Page MenuHomePhabricator
Create Task
Maniphest T213737

Allow specifying a custom period of time before deploying a newly issued certificate
Closed, ResolvedPublic
Actions

Description

Let's Encrypt issues the certificates one hour in the past to attempt to minimize clock skew issues. While this is enough for the non big-public sites (icinga, phabricator...) the global unified wildcard certificate needs to be issued days before being deployed.

This needs to be configurable per certificate on certcentral.

Details

ProjectBranchLines +/-Subject
operations/software/certcentraldebian+2 -2Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief
operations/software/certcentraldebian+115 -9certcentral: Implement staging time
operations/software/certcentralmaster+2 -2Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief
operations/software/certcentralmaster+115 -9certcentral: Implement staging time
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez triaged this task as Medium priority.Jan 14 2019, 5:13 PM
Vgutierrez created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2019, 5:13 PM
gerritbot added a subscriber: gerritbot.Jan 21 2019, 9:06 AM

Change 485594 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Implement staging time

https://gerrit.wikimedia.org/r/485594

gerritbot added a project: Patch-For-Review.Jan 21 2019, 9:06 AM
Vgutierrez mentioned this in rOSCCa6fb46fc5f1e: certcentral: Implement staging time.Jan 21 2019, 9:18 AM
Vgutierrez mentioned this in rOSCC0c804db36018: certcentral: Implement staging time.
Vgutierrez mentioned this in rOSCCd7a33928526b: certcentral: Implement staging time.Jan 21 2019, 9:47 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 11:04 PM
Vgutierrez mentioned this in rOSCC808aa227f1b8: certcentral: Implement staging time.Feb 5 2019, 3:15 PM
Vgutierrez mentioned this in rOSCC3fa7a5d8572b: certcentral: Implement staging time.Feb 7 2019, 12:29 PM
gerritbot added a comment.Feb 11 2019, 4:27 PM

Change 485594 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Implement staging time

https://gerrit.wikimedia.org/r/485594

gerritbot added a comment.Feb 12 2019, 8:13 AM

Change 489988 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Implement staging time

https://gerrit.wikimedia.org/r/489988

Vgutierrez mentioned this in rOSCC5ec2b0e98c6f: certcentral: Implement staging time.Feb 12 2019, 8:18 AM
gerritbot added a comment.Feb 12 2019, 10:10 AM

Change 490006 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief

https://gerrit.wikimedia.org/r/490006

Vgutierrez mentioned this in rOSCCdee531a87473: Release 0.9 This release includes the following changes: * Implement….Feb 12 2019, 10:13 AM
gerritbot added a comment.Feb 12 2019, 10:14 AM

Change 490006 merged by jenkins-bot:
[operations/software/certcentral@master] Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief

https://gerrit.wikimedia.org/r/490006

gerritbot added a comment.Feb 12 2019, 10:25 AM

Change 490011 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief

https://gerrit.wikimedia.org/r/490011

Vgutierrez mentioned this in rOSCCe5b41ec8c032: Release 0.9 This release includes the following changes: * Implement….Feb 12 2019, 10:26 AM
gerritbot added a comment.Feb 12 2019, 11:01 AM

Change 489988 merged by jenkins-bot:
[operations/software/certcentral@debian] certcentral: Implement staging time

https://gerrit.wikimedia.org/r/489988

gerritbot added a comment.Feb 12 2019, 11:02 AM

Change 490011 merged by jenkins-bot:
[operations/software/certcentral@debian] Release 0.9 This release includes the following changes: * Implement staging time * Rename certcentral to acme-chief

https://gerrit.wikimedia.org/r/490011

Stashbot mentioned this in T207389: Rename the Certcentral project to Acme-chief.Feb 12 2019, 1:39 PM
Stashbot added a subscriber: Stashbot.

Mentioned in SAL (#wikimedia-operations) [2019-02-12T13:39:41Z] <vgutierrez> uploaded acme-chief 0.9 to apt.wikimedia.org (stretch) - T207389 T213737

Krenair added a subscriber: Krenair.Feb 22 2019, 12:42 PM

Is this resolved now? Also, duplicate of T204997: certcentral: delay deployment of renewed certs to wait out skewed client clocks ?

Vgutierrez closed this task as Resolved.Feb 22 2019, 12:43 PM

yes, this has been included as part of the latest release

Krenair mentioned this in T204997: certcentral: delay deployment of renewed certs to wait out skewed client clocks.Feb 22 2019, 12:45 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL