
Automate the adding of SSL private keys to puppet3
Closed, DeclinedPublic

Description

I'd like to start by saying that I'm not sure how difficult or how feasible this would be, but a long time ago we (or at least I) thought having automatic SSL renewals pushed to GitHub would be extremely difficult and maybe not possible, but here we are!

By making an automated system where after generation the private key is automatically updated on puppet3, the puppet-users group can be eliminated, and MediaWiki Engineers would be able to generate SSL certificates without the need for the extra group. It would also of course make the custom domain process easier.

Event Timeline

Reception123 created this task.

@RhinosF1 has made some suggestions about how we could do this via IRC:

RhinosF1> I mean my understanding is the private keys will still all be kept in a folder
So we could scp them
Like regularly from jobrunner1 or have a script that detects the change
RhinosF1> I mean if we take jobrunner1 as canonical for certificates then if its LE folder where they are is always up to date then we could have a cron that syncs that to a folder on puppet2 which syncs back out via puppet to the world

Note: jobrunner1 -> jobrunner3, puppet2 -> puppet3
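The cron-and-sync idea in the IRC excerpt above, written out as an added example (this is not code from the ticket or from Miraheze's puppet repository). It is a POSIX shell function that walks the Let's Encrypt key directory, skips keys whose sha256 matches a manifest from the previous run (so only renewed keys are touched), refuses to pick up a key that is group- or world-readable on the source, and writes each copy with 0600 via a temp file and rename. The directory layout, the manifest file and the local copy standing in for scp/rsync between jobrunner3 and puppet3 are all assumptions, and it relies on GNU coreutils (`stat -c`, `sha256sum`).

```shell
#!/bin/sh
# Added example, not Miraheze's code. Assumed layout:
#   SRC      directory holding Let's Encrypt private keys (*.key)
#   DST      directory the puppet master serves private keys from
#   MANIFEST file of "sha256  name" lines recording what was last synced
# Transport between hosts is out of scope; a local copy stands in for it.
# Usage: sync_le_keys SRC DST MANIFEST   (prints the number of keys copied)

sync_le_keys() (
    src="$1"; dst="$2"; manifest="$3"
    umask 077                      # anything we create is owner-only
    mkdir -p "$dst"
    touch "$manifest"
    copied=0
    for key in "$src"/*.key; do
        [ -f "$key" ] || continue
        name=$(basename "$key")

        # A private key that is group/world readable at the source has
        # already leaked locally; do not propagate it, flag it instead.
        mode=$(stat -c '%a' "$key")
        case "$mode" in
            *00) ;;
            *) echo "refusing $name: mode $mode is not owner-only" >&2; continue ;;
        esac

        # Change detection: skip keys whose hash is already in the manifest.
        sum=$(sha256sum "$key" | cut -d' ' -f1)
        if grep -qxF "$sum  $name" "$manifest"; then
            continue
        fi

        # Copy atomically: write a temp file, fix the mode, then rename,
        # so a reader never sees a partially written key.
        cp "$key" "$dst/$name.tmp"
        chmod 0600 "$dst/$name.tmp"
        mv "$dst/$name.tmp" "$dst/$name"

        # Replace any older manifest entry for this key name.
        awk -v n="$name" '$2 != n' "$manifest" > "$manifest.tmp"
        echo "$sum  $name" >> "$manifest.tmp"
        mv "$manifest.tmp" "$manifest"

        echo "synced $name" >&2
        copied=$((copied + 1))
    done
    echo "$copied"
)

# Run directly (e.g. from cron) with the three paths as arguments.
if [ $# -eq 3 ]; then
    sync_le_keys "$1" "$2" "$3"
fi
```

A cron entry on the canonical host would call this with the LE directory and a staging directory that is itself pushed to puppet3; the manifest is what lets the job run every few minutes without re-copying (or re-committing) unchanged keys.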

Unknown Object (User) removed a project: MediaWiki (SRE).Feb 1 2021, 01:39

Removed SRE tag accidentally added by Herald (4!) times. And yes, the root issue with Herald has been fixed in the meantime.

Reception123 renamed this task from Automate the adding of SSL private keys to puppet2 to Automate the adding of SSL private keys to puppet3.Feb 10 2021, 20:59
Unknown Object (User) updated the task description. (Show Details)Feb 13 2021, 16:36
Unknown Object (User) updated the task description. (Show Details)Feb 13 2021, 16:41

I've finally found the ticket, pasting my IRC comment here:
22:37:46 <+SPF|Cloud> @SRE, I can't recall who was talking about it (and where I read it), but I saw some messages regarding automating the addition of a new certificate (for https). have you considered https://wikitech.wikimedia.org/wiki/Acme-chief?

Since we don’t always have control over what SSL certificates are in use, this would only solve half the problem and we would then still need to solve the original problem regardless.

We essentially have our own built version of acme-chief, just without the necessary centralisation in a way MWEs can use it, but for SRE it's already centralised, just not fully automated from the start.

Therefore I don't think acme-chief would be a useful addition for us.

Unknown Object (User) unsubscribed.Apr 3 2021, 19:58
Unknown Object (User) moved this task from Backlog to Infrastructure on the Goal-2021-Jul-Dec board.Jul 31 2021, 00:28
John claimed this task.

I am going to mark this as declined as redoing the whole system (the parent task) seems a better investment than trying to change how the system works, to then change how the system works again.

Utilising the path of https://github.com/miraheze/puppet/blob/d4573b12e6f1b6525800dd34f10f90316866d4fb/modules/letsencrypt/files/mirahezerenewssl.py and having a web service operate on puppet3 might be a good approach to handle verification requests and generation of certs straight on puppet3, rather than handling it on a mw* server, then transmitting via SCP to puppet3, then having to somehow trigger a process on puppet3 to commit a change to push the change to puppet3's master directory to then allow it to go live, when a process on puppet3 can do all of this from start to finish (the master task).