two weeks between everyone coming back from various holidays and our maximal start date, we should try to get the purchasing process cleaned up between now and mid-December, so that the funding is ready-to-go from the vendor's POV before the start of the new year, and we just have technical processes to take care of during early January. I'm not sure if that's going to complicate things on our end or theirs, crossing the purchase over a CY boundary like that, but I wouldn't think so.

We may eventually add LetsEncrypt as a 3rd redundant certificate sometime during 2019, and we may then also eventually choose to drop one of our two commercial vendors later if we're happy with how LE is working out, but none of those things are certain enough by Jan 2019 to impact our planning or renewal process here in any way.

Details

Related Gerrit Patches:
operations/puppet : productionDeploy digicert-2019 to esams
operations/puppet : productionTest digicert-2019 on cp3030 and cp3034
operations/puppet : productionDeploy inactive digicert 2019 unified certs
labs/private : masteradd dummy SSL keys for digicert-2019-{rsa,ecdsa}-unified
operations/puppet : productionAdd Digicert 2019 unified certs
operations/puppet : productionesams/eqsin: flip unified to globalsign-2018

Event Timeline

BBlack triaged this task as Normal priority.Nov 14 2018, 5:35 PM
BBlack created this task.
Restricted Application added a project: Operations. · View Herald TranscriptNov 14 2018, 5:35 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BBlack updated the task description. (Show Details)Nov 14 2018, 5:37 PM
BBlack added a comment.EditedNov 14 2018, 5:48 PM

Also, we should pre-downtime the unified ssl checks in icinga for cp3NNN and cp5NNN early next week before the US Thanksgiving holidays, so that nobody's pestered by a spam of WARNING alerts, which I believe are set to trigger 60 days out from expiry.

ema moved this task from Triage to TLS on the Traffic board.Nov 15 2018, 10:06 AM

Downtimes set, we shouldn't get cert alerts in icinga

Change 485179 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] esams/eqsin: flip unified to globalsign-2018

https://gerrit.wikimedia.org/r/485179

Change 485179 merged by BBlack:
[operations/puppet@production] esams/eqsin: flip unified to globalsign-2018

https://gerrit.wikimedia.org/r/485179

RobH closed subtask Unknown Object (Task) as Resolved.Oct 1 2019, 5:33 PM
Krenair added a subscriber: Krenair.Oct 1 2019, 7:21 PM

Change 540469 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Add Digicert 2019 unified certs

https://gerrit.wikimedia.org/r/540469

Change 540470 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deploy inactive digicert 2019 unified certs

https://gerrit.wikimedia.org/r/540470

Change 540469 merged by BBlack:
[operations/puppet@production] Add Digicert 2019 unified certs

https://gerrit.wikimedia.org/r/540469

Change 540522 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[labs/private@master] add dummy SSL keys for digicert-2019-{rsa,unified}-unified

https://gerrit.wikimedia.org/r/540522

Change 540522 merged by Vgutierrez:
[labs/private@master] add dummy SSL keys for digicert-2019-{rsa,ecdsa}-unified

https://gerrit.wikimedia.org/r/540522

Change 540470 merged by BBlack:
[operations/puppet@production] Deploy inactive digicert 2019 unified certs

https://gerrit.wikimedia.org/r/540470

RobH removed a subscriber: RobH.Oct 3 2019, 3:54 PM

Change 543900 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Test digicert-2019 on cp3030 and cp3034

https://gerrit.wikimedia.org/r/543900

Change 543901 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Deploy digicert-2019 to esams

https://gerrit.wikimedia.org/r/543901

Change 543900 merged by BBlack:
[operations/puppet@production] Test digicert-2019 on cp3030 and cp3034

https://gerrit.wikimedia.org/r/543900

Change 543901 merged by BBlack:
[operations/puppet@production] Deploy digicert-2019 to esams

https://gerrit.wikimedia.org/r/543901

BBlack closed this task as Resolved.Thu, Oct 17, 5:35 PM

Digicert-2019 is now in live use at the esams edge and we have full normal redundancy (for now) among commercial cert vendors.

Random status update on other related bits: We're a few puppetization changes out from properly supporting LE as our third cert option and deploying that to eqsin over in T234803 -> T230687 . Globalsign renewal is coming up fast (procurement in T234061 , expires Nov 22). We anticipate that by the time the next Digicert + GlobalSign renewals come around in 2020, we'll be fully comfortable with just LE plus one commercial vendor instead of two.