
acme-chief: Validate that configured certificates can be actually issued
Closed, Resolved · Public

Description

The non-canonical SNI list is highly volatile: we can lose control of one of its domains, and with the current behaviour acme-chief would then fail to issue the certificate in which that domain is listed, affecting up to ~40 SNIs.

Since we use the dns-01 challenge for validation, we can programmatically verify that we are able to fulfil the challenge for a specific SNI before issuing the certificate.

Ideally, instead of stopping the issuing/renewal process for the affected certificate, acme-chief should ignore the affected SNIs and get a certificate for the SNIs that are still valid.
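Added example of the prevalidation step described above (not acme-chief's own code): every name is probed by publishing a throwaway token where the dns-01 response would go and checking that it resolves, and a name we no longer control is skipped instead of aborting the whole request. The FakeDNS class, its controlled zones and the example domains are constructed stand-ins for a real DNS update path and resolver.

```python
import secrets
from typing import Dict, List, Set, Tuple

class FakeDNS:
    """Constructed stand-in for the DNS zones acme-chief can update; names outside
    `controlled` model a domain whose delegation we have lost."""
    def __init__(self, controlled: Set[str]):
        self.controlled = controlled
        self.txt: Dict[str, List[str]] = {}

    def _ours(self, name: str) -> bool:
        return any(name == z or name.endswith("." + z) for z in self.controlled)

    def publish_txt(self, name: str, value: str) -> bool:
        if not self._ours(name):
            return False  # update rejected: the zone is no longer ours
        self.txt.setdefault(name, []).append(value)
        return True

    def remove_txt(self, name: str, value: str) -> None:
        if value in self.txt.get(name, []):
            self.txt[name].remove(value)

    def resolve_txt(self, name: str) -> List[str]:
        return list(self.txt.get(name, []))

def challenge_name(identifier: str) -> str:
    # dns-01 looks up _acme-challenge.<identifier>; a wildcard uses its base name
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"

def can_fulfil_dns01(dns: FakeDNS, identifier: str) -> bool:
    """Publish a throwaway token where the dns-01 response would go and check
    that it resolves; the probe record is removed whether or not it succeeded."""
    name, token = challenge_name(identifier), secrets.token_urlsafe(16)
    try:
        return dns.publish_txt(name, token) and token in dns.resolve_txt(name)
    finally:
        dns.remove_txt(name, token)

def prevalidate(dns: FakeDNS, cn: str, snis: List[str]) -> Tuple[List[str], List[str]]:
    """Return (issuable, skipped). The CN must pass or nothing can be issued;
    a failing SNI is dropped from the request instead of aborting it."""
    if not can_fulfil_dns01(dns, cn):
        raise ValueError(f"cannot fulfil dns-01 challenge for CN {cn}")
    issuable, skipped = [cn], []
    for sni in snis:
        (issuable if can_fulfil_dns01(dns, sni) else skipped).append(sni)
    return issuable, skipped
```

Logging the skipped list is what makes the lost domain visible to operators; silently shrinking the certificate would hide the loss of control.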

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 9 2019, 3:14 PM
Vgutierrez triaged this task as Medium priority. Apr 9 2019, 3:14 PM
Vgutierrez moved this task from Triage to TLS on the Traffic board. Apr 10 2019, 7:16 AM

Change 504510 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] config: Move ACMEChiefConfig to its own module

https://gerrit.wikimedia.org/r/504510

Change 504512 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] acme_chief: Prevalidate CN/SNI list

https://gerrit.wikimedia.org/r/504512

Change 504510 merged by jenkins-bot:
[operations/software/acme-chief@master] config: Move ACMEChiefConfig to its own module

https://gerrit.wikimedia.org/r/504510

Change 504512 merged by Vgutierrez:
[operations/software/acme-chief@master] acme_chief: Prevalidate CN/SNI list

https://gerrit.wikimedia.org/r/504512

Change 507026 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.17

https://gerrit.wikimedia.org/r/507026

Change 507026 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.17

https://gerrit.wikimedia.org/r/507026

Change 507801 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] config: Move ACMEChiefConfig to its own module

https://gerrit.wikimedia.org/r/507801

Change 507804 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] acme_chief: Prevalidate CN/SNI list

https://gerrit.wikimedia.org/r/507804

Change 507805 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.17

https://gerrit.wikimedia.org/r/507805

Change 507801 merged by jenkins-bot:
[operations/software/acme-chief@debian] config: Move ACMEChiefConfig to its own module

https://gerrit.wikimedia.org/r/507801

Change 507804 merged by jenkins-bot:
[operations/software/acme-chief@debian] acme_chief: Prevalidate CN/SNI list

https://gerrit.wikimedia.org/r/507804

Change 507805 merged by jenkins-bot:
[operations/software/acme-chief@debian] Release 0.17

https://gerrit.wikimedia.org/r/507805

Change 512866 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.17 to changelog

https://gerrit.wikimedia.org/r/512866

Change 512866 merged by Vgutierrez:
[operations/software/acme-chief@debian] debian: Add release 0.17 to changelog

https://gerrit.wikimedia.org/r/512866

Mentioned in SAL (#wikimedia-operations) [2019-05-28T08:47:47Z] <vgutierrez> uploaded acme-chief 0.17 to apt.wikimedia.org (buster) - T220518 T213820

Change 512871 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Enable SNI prevalidation for non-canonical certificates

https://gerrit.wikimedia.org/r/512871

Mentioned in SAL (#wikimedia-operations) [2019-06-03T14:20:52Z] <vgutierrez> upgrading acme-chief to version 0.17 in acme-chief production instances - T220518

Change 512871 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Enable SNI prevalidation for non-canonical certificates

https://gerrit.wikimedia.org/r/512871

Vgutierrez closed this task as Resolved. Jun 4 2019, 12:38 PM