Closed
Bug 1173928
Opened 9 years ago
Closed 9 years ago
load crash-stats/crash-reports SSL certs+keys into AWS
Categories
(Socorro :: Infra, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rhelmer, Assigned: jschneider)
We need the SSL certs and keys for crash-stats, crash-reports, and crash-analysis loaded into AWS. The first two should work on both mozilla.org and .com; crash-analysis currently only works for .com (I think it'd be fine if it worked for both, though!).
Then we need to provide the ARN of the certs to Terraform, in:
collector_cert
webapp_cert
analysis_cert
arn:aws:iam::000123:server-certificate/name-of-cert
Note that symbolapi.mozilla.org is currently HTTP-only so let's not worry about that one for now.
Comment 1•9 years ago
I think bug 1153508 also needs an additional (weaker) cert for crash-reports-xpsp2.
Comment 2•9 years ago
Hi, pinging Richard on this per advice of fox2mike.
Flags: needinfo?(rsoderberg)
I can encrypt these certs to you if you can confirm your GPG public key for me (keyid, -----BEGIN PUBLIC KEY, etc).
Flags: needinfo?(rsoderberg)
Comment 4•9 years ago
Ah, new job/laptop, so I'll have a new gpg key I'll push up to the keyserver in a moment.
So, here's the certs we have:
X509v3 Subject Alternative Name:
DNS:crash-stats.mozilla.com, DNS:crash-stats.mozilla.org, DNS:crash-analysis.mozilla.com, DNS:crash-analysis.mozilla.org
X509v3 Subject Alternative Name:
DNS:crash-reports.mozilla.com, DNS:crash-reports.mozilla.org
X509v3 Subject Alternative Name:
DNS:crash-reports-xpsp2.mozilla.com, DNS:crash-reports-xpsp2.mozilla.org
I'll package these up to :jp by GPG and let him handle deploying. Each of them will have two files: a '.private', which is the private key, and a '.public', which contains the concatenated (in this order) signed server SSL certificate and intermediate SSL certificate(s).
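Added example, not part of the original bug thread: comment 4 describes each '.public' file as the server certificate followed by the intermediate certificate(s), while `aws iam upload-server-certificate` takes the certificate body and the chain as separate inputs. The shell functions below split such a bundle and return the ARN that the Terraform variables need; the file names and the certificate name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug): prepare a "<name>.public" bundle for IAM.

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/leaf.pem (first certificate in the bundle) and
# OUTDIR/chain.pem (every following certificate). Prints the number of
# certificates found and fails if there are fewer than two, because the
# bundle is expected to carry at least one intermediate after the leaf.
split_bundle() {
    bundle=$1
    outdir=$2
    : > "$outdir/leaf.pem"
    : > "$outdir/chain.pem"
    count=$(awk -v leaf="$outdir/leaf.pem" -v chain="$outdir/chain.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { if (n == 1) print > leaf; else print > chain }
        /-----END CERTIFICATE-----/   { inside = 0 }
        END { print n + 0 }
    ' "$bundle") || return 1
    echo "$count"
    [ "$count" -ge 2 ]
}

# upload_cert NAME PRIVATE_KEY OUTDIR
# NAME is a hypothetical certificate name; PRIVATE_KEY is the decrypted
# ".private" file (keep it mode 0600 and remove it after the upload).
# Prints the ARN of the uploaded server certificate.
upload_cert() {
    aws iam upload-server-certificate \
        --server-certificate-name "$1" \
        --certificate-body "file://$3/leaf.pem" \
        --certificate-chain "file://$3/chain.pem" \
        --private-key "file://$2" \
        --query 'ServerCertificateMetadata.Arn' --output text
}

# Usage (hypothetical file names):
#   split_bundle example.public ./out && upload_cert example example.private ./out
```

The ARN printed by `upload_cert` is the value that goes into `collector_cert`, `webapp_cert` or `analysis_cert`.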
Each of the above certs has been sent to :jp.
:jp, please file a bug for us to decom these endpoints in our Zeus cluster someday :) No rush, though.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Oh, this isn't in webops queue.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8•9 years ago
SSL certs are loaded, thanks!
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Comment 9•9 years ago
(In reply to JP Schneider [:jp] from comment #8)
> SSL certs are loaded, thanks!
Currently the Terraform config[0] for the unsafe endpoint uses the same certificate as the modern endpoint. This will have to be adjusted, no?
[0] https://github.com/mozilla/socorro-infra/blob/4ca8a239807ab90960afa6fa3b406e588aae793a/terraform/collector/main.tf#L127
Flags: needinfo?(jschneider)
Updated•9 years ago
Flags: needinfo?(jschneider)
Comment 10•9 years ago
Since it's a SAN cert, both domains are SSL'd through the same cert, so we're good.