
Certificate Authority Authorization to secure certificate delivery #3083

Closed
smerle33 opened this issue Aug 2, 2022 · 5 comments

Comments

@smerle33
Contributor

smerle33 commented Aug 2, 2022

Service(s)

Other

Summary

In order to add security to certificate delivery, we should ensure that we have a domain CAA record as per https://letsencrypt.org/docs/caa/

Reproduction steps

https://caatest.co.uk/jenkins.io

@smerle33 smerle33 added triage Incoming issues that need review jenkins.io labels Aug 2, 2022
@smerle33 smerle33 added this to the infra-team-sync-2022-08-02 milestone Aug 2, 2022
@timja
Member

timja commented Aug 2, 2022

Be careful with this and make sure all places that could issue certificates are covered.

i.e. repo.jenkins-ci.org (not sure if any others don't use Let's Encrypt)

@smerle33 smerle33 modified the milestones: infra-team-sync-2022-08-02, infra-team-sync-2022-08-09 Aug 2, 2022
@dduportal dduportal self-assigned this Aug 8, 2022
@dduportal dduportal removed the triage Incoming issues that need review label Aug 8, 2022
@dduportal
Contributor

As per https://sslmate.com/caa/ + https://www.certificate-transparency.org/:

  • jenkins.io uses certificates delivered by "amazon.com", "globalsign.com" and "letsencrypt.org"
  • jenkins-ci.org uses certificates delivered by "amazon.com", "godaddy.com" and "letsencrypt.org"
  • jenkinsistheway.io uses certificates delivered by "godaddy.com" and "letsencrypt.org"

The CAA records to be created (with a minimal TTL):

| Name               | Type | Value                     |
|--------------------|------|---------------------------|
| jenkins.io.        | CAA  | 0 issue "amazon.com"      |
| jenkins.io.        | CAA  | 0 issue "globalsign.com"  |
| jenkins.io.        | CAA  | 0 issue "letsencrypt.org" |
| jenkins.io.        | CAA  | 0 issue "godaddy.com"     |
| jenkins-ci.org.    | CAA  | 0 issue "amazon.com"      |
| jenkins-ci.org.    | CAA  | 0 issue "globalsign.com"  |
| jenkins-ci.org.    | CAA  | 0 issue "letsencrypt.org" |
| jenkins-ci.org.    | CAA  | 0 issue "godaddy.com"     |
| jenkinsistheway.io | CAA  | 0 issue "amazon.com"      |
| jenkinsistheway.io | CAA  | 0 issue "globalsign.com"  |
| jenkinsistheway.io | CAA  | 0 issue "letsencrypt.org" |
| jenkinsistheway.io | CAA  | 0 issue "godaddy.com"     |
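As an added example (not code from the Jenkins infra project), the following shows how a CA evaluates a record set like the one proposed above under RFC 8659: the lookup climbs from the requested name toward the zone apex until it finds a CAA RRset, `issuewild` overrides `issue` for wildcard names, and an unrecognised property with the critical flag set forbids issuance. The `jenkins.io.` records are taken from the table; the `lab.jenkins.io.` subdomain and the CA names passed to the checks are constructed for illustration. The `uncovered_issuers` helper addresses the concern raised earlier in the thread, that every CA observed issuing for the domain must appear in the proposed records.

```python
"""CAA evaluation per RFC 8659 (added example, not project code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit value 128 is the Issuer Critical flag (RFC 8659 section 4.1).
        return bool(self.flags & 0x80)


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format: <flags> <tag> "<value>"."""
    flags, tag, value = text.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_domain(value: str) -> str:
    """Drop parameters: 'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    An empty issuer (value ';') authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """Return the first non-empty CAA RRset found climbing toward the root (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def may_issue(zone: Dict[str, List[CAARecord]], name: str, ca: str) -> bool:
    """Decide whether CA `ca` may issue for `name` ('*.' prefix means a wildcard certificate)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere in the tree: CAA imposes no restriction
    known = {"issue", "issuewild", "iodef"}
    if any(r.critical and r.tag not in known for r in rrset):
        return False  # unrecognised critical property: the CA must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcards when present
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # the governing property is absent: no restriction
    return any(issuer_domain(r.value) == ca.lower() for r in props)


def uncovered_issuers(zone: Dict[str, List[CAARecord]], name: str, observed: Set[str]) -> Set[str]:
    """Issuers seen in CT logs that the proposed records would block for `name`."""
    return {ca for ca in observed if not may_issue(zone, name, ca)}


# Records from the proposed table for jenkins.io; lab.jenkins.io is a constructed
# subdomain that allows one CA for host names and forbids wildcards entirely.
ZONE = {
    "jenkins.io.": [parse_caa(s) for s in (
        '0 issue "amazon.com"',
        '0 issue "globalsign.com"',
        '0 issue "letsencrypt.org"',
        '0 issue "godaddy.com"',
    )],
    "lab.jenkins.io.": [parse_caa('0 issue "letsencrypt.org"'), parse_caa('0 issuewild ";"')],
}

if __name__ == "__main__":
    for host, ca in (("www.jenkins.io", "letsencrypt.org"), ("www.jenkins.io", "digicert.com"),
                     ("*.jenkins.io", "godaddy.com"), ("*.lab.jenkins.io", "letsencrypt.org")):
        print(f"{ca:16} -> {host:22} {'allowed' if may_issue(ZONE, host, ca) else 'denied'}")
    # Issuers observed via Certificate Transparency for the apex, as listed in this thread.
    print("uncovered:", uncovered_issuers(ZONE, "jenkins.io", {"amazon.com", "globalsign.com", "letsencrypt.org"}))
```

Feeding the CT-observed issuer list for each zone into `uncovered_issuers` before publishing the records is the check that protects against breaking an issuer not using Let's Encrypt; the minimal TTL mentioned above then bounds how long a wrong record would block renewals.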

@dduportal
Contributor

Ping @Wadeck @daniel-beck @MarkEWaite @timja does it look good to you?

@Wadeck

Wadeck commented Aug 8, 2022

Not enough DNS expert to reply :)

@dduportal
Contributor

Done:

```text
✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"
✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"
✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"
```
