Page MenuHomePhabricator
Create Task
Maniphest T369014

Stop using SSLCertificateChainFile on RSA+EC setups
Closed, ResolvedPublic
Actions

Description

As noticed while debugging T369008 we have some httpd misconfigured across the entire fleet. As already noted in Apache documentation SSLCertificateChainFile won't work on dual stack setups:

But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.

a quick git grep shows the following offenders:

  • icinga
  • karma
  • klaxon
  • librenms
  • mirrors
  • orchestrator
  • gerrit

SSLCertificateChainFile+ SSLCertificateFile combo should be dropped in favor of a single SSLCertificateFile pointing to the chained flavor of the crt:

SSLCertificateFile /etc/acmecerts/${'cert_name'}/live/ec-prime256v1.chained.crt
SSLCertificateFile /etc/acmecerts/${'cert_name'}/live/rsa-2048.chained.crt

Details

SubjectRepoBranchLines +/-
gerrit: Stop using SSLCertificateChainFileoperations/puppetproduction+2 -4
mirrors: Stop using SSLCertificateChainFileoperations/puppetproduction+2 -4
orchestrator: Stop using SSLCertificateChainFileoperations/puppetproduction+2 -4
o11y: serve LE chained certificatesoperations/puppetproduction+8 -16
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Tue, Jul 2, 9:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Jul 2, 9:22 AM
Vgutierrez triaged this task as High priority.Tue, Jul 2, 9:22 AM
Vgutierrez added a subtask: T369008: librenms cert chain validation failure.Tue, Jul 2, 9:27 AM
Vgutierrez updated the task description. (Show Details)
gerritbot added a comment.Tue, Jul 2, 9:34 AM

Change #1051301 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] o11y: serve LE chained certificates

https://gerrit.wikimedia.org/r/1051301

gerritbot added a project: Patch-For-Review.Tue, Jul 2, 9:34 AM
Vgutierrez updated the task description. (Show Details)Tue, Jul 2, 9:34 AM
gerritbot added a comment.Tue, Jul 2, 9:38 AM

Change #1051304 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] gerrit: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051304

gerritbot added a comment.Tue, Jul 2, 9:39 AM

Change #1051301 merged by Filippo Giunchedi:

[operations/puppet@production] o11y: serve LE chained certificates

https://gerrit.wikimedia.org/r/1051301

fgiunchedi closed subtask T369008: librenms cert chain validation failure as Resolved.Tue, Jul 2, 9:40 AM
gerritbot added a comment.Tue, Jul 2, 9:40 AM

Change #1051307 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] mirrors: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051307

Vgutierrez added a project: Data-Persistence.Tue, Jul 2, 9:44 AM
gerritbot added a comment.Tue, Jul 2, 9:45 AM

Change #1051310 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] orchestrator: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051310

fgiunchedi updated the task description. (Show Details)Tue, Jul 2, 9:45 AM
Vgutierrez added a project: Infrastructure-Foundations.Tue, Jul 2, 9:49 AM
gerritbot added a comment.Tue, Jul 2, 12:01 PM

Change #1051310 merged by Vgutierrez:

[operations/puppet@production] orchestrator: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051310

gerritbot added a comment.Tue, Jul 2, 12:03 PM

Change #1051307 merged by Vgutierrez:

[operations/puppet@production] mirrors: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051307

Vgutierrez updated the task description. (Show Details)Tue, Jul 2, 12:07 PM
Marostegui subscribed.Tue, Jul 2, 12:12 PM

Orchestrator looking fine after a reload of its apache

gerritbot added a comment.Tue, Jul 2, 12:28 PM

Change #1051304 merged by Vgutierrez:

[operations/puppet@production] gerrit: Stop using SSLCertificateChainFile

https://gerrit.wikimedia.org/r/1051304

Maintenance_bot removed a project: Patch-For-Review.Tue, Jul 2, 12:30 PM
Vgutierrez closed this task as Resolved.Tue, Jul 2, 12:59 PM
Vgutierrez updated the task description. (Show Details)
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits