cergen should include the cert's name in SAN too
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	fgiunchedi
	Dec 13 2021, 1:22 PM

Description

While investigating T291946 I noticed that karthoterian doesn't have its discovery name in SAN but only as Common Name instead.

msg="Error for HTTP request" err="Get https://10.2.2.13:443/osm-intl/6/23/24.png: x509: certificate is valid for kartotherian.svc.eqiad.wmnet, kartotherian.svc.codfw.wmnet, maps.wikimedia.org, not kartotherian.discovery.wmnet"

Karto's cergen entry looks like this:

kartotherian.discovery.wmnet:
  authority: puppet_ca
  expiry: null
  alt_names: [kartotherian.svc.eqiad.wmnet,kartotherian.svc.codfw.wmnet,maps.wikimedia.org]
  key:
     passwork: foo
     algorithm: ec

Checking Common Name is deprecated, I think cergen should add the cert's name to alt_names if not there already (we have a few cases where we already duplicate the .discovery.wmnet entry manually in alt_names). What do you think @Ottomata ?

Details

Project	Branch	Lines +/-	Subject
operations/puppet	production	+23 -23	ssl: update kartotherian cert
cergen	master	+4 -3	Make sure CN is included in SAN
cergen	master	+2 -2	tox: test on oldstable python version

Customize query in gerrit

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		fgiunchedi	T291946 Move service::catalog checks (“monitoring” section) to blackbox exporter and Alertmanager
		Resolved		fgiunchedi	T297604 cergen should include the cert's name in SAN too

Event Timeline

fgiunchedi created this task.Dec 13 2021, 1:22 PM

I have some vague feeling that there was a reason not to do this, but I can't recall why and I can't find any docs by my past self to indicate that it was (which I usually do if intentional).

I'm ok with it! But, I wonder if it is better to be explicit about this and manually add it to the list of alt_names instead of always doing it? Perhaps there is some reason to not have the CN in the SAN?

In T297604#7566367, @Ottomata wrote:

I have some vague feeling that there was a reason not to do this, but I can't recall why and I can't find any docs by my past self to indicate that it was (which I usually do if intentional).

I'm ok with it! But, I wonder if it is better to be explicit about this and manually add it to the list of alt_names instead of always doing it? Perhaps there is some reason to not have the CN in the SAN?

AFAIK there's no downside to it, and I think it is handy to not have to repeat ourselves. However I'm fine either way, so far the case I found is kartotherian, there might be others.

Change 746892 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[cergen@master] Make sure CN is included in SAN

https://gerrit.wikimedia.org/r/746892

gerritbot added a project: Patch-For-Review.Dec 13 2021, 4:18 PM

fgiunchedi moved this task from Backlog to Doing on the User-fgiunchedi board.Dec 15 2021, 10:07 AM

Change 751411 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[cergen@master] tox: test on oldstable + stable python versions

https://gerrit.wikimedia.org/r/751411

fgiunchedi moved this task from FY2021/2022-Q2 to FY2021/2022-Q3 on the SRE Observability board.Jan 17 2022, 1:56 PM

fgiunchedi edited projects, added SRE Observability (FY2021/2022-Q3); removed SRE Observability (FY2021/2022-Q2).

fgiunchedi mentioned this in T291946: Move service::catalog checks (“monitoring” section) to blackbox exporter and Alertmanager.Jan 18 2022, 1:41 PM

Change 751411 merged by Filippo Giunchedi: