
Automate the adding of SSL private keys to puppet3
Open, Low, Public

Description

I'd like to start by saying that I'm not sure how difficult or how feasible this would be, but a long time ago we (or at least I) thought having automatic SSL renewals pushed to GitHub would be extremely difficult and maybe not possible, but here we are!

By making an automated system where, after generation, the private key is automatically updated on puppet3, the puppet-users group can be eliminated, and MediaWiki Engineers would be able to generate SSL certificates without the need for the extra group. It would also, of course, make the custom domain process easier.

Event Timeline

Reception123 created this task.

@RhinosF1 has made some suggestions about how we could do this via IRC:

RhinosF1> I mean my understanding is the private keys will still all be kept in a folder
So we could scp them
Like regularly from jobrunner1 or have a script that detects the change
RhinosF1> I mean if we take jobrunner1 as canonical for certificates then if its LE folder where they are is always up to date then we could have a cron that syncs that to a folder on puppet2 which syncs back out via puppet to the world

Note: jobrunner1 -> jobrunner3, puppet2 -> puppet3
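The cron-based sync sketched in the IRC log above, written out as an added example (this is not Miraheze's code, nor code posted by anyone in the thread): a POSIX shell function that treats one host's Let's Encrypt directory as canonical, copies only keys whose content has changed since the last run, writes each key under a temporary name with owner-only permissions and renames it into place so a half-written key is never visible to puppet, and records the hashes it has seen in a state file. The directory paths, the `*.key` naming and the state-file format are assumptions; the copy is local so the script runs offline, where the real job would hand the same file list to scp or rsync towards puppet3.

```shell
#!/bin/sh
# Added example, not Miraheze's code. Sync only changed private keys from a
# canonical Let's Encrypt directory to a staging directory, keeping them
# owner-only. Assumed layout: SRC holds <name>.key files, DST is where puppet
# picks them up (here a local path; in production an scp/rsync target on
# puppet3), STATE is a text file of "<name> <sha256>" lines.

set -u

# Portable sha256 of one file (sha256sum on GNU, shasum on BSD/macOS).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# sync_changed_keys SRC DST STATE
# Copies each SRC/*.key whose hash differs from the one recorded in STATE,
# then records the new hash. Prints the number of keys copied so a cron
# wrapper can log "0 changed" runs separately from real updates.
sync_changed_keys() {
    src=$1; dst=$2; state=$3
    umask 077                        # everything created here is owner-only
    mkdir -p "$dst"
    touch "$state"
    copied=0
    for key in "$src"/*.key; do
        [ -f "$key" ] || continue    # no matches leaves the literal glob
        name=$(basename "$key")
        new=$(file_hash "$key")
        # exact-name lookup; awk avoids '.' in hostnames acting as a regex
        old=$(awk -v n="$name" '$1 == n { print $2 }' "$state")
        if [ "$new" != "$old" ]; then
            # Write to a temp name, fix the mode, then rename: readers of
            # DST never observe a truncated or world-readable key.
            tmp="$dst/.$name.tmp"
            cp "$key" "$tmp"
            chmod 0600 "$tmp"
            mv -f "$tmp" "$dst/$name"
            # Replace this key's entry in the state file atomically too.
            awk -v n="$name" '$1 != n' "$state" > "$state.new"
            printf '%s %s\n' "$name" "$new" >> "$state.new"
            mv -f "$state.new" "$state"
            copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Example cron use (paths are assumptions):
#   */10 * * * *  /usr/local/bin/ssl-key-sync.sh
# with the script's last line being:
#   sync_changed_keys /etc/letsencrypt/keys /srv/puppet-ssl-staging /var/lib/ssl-sync.state
```

The state file is what makes the job safe to run frequently: a renewed certificate changes the key's hash, so only that key is re-copied, while an unchanged directory produces no writes and no key material in transit. Note that a script like this widens the set of hosts that hold the private keys, which is the trade-off the ticket is making in exchange for dropping the puppet-users group; restricting the cron user and the DST directory to the bare minimum is what keeps that trade-off acceptable.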

Remove SRE tag accidentally added by Herald (4!) times. And yes, the root issue with Herald has been fixed in the meantime.

Reception123 renamed this task from Automate the adding of SSL private keys to puppet2 to Automate the adding of SSL private keys to puppet3. Feb 10 2021, 20:59

I've finally found the ticket, pasting my IRC comment here:
22:37:46 <+SPF|Cloud> @SRE, I can't recall who was talking about it (and where I read it), but I saw some messages regarding automating the addition of a new certificate (for https). have you considered https://wikitech.wikimedia.org/wiki/Acme-chief?

Since we don’t always have control over what SSL certificates are in use, this would only solve half the problem and we would then still need to solve the original problem regardless.

We essentially have our own built version of acme-chief, just without the necessary centralisation in a way MWEs can use it; but for SRE, it's already centralised, just not fully automated from the start.

Therefore I don't think acme-chief would be a useful addition for us.