
[puppet] Remove expired and unused certs from modules/profile/files/ssl/ and modules/base/files/ca
Open, High, Public

Description

We deploy a number of expired intermediate certificates to the machines (and Cloud VPS VMs), and that is making some SSL checks fail:

dcaro@tools-harbor-1:~$ echo | openssl s_client -connect 87.240.132.67:443 -showcerts 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:C = RU, ST = Saint Petersburg, L = Saint Petersburg, O = V Kontakte LLC, CN = *.vk.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=C = RU, ST = Saint Petersburg, L = Saint Petersburg, O = V Kontakte LLC, CN = *.vk.com

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4052 bytes and written 363 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---

So this task is to remove any unused certificates under modules/profile/files/ssl/ that are expired, and then clean up all the unused intermediate certificates under modules/base/files/ca.

From IRC with bblack:

cleaning it up in the general case is a little tricky.  but we could start with cleaning up certs from files/ssl/ that are sufficiently expired, and then see if any remaining ones use the deployed intermediates that are expired, etc
16:53:10 most of those certs are internal ones signed from palladium
16:54:58 AFAICS, for this one particular case you mentioned: the only cert we have in there that uses it is "star.tools.wmflabs.org.crt", which itself expired in 2020
16:55:05 I'm guessing that's not deployed anywhere
16:55:52 (I don't see any refs in production puppet anyways, and it can't be useful)
16:56:20 so maybe do a patch to remove star.tools.wmflabs.org.crt, and then to remove the expired GlobalSign_Organization_Validation_CA_-_SHA256_-_G2.crt ?
16:57:49 note when removing the sslcert::ca part in base/certificates.pp, you should step through an ensure=>absent deployment first, so that it can clean up messes.

List of certs and the intermediate each one is issued by:

Got one: modules/profile/files/ssl/digicert-2021-ecdsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2021-rsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2022-ecdsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2022-rsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2023-ecdsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crt
Got one: modules/profile/files/ssl/digicert-2023-rsa-unified.crt
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt
Got one: modules/profile/files/ssl/labvirt-star.codfw.wmnet.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/labvirt-star.eqiad.wmnet.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-corp.codfw.wikimedia.org.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-corp.eqiad.wikimedia.org.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Got one: modules/profile/files/ssl/ldap-ro.codfw.wikimedia.org.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = ldap-ro.codfw.wikimedia.org, emailAddress = root@wikimedia.org
Got one: modules/profile/files/ssl/ldap-ro.eqiad.wikimedia.org.crt
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = ldap-ro.eqiad.wikimedia.org, emailAddress = root@wikimedia.org
Got one: modules/profile/files/ssl/star.tools.wmflabs.org.crt
        Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
Got one: modules/profile/files/ssl/star.wmflabs.org.crt
        Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt

List of expired intermediates:

=== DigiCert_High_Assurance_CA-3.crt Not After : Apr  3 00:00:00 2022 GMT
17:02:45 === GeoTrust_Global_CA.crt Not After : Aug 21 04:00:00 2018 GMT
17:02:45 === GlobalSign_Organization_Validation_CA_-_SHA256_-_G2.crt Not After : Aug  2 10:00:00 2022 GMT
17:02:48 === RapidSSL_SHA256_CA_-_G3.crt Not After : May 20 21:39:32 2022 GMT
17:02:50 === wmf_ca_2017_2020.crt Not After : Jul 18 20:43:26 2020 GMT
17:02:53 ^ all of these sslcert::ca intermediates are expired, FWIW
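The ordering bblack describes (drop expired leaf certs first, then drop an expired intermediate only if no remaining leaf chains to it) is easy to get wrong by hand across two directories. The following is an added example, not code from this task or from the Wikimedia puppet repository: it takes the text that `openssl x509 -noout -subject -issuer -enddate -in FILE` prints for each file (one constructed `=== FILE` header per certificate), classifies files by the directory layout the task names (intermediates under `modules/base/files/ca/`, leafs under `modules/profile/files/ssl/`), and produces the removal plan. The `notAfter` dates for the three intermediates and the "expired in 2020" leaf are taken from the task; the subject lines, the other dates, the fixed `NOW`, and the `example-leaf.wmnet.crt` entry are constructed to show the one case that must block removal: a still-valid leaf whose issuer has already expired.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in the layout `openssl x509 -noout -subject -issuer -enddate`
# prints. Intermediate notAfter dates and the star.tools expiry year are from the
# task; subjects, the remaining dates and example-leaf.wmnet.crt are invented.
SAMPLE = """\
=== modules/base/files/ca/GlobalSign_Organization_Validation_CA_-_SHA256_-_G2.crt
subject=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
issuer=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
notAfter=Aug  2 10:00:00 2022 GMT
=== modules/base/files/ca/wmf_ca_2017_2020.crt
subject=C = US, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
issuer=C = US, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
notAfter=Jul 18 20:43:26 2020 GMT
=== modules/base/files/ca/DigiCert_High_Assurance_CA-3.crt
subject=C = US, O = DigiCert Inc, CN = DigiCert High Assurance CA-3
issuer=C = US, O = DigiCert Inc, CN = DigiCert High Assurance EV Root CA
notAfter=Apr  3 00:00:00 2022 GMT
=== modules/profile/files/ssl/star.tools.wmflabs.org.crt
subject=CN = *.tools.wmflabs.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
notAfter=Jun  1 12:00:00 2020 GMT
=== modules/profile/files/ssl/example-leaf.wmnet.crt
subject=CN = example-leaf.wmnet
issuer=C = US, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
notAfter=Jan  1 00:00:00 2030 GMT
=== modules/profile/files/ssl/digicert-2023-rsa-unified.crt
subject=CN = digicert-2023-rsa-unified
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
notAfter=Jan  1 00:00:00 2024 GMT
"""

# Fixed reference time so the plan is deterministic (constructed).
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)

CN_RE = re.compile(r"(?:^|, )CN = ([^,]+)")


@dataclass
class Cert:
    path: str
    subject_cn: str
    issuer_cn: str
    not_after: datetime

    @property
    def is_intermediate(self) -> bool:
        # Repo layout from the task: CA bundle files live under base/files/ca.
        return "/files/ca/" in self.path

    def expired(self, now: datetime) -> bool:
        return self.not_after <= now


def cn_of(dn: str) -> str:
    """Pull the CN out of an openssl-style 'C = .., O = .., CN = ..' DN string."""
    match = CN_RE.search(dn)
    if match is None:
        raise ValueError(f"no CN in DN: {dn!r}")
    return match.group(1).strip()


def parse_not_after(value: str) -> datetime:
    """Parse openssl's 'Mon dd HH:MM:SS YYYY GMT' (day may be space padded)."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def parse_records(text: str) -> list[Cert]:
    """Split the dump on '=== FILE' headers and build one Cert per block."""
    certs = []
    for block in text.split("=== ")[1:]:
        header, *body = block.splitlines()
        fields = dict(line.split("=", 1) for line in body if "=" in line)
        certs.append(
            Cert(
                path=header.strip(),
                subject_cn=cn_of(fields["subject"]),
                issuer_cn=cn_of(fields["issuer"]),
                not_after=parse_not_after(fields["notAfter"]),
            )
        )
    return certs


def plan_cleanup(certs: list[Cert], now: datetime) -> dict:
    """Apply the order from the task: expired leafs first, then intermediates
    that are expired AND no longer chained to by any remaining (valid) leaf.
    An expired intermediate that a valid leaf still chains to is reported as
    blocked: removing it would not fix that leaf, the leaf itself needs renewal."""
    leafs = [c for c in certs if not c.is_intermediate]
    intermediates = [c for c in certs if c.is_intermediate]
    expired_leafs = sorted(c.path for c in leafs if c.expired(now))
    live_leafs = [c for c in leafs if not c.expired(now)]
    removable, blocked = [], {}
    for ca in intermediates:
        if not ca.expired(now):
            continue  # still valid: out of scope for this cleanup
        users = sorted(l.path for l in live_leafs if l.issuer_cn == ca.subject_cn)
        if users:
            blocked[ca.path] = users
        else:
            removable.append(ca.path)
    return {
        "remove_leafs": expired_leafs,
        "remove_intermediates": sorted(removable),
        "blocked_intermediates": blocked,
    }


if __name__ == "__main__":
    plan = plan_cleanup(parse_records(SAMPLE), NOW)
    print("1. remove expired leaf certs:", *plan["remove_leafs"], sep="\n   ")
    print("2. ensure => absent, then remove intermediates:", *plan["remove_intermediates"], sep="\n   ")
    for ca, users in plan["blocked_intermediates"].items():
        print(f"BLOCKED {ca}: still chained to by valid leafs {users}")
```

Matching is done on the issuer CN only, which is enough for the files listed in this task but is not a cryptographic check; if two intermediates ever share a CN (a renewed CA keeps the same name), compare the Authority Key Identifier against the Subject Key Identifier instead.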