Certificate expiry 18 January 2022 #2811

Closed
8 tasks done
richardlau opened this issue Nov 19, 2021 · 16 comments · Fixed by #2932

Comments

@richardlau
Member

richardlau commented Nov 19, 2021

The Sectigo certificate we use on nodejs.org (including the two Jenkins servers) is due to expire on 18 January 2022.

image

From the previous renewal (#1901) I guess this is one for @brianwarner?

cc @nodejs/build-infra

(It's on my radar to get some sort of automated checking/warning for this (and the code signing certs) but that shouldn't block getting the certificates renewed.)


Tasks

  • Obtain new certificate
  • update www / direct.nodejs.org
  • update unencrypted.nodejs.org (this is the failover/load balanced website)
  • update ci.nodejs.org
  • update ci-release.nodejs.org
  • update CloudFlare
  • Update certificate and private key in secrets
  • Add documentation on how to renew/update the certificate (doc: add certificate update notes #2932)
@rvagg
Member

rvagg commented Nov 22, 2021

This is via gogetssl.com btw. I've just logged in and there's no option to renew, says it's got 58 days remaining and there's only an option to "Reissue". I think maybe we're too early—perhaps it'll start warning us at 40 or 30 days. But good to keep an eye on!

@brianwarner

brianwarner commented Nov 22, 2021 via email

@rvagg
Member

rvagg commented Nov 23, 2021

No specific need for gogetssl, it's just the provider we ended up at because they were a good broker doing discounts for major providers.
We're using letsencrypt on all our other sites, but nodejs.org is a little more complicated where reissuing every 3 months isn't an option—although IIRC that's only because of our use of cloudflare, who issue their own certificates these days, so it may be possible for us to use CF for the main nodejs.org certificates and letsencrypt for the other subdomains that we don't shunt through CF (like ci and ci-release). But, that's yet more work!
So yes @brianwarner, a new wildcard from a provider that gives us a long expiry would be nice. LF IT may have some difficulty validating ownership of the domain since we do DNS through CloudFlare, so it might end up being easier to use gogetssl for renewal. I think I gave you the login for that last time we renewed and I just did the initial setup, so we could just do that again.

@brianwarner

brianwarner commented Nov 23, 2021 via email

@rvagg
Member

rvagg commented Nov 23, 2021

I'm not so worried about nodejs.org, but all the other sites we use the wildcard for. Just requires a bit of work to get through everything and make sure we have them set up properly. But we'd have to manually replace the cert anyway so we have work ahead of us regardless!

@brianwarner

brianwarner commented Nov 23, 2021 via email

@mhdawson
Member

@rvagg can you see the renewal option now?

@richardlau
Member Author

richardlau commented Jan 11, 2022

@mhdawson and I have spent my afternoon (re)figuring out what needs to be done, writing stuff up as we go (once we're done we'll add the instructions either here or add to secrets).

I've done https://unencrypted.nodejs.org/ (we picked a low-volume site that we felt confident we could restore (i.e. backup the existing files on the server so they could be copied back) if anything went wrong) to do first, which now reports certificate valid until February 2023:

image

It appears that even though we went for 60 months (5 years) the certificates are issued for 13 months but can be reissued unlimited times during the ordered period (i.e. the 60 months) so we'll still need to update the machines yearly: https://www.gogetssl.com/wiki/general/multi-year-subscription-ssl/

@richardlau
Member Author

Updated https://ci.nodejs.org/ and https://direct.nodejs.org/

image
image

@mhdawson It looks like https://nodejs.org/ is still showing the old certificate which suggests that is what the Cloudflare setting we found affects (i.e. it's used for the sites that are proxied/load balanced):

image

I'm leaving updating https://ci-release.nodejs.org/ and updating Cloudflare to @mhdawson (we agreed beforehand -- https://ci-release.nodejs.org/ so that he can run through some instructions I have written to validate).

@richardlau
Member Author

Hmm. Maybe something isn't right... although the updated sites work in my web browser, trying to use curl is throwing an "unable to get local issuer certificate" error:

$ curl -v https://direct.nodejs.org
* Rebuilt URL to: https://direct.nodejs.org/
*   Trying 138.197.224.240...
* TCP_NODELAY set
* Connected to direct.nodejs.org (138.197.224.240) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$

@richardlau
Member Author

Okay... it looks like one of the emails we got containing the certificate has three BEGIN CERTIFICATE/END CERTIFICATE blocks while the one @mhdawson downloaded from the order page only contained one. If I replace the .crt file with the three blocks then the above curl error goes away.

@rvagg
Member

rvagg commented Jan 12, 2022

Right, so this comes down to what's in the chained cert file .. it'd be worth checking the star chained that's in https://github.com/nodejs-private/secrets/pull/198 to see whether the other certs match what we have now and whether there's enough of them (or too many?). We'd had a bunch of problems with either having too many or not enough in our chained cert file! Some clients need more, some complain at more.
Also use the https://www.ssllabs.com/ssltest/ to see what it says about the current setup, it'll also look at the chaining and report what it thinks about it.
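
The chain-file problem discussed in the comments above (a .crt with a single BEGIN CERTIFICATE block versus one that also carries the intermediates) can be reproduced offline. This is an added example, not part of the original thread or of the nodejs/build repository; it assumes the `openssl` CLI is installed, and every subject, file name and function name in it is constructed for illustration.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed.
set -u

# Number of BEGIN CERTIFICATE blocks in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Verify the first (leaf) certificate in bundle $2 against trust anchor $1.
# Further blocks in the bundle are offered as untrusted intermediates, the
# role they play when a server sends its chain file in the TLS handshake.
verify_bundle() { openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1; }

# Create an RSA key and CSR for subject $2 at path prefix $1.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d/root" '/CN=Constructed Root CA'
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null
  new_csr "$d/int" '/CN=Constructed Intermediate CA'
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
  new_csr "$d/leaf" '/CN=www.example.test'
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null
  cp "$d/leaf.pem" "$d/leaf-only.crt"                # leaf only: one block
  cat "$d/leaf.pem" "$d/int.pem" > "$d/chained.crt"  # leaf + intermediate
}

# Show block count and verification result for both bundle variants.
demo() {
  w=$(mktemp -d) || return 1
  make_pki "$w" || return 1
  for f in leaf-only.crt chained.crt; do
    echo "$f: $(count_certs "$w/$f") certificate block(s)"
    verify_bundle "$w/root.pem" "$w/$f"
  done
  rm -rf "$w"
}

demo
```

To check a real deployment file the same way, pass the CA's root certificate as the trust anchor and the server's chain file as the bundle to `verify_bundle`.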

@mhdawson
Member

@richardlau we should probably add @rvagg's suggestions to the documentation as additional verification steps after an update.

Running https://www.ssllabs.com/ssltest/ the major complaint is that we allow TLS 1.0 and 1.1 which caps the grade at B. I can't remember any discussions around whether we should force TLS 1.2 or higher in the past?

It also shows as not having CAA as an issue we could probably address - https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum?_ga=2.90215386.175395475.1642194769-1593607923.1642194769

It also shows a number of TLS 1.2 protocols that we allow which are weak as well, although they look to be symmetric algs and do we have anything that is actually confidential on the site?

The only other thing that shows as orange is Session resumption (caching) No (IDs assigned but not accepted)

I guess the thing that suggested running in the first place was to look at the certificates and that shows as 100% on the report.


@andig

andig commented Jan 25, 2022

Cert is expired now: nodejs/help#3686 (comment)

@richardlau
Member Author

@andig Everything I have access to is successfully validating the new certificate (with curl) so we'll need help identifying failing environments.

As @mhdawson mentioned, https://www.ssllabs.com/ssltest/ which is reporting 100 on certificates, including trusted certification paths: https://www.ssllabs.com/ssltest/analyze.html?d=nodejs.org

@andig

andig commented Jan 25, 2022

@richardlau sorry for the confusion, please mark my comment as OT. For what it's worth, getting this response on fully patched OSX Monterey - seems the Root CA is missing in OSX?

❯ wget -v https://nodejs.org/download/release/v16.13.2/node-v16.13.2-headers.tar.gz
--2022-01-25 13:30:05--  https://nodejs.org/download/release/v16.13.2/node-v16.13.2-headers.tar.gz
Resolving nodejs.org (nodejs.org)... 2606:4700:10::6814:172e, 2606:4700:10::6814:162e, 104.20.23.46, ...
Connecting to nodejs.org (nodejs.org)|2606:4700:10::6814:172e|:443... connected.
ERROR: cannot verify nodejs.org's certificate, issued by ‘CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Unable to locally verify the issuer's authority.
To connect to nodejs.org insecurely, use `--no-check-certificate'.

richardlau added a commit to richardlau/build that referenced this issue Apr 25, 2022
Add notes on website certificate renewal based on what was done
the last time we updated in January 2022.

Refs: nodejs#2811
@richardlau richardlau linked a pull request Apr 25, 2022 that will close this issue
richardlau added a commit that referenced this issue Apr 28, 2022
Add notes on website certificate renewal based on what was done
the last time we updated in January 2022.

Refs: #2811