
Automate the adding of SSL private keys to puppet3
Open, Low, Public


I'd like to start by saying that I'm not sure how difficult or how feasible this would be, but a long time ago we (or at least I) thought having automatic SSL renewals pushed to GitHub would be extremely difficult and maybe not possible, but here we are!

By making an automated system where after generation the private key is automatically updated on puppet3, the puppet-users group can be eliminated, and MediaWiki Engineers would be able to generate SSL certificates without the need of the extra group. It would also of course make the custom domain process easier.

Event Timeline

Reception123 created this task.

@RhinosF1 has made some suggestions about how we could do this via IRC:

RhinosF1> I mean my understanding is the private keys will still all be kept in a folder
So we could scp them
Like regularly from jobrunner1 or have a script that detects the change
RhinosF1> I mean if we take jobrunner1 as canonical for certificates then if its LE folder where they are is always up to date then we could have a cron that syncs that to a folder on puppet2 which syncs back out via puppet to the world

Note: jobrunner1 -> jobrunner3, puppet2 -> puppet3
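
The change-detecting step of the cron idea above, as an added example (not part of the task and not Miraheze's code). It assumes both folders are local paths given as arguments; the function name `sync_keys` and the `*.key` naming are hypothetical, and the transfer between jobrunner3 and puppet3 is outside the block.

```bash
#!/usr/bin/env bash
# Added example: stage changed private keys from a source folder into a
# destination folder with owner-only permissions. Paths are arguments;
# no real Miraheze path is assumed.
set -u

# sync_keys SRC_DIR DST_DIR
# Copies every regular *.key file in SRC_DIR whose content differs from the
# copy in DST_DIR. Prints the name of each key it updated, one per line.
sync_keys() {
    local src=$1 dst=$2 key name tmp
    [ -d "$src" ] || { echo "source missing: $src" >&2; return 1; }
    # Destination directory is readable by its owner only.
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    for key in "$src"/*.key; do
        # Skip an unmatched glob and anything that is not a plain file:
        # a symlink could point outside the certificate folder.
        [ -f "$key" ] && [ ! -L "$key" ] || continue
        name=${key##*/}
        # Unchanged key: nothing to do, so repeated cron runs are no-ops.
        cmp -s "$key" "$dst/$name" 2>/dev/null && continue
        # Write to a private temp file in the destination folder, then
        # rename, so a reader never sees a half-written key.
        tmp=$(mktemp "$dst/.$name.XXXXXX") || return 1
        if cat "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst/$name"; then
            printf '%s\n' "$name"
        else
            rm -f "$tmp"
            return 1
        fi
    done
}

# Stand-alone use: sync_keys.sh SRC_DIR DST_DIR
if [ "$#" -eq 2 ]; then
    sync_keys "$1" "$2"
fi
```

The printed names can feed a log line or a follow-up step, so a run that changed nothing stays silent.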

remove SRE tag accidentally added by Herald (4!) times. And yes, the root issue with Herald has been fixed in the meantime

Reception123 renamed this task from Automate the adding of SSL private keys to puppet2 to Automate the adding of SSL private keys to puppet3. Wed, Feb 10, 20:59