
Create better system for managing SSL requests
Open, Low, Public

Description

Long planned. Here's a task.

Stage 1:

  • Update check_reverse_dns to check that records are present too.
  • Move SSL generation from mwtask111 to puppet111
  • Automate copying private keys
  • Automate pushing certificates from puppet111 to GitHub

Stage 2:

  • Update certbot cli to check rDNS is correct and either CNAME or NS record is present. Add argument to skip this.

Stage 3:

  • Create a web form to automate creating SSL tasks + checking validity - refuse to create if invalid.

Stage 4:

  • Create a new wrapper for generating new SSL certs, including updating ManageWiki (puppet-user will be pointless at this point).

Stage 5:

  • Move all SSL requests to the new ssl self serve site and allow one click to do everything.

Event Timeline

RhinosF1 triaged this task as Low priority. Jul 3 2021, 08:49
RhinosF1 updated the task description.

I've created a script, will add it to puppet, deploy it everywhere later.

Icinga will now go off if the domain points in a manner we don't expect.

I'll send a PR tomorrow for updating ssl-certificate to run the check too.

After that, I will start work on the beta site for creating new requests. There is a varnish config PR to force all requests via jobrunner3 for it.

Can we have an update on this goal please? Last update was on July 3rd.

Can we also have a plan for realistic completion or significant progress before this goal period is up on December 31st please?

So far none. It is looking unlikely that it'll be done this period.

I propose that this task does not become a goal for the new goal period, as there was no progress on it last time, and it does not seem that there is anyone who intends to work on it. Goals should ideally have someone fully committed to getting them done.


While this is super late, I agree that tasks should not be goals unless there is a clear and expressed desire for someone (or multiple people) to work on it. However, I think it's a shame that no one wants to work on this particular task which, while not urgent (since we've been doing this for 6 years now), is important to allowing for quicker resolution of SSL-related tasks.

I propose that since maybe the extent of this task is what puts people off from doing it, we start with a simpler task which would just be to automate adding private keys to puppet111 (i.e. when using the script the key is added to puppet111 automatically) therefore allowing MWEs to generate SSLs, then further automation/user-integration can be done separately.

Since there is no progress, I propose we simply move ssl-certificate to puppet111 (since no mw-admins have done any SSL tasks in recent years anyway) and have the private keys automatically added.

SSL certificates are now generated on puppet111 directly and private keys are automatically copied.