RequestSSL (Project)
Active · Public


Description

Project for issues affecting the RequestSSL extension.

Recent Activity

Mon, Apr 1

Reception123 triaged T12013: When domain is set by RequestSSL, wiki cache isn't purged as Normal priority.
Mon, Apr 1, 07:39 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL

Sun, Mar 31

MacFan4000 added a project to T12013: When domain is set by RequestSSL, wiki cache isn't purged: CreateWiki.
Sun, Mar 31, 21:18 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL
OrangeStar moved T12013: When domain is set by RequestSSL, wiki cache isn't purged from Radar to Investigate on the OrangeStar board.
Sun, Mar 31, 21:17 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL
OrangeStar edited projects for T12013: When domain is set by RequestSSL, wiki cache isn't purged, added: OrangeStar; removed ManageWiki.

RequestSSL actually does not use anything from ManageWiki at all (other than the logs, which only exist properly if ManageWiki is loaded), all the servername change magic happens through CreateWiki.

Sun, Mar 31, 21:15 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL
MacFan4000 updated subscribers of T12013: When domain is set by RequestSSL, wiki cache isn't purged.
Sun, Mar 31, 20:18 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL
MacFan4000 added a project to T12013: When domain is set by RequestSSL, wiki cache isn't purged: ManageWiki.
Sun, Mar 31, 20:17 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL
MacFan4000 created T12013: When domain is set by RequestSSL, wiki cache isn't purged.
Sun, Mar 31, 20:17 · CreateWiki, OrangeStar, MediaWiki (SRE), RequestSSL

Mar 8 2024

Universal_Omega added a comment to T11699: Automate checking that the custom domain is pointed.

WHOIS unfortunately has no future; soon enough, there'll be no guarantee that gTLDs have a WHOIS server, only RDAP will be guaranteed to work with them by 2025 (https://www.icann.org/resources/pages/global-amendment-2023-en). Only problem currently is the low adoption rate of RDAP among ccTLDs since I think currently they don't have a requirement to have an RDAP server, but I think they'll follow suit sooner rather than later. RDAP also has a big advantage over WHOIS for our use case: it is machine-readable JSON over HTTPS, much better than trying to parse WHOIS output (which is server-dependent). We should prepare for the future and support RDAP, therefore I still believe RequestSSL should use RDAP for this use case, and that we should write our own client library.

Mar 8 2024, 18:16 · MediaWiki (SRE), RequestSSL
OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

WHOIS unfortunately has no future; soon enough, there'll be no guarantee that gTLDs have a WHOIS server, only RDAP will be guaranteed to work with them by 2025 (https://www.icann.org/resources/pages/global-amendment-2023-en). Only problem currently is the low adoption rate of RDAP among ccTLDs since I think currently they don't have a requirement to have an RDAP server, but I think they'll follow suit sooner rather than later. RDAP also has a big advantage over WHOIS for our use case: it is machine-readable JSON over HTTPS, much better than trying to parse WHOIS output (which is server-dependent). We should prepare for the future and support RDAP, therefore I still believe RequestSSL should use RDAP for this use case, and that we should write our own client library.

Mar 8 2024, 17:34 · MediaWiki (SRE), RequestSSL
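As an added illustration of the RDAP-based delegation check argued for in the comments above (example code, not RequestSSL's own code nor the client library OrangeStar proposed): it picks the RDAP service for a domain's TLD from an IANA-style bootstrap document (RFC 7484), fetches the domain object (RFC 9083) and checks whether every nameserver the registry lists is one of the expected ones. The bootstrap document, the RDAP responses, the registry URLs and the `fetch` callable are constructed so the code runs offline; the ns1/ns2 miraheze.org names are the nameservers the thread refers to.

```python
"""Delegation check via RDAP (added example, not RequestSSL's own code)."""
from typing import Callable, Optional

# Constructed bootstrap document in the RFC 7484 "dns.json" shape:
# each service maps a list of TLDs to one or more RDAP base URLs.
BASE_COM = "https://rdap.registry.example/v1/"
BOOTSTRAP = {
    "services": [
        [["com", "net"], [BASE_COM]],
        [["org"], ["https://rdap.org-registry.example/"]],
    ],
}

def domain_obj(ldh: str, *ns: str) -> dict:
    """Build a minimal RFC 9083 domain object (constructed test data)."""
    return {"objectClassName": "domain", "ldhName": ldh,
            "nameservers": [{"objectClassName": "nameserver", "ldhName": n} for n in ns]}

# Constructed RDAP responses keyed by the URL a client would request.
RESPONSES = {
    BASE_COM + "domain/example.com": domain_obj("EXAMPLE.COM", "NS1.MIRAHEZE.ORG.", "ns2.miraheze.org"),
    BASE_COM + "domain/other.net": domain_obj("OTHER.NET", "ns1.miraheze.org", "ns.registrar.example"),
}

def offline_fetch(url: str) -> Optional[dict]:
    return RESPONSES.get(url)  # stand-in for an HTTPS GET; None plays the role of a 404

def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()

def rdap_base_url(domain: str, bootstrap: dict = BOOTSTRAP) -> Optional[str]:
    """Pick the RDAP service for the domain's TLD; None if the TLD has none."""
    tld = normalize(domain).rsplit(".", 1)[-1]
    for tlds, urls in bootstrap["services"]:
        if tld in (t.lower() for t in tlds):
            return urls[0].rstrip("/") + "/"
    return None

def delegated_to(domain: str, expected_ns, fetch: Callable = offline_fetch,
                 bootstrap: dict = BOOTSTRAP) -> Optional[bool]:
    """True if every NS in the registry's record is one of expected_ns, False if not.
    None means the check could not be made (TLD without RDAP, unknown domain, no NS
    in the record): treat that as "needs manual review", never as "pointed"."""
    base = rdap_base_url(domain, bootstrap)
    if base is None:
        return None
    obj = fetch(base + "domain/" + normalize(domain))
    if not obj or obj.get("objectClassName") != "domain":
        return None
    actual = {normalize(ns["ldhName"]) for ns in obj.get("nameservers", []) if "ldhName" in ns}
    if not actual:
        return None
    return actual <= {normalize(n) for n in expected_ns}
```

Because the registry's own record is consulted, the check does not depend on a recursive resolver and is not affected by the REFUSED/SERVFAIL problem described for NS lookups elsewhere in this thread.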

Mar 7 2024

Universal_Omega added a comment to T11699: Automate checking that the custom domain is pointed.

Unfortunately, while we can do that for CNAMEs (and will), we can't for NS.

Say you have the domain example.com, and want to point it via NS to have your Miraheze wiki there. So you point the nameservers to ns1 and ns2.

If we use dns_get_record, it will use the configured recursive nameservers for the system, which will actually ask our nameservers when asked for the NS records for "example.com". Our nameservers don't like it when you ask them about domains we don't have a zonefile for, and will reply REFUSED.

localhost:~$ kdig @ns1.miraheze.org domainpointedwithnswithnozonefile.com
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 17265
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; domainpointedwithnswithnozonefile.com. 	IN	A

;; Received 55 B
;; Time 2024-03-07 20:48:23 CET
;; From 38.46.223.204@53(UDP) in 148.9 ms

This gets masked by the recursive nameservers as a SERVFAIL, thus we can't just query the DNS for this particular check.

Mar 7 2024, 20:24 · MediaWiki (SRE), RequestSSL
OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

Unfortunately, while we can do that for CNAMEs (and will), we can't for NS.

Mar 7 2024, 19:49 · MediaWiki (SRE), RequestSSL
Universal_Omega added a comment to T11699: Automate checking that the custom domain is pointed.

I know how to check if we're the authoritative nameserver for a domain now. I'm going to use RDAP. I don't like any of the libraries that exist (only one exists which I don't really like, the rest are unmaintained), so I'll make one and upload it to Packagist. @Universal_Omega would it be OK to host the repo for this library on the Miraheze GitHub org or not?

Mar 7 2024, 17:55 · MediaWiki (SRE), RequestSSL
OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

I know how to check if we're the authoritative nameserver for a domain now. I'm going to use RDAP. I don't like any of the libraries that exist (only one exists which I don't really like, the rest are unmaintained), so I'll make one and upload it to Packagist. @Universal_Omega would it be OK to host the repo for this library on the Miraheze GitHub org or not?

Mar 7 2024, 15:13 · MediaWiki (SRE), RequestSSL

Mar 6 2024

OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

CNAME and rDNS checks are being done in https://github.com/miraheze/RequestSSL/pull/40. As of writing, the job currently supports CNAME checks, rDNS checks will be done soon. Still not yet sure how to approach checking that we're the authoritative nameserver of a domain.

Mar 6 2024, 09:38 · MediaWiki (SRE), RequestSSL

Mar 3 2024

OrangeStar renamed T11699: Automate checking that the custom domain is pointed from Automate checking that domain is pointed to Automate checking that the custom domain is pointed.
Mar 3 2024, 12:38 · MediaWiki (SRE), RequestSSL

Mar 2 2024

OrangeStar updated the task description for T11699: Automate checking that the custom domain is pointed.
Mar 2 2024, 15:59 · MediaWiki (SRE), RequestSSL

Feb 26 2024

OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

Previous PR has been closed. I'm going to start over and leave the status changes for later (extension will just leave a comment for now). I'll be adding the configs mentioned on T11699#237771 after all.

Feb 26 2024, 10:36 · MediaWiki (SRE), RequestSSL

Feb 17 2024

OrangeStar updated subscribers of T11699: Automate checking that the custom domain is pointed.

During a conversation with @Universal_Omega on #miraheze-tech/#tech it was suggested to do these in the extension rather than using hooks. I will be rethinking my approach to this, will likely drop the proposed hook and add some more configs to RequestSSL, namely one where all subdomains under a domain can be exempted from DNS checks, and configs for CNAME and NS records that, if found, will mark the custom domain in the request as pointed.

Feb 17 2024, 19:06 · MediaWiki (SRE), RequestSSL

Feb 14 2024

Reception123 added a comment to T7582: Create automated system for managing SSL requests.

I can now confirm that since notifications are fixed (thanks @Universal_Omega !) RequestSSL is operational.
What remains to be done is to add a check on-wiki for whether CNAME or NS is pointed (@Universal_Omega has an idea for how to do that easily) and then for the puppet API.

Feb 14 2024, 07:00 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)

Feb 10 2024

Reception123 added a comment to T7582: Create automated system for managing SSL requests.

@Reception123 If you want to get RequestSSL working right now, we could look at sending emails the way core does with Special:EmailUser

Feb 10 2024, 15:03 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
OrangeStar added a comment to T7582: Create automated system for managing SSL requests.

@Reception123 If you want to get RequestSSL working right now, we could look at sending emails the way core does with Special:EmailUser

Feb 10 2024, 11:01 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)

Feb 3 2024

OrangeStar added a comment to T11770: Consider migrating to the Caddy webserver in our cache proxies.

It would be easier because you wouldn't need a command anymore, it would be fully automatic, which is the point of T11710. When Caddy sees a new domain name for the first time, it queries an HTTP server, and if it gets a 200 OK as a response, it generates a certificate for that domain. This all happens in the timespan of the first TLS ClientHello for that domain.

Feb 3 2024, 17:23 · Infrastructure (SRE), RequestSSL
Reception123 added a comment to T11770: Consider migrating to the Caddy webserver in our cache proxies.

I think I'm a bit confused with the terms here, since technically certificates are generated "automatically" (i.e. just with a command), so how would this make it easier for them to be generated based on a request sent by RequestSSL?

Feb 3 2024, 16:16 · Infrastructure (SRE), RequestSSL
Reception123 triaged T11770: Consider migrating to the Caddy webserver in our cache proxies as Low priority.
Feb 3 2024, 16:12 · Infrastructure (SRE), RequestSSL
OrangeStar added a comment to T11770: Consider migrating to the Caddy webserver in our cache proxies.

https://github.com/caddyserver/nginx-adapter could make such a migration possible, but of course rewriting the config in JSON or Caddyfile would be best.

Feb 3 2024, 13:01 · Infrastructure (SRE), RequestSSL
OrangeStar edited P502 Theoretical lifecycle of custom domain requests with RequestSSL+Caddy.
Feb 3 2024, 12:48 · RequestSSL
OrangeStar edited P502 Theoretical lifecycle of custom domain requests with RequestSSL+Caddy.
Feb 3 2024, 12:48 · RequestSSL
OrangeStar added a comment to P502 Theoretical lifecycle of custom domain requests with RequestSSL+Caddy.

https://caddyserver.com/docs/caddyfile/options#on-demand-tls Caddy sends a ?domain=<domainname> GET parameter when querying whether it is okay to generate a certificate.

Feb 3 2024, 12:36 · RequestSSL
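The endpoint side of the Caddy flow described in the T11770 and P502 comments above, as an added example (not part of P502 or of any Miraheze code): Caddy's on-demand TLS `ask` option sends GET ?domain=<name> and treats a 2xx as permission to obtain a certificate, so the handler below answers 200 only for domains that have a completed request. The approved set, the hostname regex, the listen address and the use of Python's stdlib WSGI server are all assumptions.

```python
"""Caddy on-demand TLS "ask" endpoint (added example, not RequestSSL's code)."""
import re
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Constructed: custom domains whose RequestSSL request has been completed.
APPROVED = {"wiki.example.org", "docs.example.com"}

# A hostname: dot-separated labels of letters/digits/hyphens, no leading or
# trailing hyphen, at least two labels. Wildcards and junk fail to match.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

REASON = {200: "200 OK", 400: "400 Bad Request", 403: "403 Forbidden"}

def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()

def decide(query_string: str, approved=APPROVED) -> int:
    """Status Caddy should get for GET ?domain=<name>; only 2xx permits issuance."""
    values = parse_qs(query_string).get("domain", [])
    if len(values) != 1:                 # missing, empty or repeated parameter
        return 400
    domain = normalize(values[0])
    if len(domain) > 253 or not _FQDN.match(domain):
        return 400
    # Refuse anything without a completed request: a stranger pointing a domain
    # at the proxy must not be able to trigger issuance and burn ACME rate limits.
    return 200 if domain in approved else 403

def app(environ, start_response):
    status = decide(environ.get("QUERY_STRING", ""))
    start_response(REASON[status], [("Content-Type", "text/plain")])
    return [REASON[status].encode()]

if __name__ == "__main__":
    # Point Caddy's on_demand_tls "ask" at http://127.0.0.1:8081/ (address assumed).
    make_server("127.0.0.1", 8081, app).serve_forever()
```

In a real deployment the approved set would be read from RequestSSL's request state rather than a constant, and the endpoint should be reachable only from the cache proxies.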
OrangeStar created P502 Theoretical lifecycle of custom domain requests with RequestSSL+Caddy.
Feb 3 2024, 12:34 · RequestSSL
OrangeStar updated the task description for T11770: Consider migrating to the Caddy webserver in our cache proxies.
Feb 3 2024, 12:09 · Infrastructure (SRE), RequestSSL
OrangeStar added a comment to T11770: Consider migrating to the Caddy webserver in our cache proxies.

Adding the RequestSSL tag since, while this is Miraheze-specific, it is of interest to me as a developer. If this is done it will define how I approach the Miraheze-specific hook handlers related to RequestSSL.

Feb 3 2024, 12:06 · Infrastructure (SRE), RequestSSL
OrangeStar created T11770: Consider migrating to the Caddy webserver in our cache proxies.
Feb 3 2024, 12:06 · Infrastructure (SRE), RequestSSL

Jan 21 2024

OrangeStar added a comment to T11710: Automate certificate generation.

I will probably do a RequestSSLRequestComplete hook and we can do the requests to Puppet there, making the extension more generic and not have to do Puppet requests in the extension.

Jan 21 2024, 18:57 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL
OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

SQL will need regenerating with that PR.

Jan 21 2024, 18:37 · MediaWiki (SRE), RequestSSL
OrangeStar added a comment to T11699: Automate checking that the custom domain is pointed.

ready for review https://github.com/miraheze/RequestSSL/pull/24

Jan 21 2024, 18:35 · MediaWiki (SRE), RequestSSL
OrangeStar added a comment to T7582: Create automated system for managing SSL requests.

Regarding step 4:

This is too Miraheze-specific for inclusion in the RequestSSL codebase in my opinion. It is better suited as part of T11710. In the Miraheze-specific setup of this extension, once RequestSSL sends the request to puppet, the server program receiving the request should take care of determining if we should add new DNS zones. So I think steps 4 and 5 should be merged together.

Just to be clear, what you propose is the following? In my example, the domain is pointed via NS.
1: User requests SSL
2: RequestSSL checks (with puppet181's help) whether domain is pointed or not
3: RequestSSL submitted
4: ssl-certificate script once again checks whether domain is pointed and if it's pointed via NS, adds zone to GitHub
5: RequestSSL marked as completed

EDIT: in the fully automated version, steps 2 and 4 would probably be repetitive and would need merging

Jan 21 2024, 18:33 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
Reception123 added a comment to T7582: Create automated system for managing SSL requests.

Regarding step 4:

This is too Miraheze-specific for inclusion in the RequestSSL codebase in my opinion. It is better suited as part of T11710. In the Miraheze-specific setup of this extension, once RequestSSL sends the request to puppet, the server program receiving the request should take care of determining if we should add new DNS zones. So I think steps 4 and 5 should be merged together.

Jan 21 2024, 18:01 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
Reception123 triaged T11709: Write mediawiki.org page for RequestSSL as Low priority.

I did consider writing one before like we did for ImportDump but I thought that currently it does too little to 'market it' on MW.org so we'll wait until full automation

Jan 21 2024, 18:00 · RequestSSL
OrangeStar added a comment to T7582: Create automated system for managing SSL requests.

Regarding step 4:

Jan 21 2024, 15:45 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
Reception123 added a comment to T7582: Create automated system for managing SSL requests.

I’m not sure that ssl-admins should be decommissioned, as cert removals would still be done manually, and this would allow us to investigate should something go wrong, and also somebody might not want letsencrypt.

Jan 21 2024, 14:46 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
MacFan4000 added a comment to T7582: Create automated system for managing SSL requests.

I’m not sure that ssl-admins should be decommissioned, as cert removals would still be done manually, and this would allow us to investigate should something go wrong, and also somebody might not want letsencrypt.

Jan 21 2024, 14:44 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
Reception123 triaged T11710: Automate certificate generation as Low priority.
Jan 21 2024, 13:42 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL
OrangeStar moved T7582: Create automated system for managing SSL requests from Backlog to Currently blocked on the RequestSSL board.
Jan 21 2024, 12:11 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
OrangeStar moved T11709: Write mediawiki.org page for RequestSSL from Backlog to Currently blocked on the RequestSSL board.
Jan 21 2024, 12:05 · RequestSSL
OrangeStar moved T11710: Automate certificate generation from Backlog to Pending work on the RequestSSL board.
Jan 21 2024, 12:01 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL
OrangeStar added a subtask for T7582: Create automated system for managing SSL requests: T11710: Automate certificate generation.
Jan 21 2024, 12:00 · RequestSSL, Goal-2023-Jan-Jun, SRE Automation, Goal-2021-Jul-Dec, SSL, MediaWiki (SRE)
OrangeStar added a parent task for T11710: Automate certificate generation: T7582: Create automated system for managing SSL requests.
Jan 21 2024, 12:00 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL
OrangeStar added a parent task for T11699: Automate checking that the custom domain is pointed: T11710: Automate certificate generation.
Jan 21 2024, 11:59 · MediaWiki (SRE), RequestSSL
OrangeStar added a subtask for T11710: Automate certificate generation: T11699: Automate checking that the custom domain is pointed.
Jan 21 2024, 11:59 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL
OrangeStar added a comment to T11710: Automate certificate generation.

From the point of view of RequestSSL, all we would need to do is probably send an HTTP POST to some server and forget about it. The real magic happens on the puppet server.

Jan 21 2024, 11:59 · MediaWiki (SRE), Infrastructure (SRE), RequestSSL