
HSTS blocks use of trusted.ci and cert.ci #3328

Closed
yaroslavafenkin opened this issue Jan 10, 2023 · 9 comments

Comments

@yaroslavafenkin

Service(s)

cert.ci.jenkins.io

Summary

I'm getting TLS certificate errors when trying to access CERT CI instance. Previously there used to be an option to proceed anyway AFAIR, now it's not there.

Last line says:

You cannot visit cert.ci.jenkins.io right now because the website uses HSTS. 
Network errors and attacks are usually temporary, so this page will probably work later.

Reproduction steps

  1. Connect to jenkins-infra VPN
  2. Navigate to cert.ci.jenkins.io
@yaroslavafenkin yaroslavafenkin added the triage Incoming issues that need review label Jan 10, 2023
@daniel-beck

Same with trusted.ci on Chrome.

Don't know whether existing certificate exceptions are honored in Firefox or whether it's Chrome specific.

Proposed solution: Don't set the subdomain flag.

@timja
Member

timja commented Jan 10, 2023

I think it'll be from hitting the jenkins.io base domain which redirects to www.jenkins.io.

There's also:
#3091

@daniel-beck daniel-beck changed the title HSTS does not work with self-signed certificates HSTS blocks use of trusted.ci and cert.ci Jan 10, 2023
@dduportal dduportal added this to the infra-team-sync-2023-01-17 milestone Jan 10, 2023
@dduportal dduportal removed the triage Incoming issues that need review label Jan 10, 2023
@dduportal
Contributor

+1 with @timja : rolling back the HSTS setting would be painful, while we (infra team) can fix the root problem by providing a real life valid certificate to both controllers.

I do not have Chrome, but I confirm that I do not have the issue on my Firefox (if it helps on short term?)

@daniel-beck

rolling back the HSTS setting would be painful

Does this include just not including subdomains?

@dduportal
Contributor

rolling back the HSTS setting would be painful

Does this include just not including subdomains?

I'm not sure to be honest. We need to check how much time it takes to the change to propagate (I remember HSTS settings having a loooong TTL making it not useful)

@dduportal
Contributor

@lemeurherve @smerle33 on short term, while checking HSTS settings, I'm going to generate manually an initial LE certificate and install it on the machines to unblock the JenSec team.

Renewal automation will come after once they're not blocked anymore

@daniel-beck

how much time it takes to the change to propagate

If this is a good solution that should not be a blocker IMO (assuming there's workarounds like clearing browser cache), given there's just a few people affected (only trusted.ci / cert.ci users).

dduportal added a commit to dduportal/jenkins-infra that referenced this issue Jan 11, 2023
…utomated - ref. jenkins-infra/helpdesk#3328

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
dduportal added a commit to jenkins-infra/jenkins-infra that referenced this issue Jan 11, 2023
…utomated - ref. jenkins-infra/helpdesk#3328 (#2572)

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>

Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
@dduportal
Contributor

dduportal commented Jan 11, 2023

jenkins-infra/jenkins-infra#2572 shows the "short term but persistent" change I've applied to configure Apache to use manually-generated LE certificates for both servers using the DNS challenge.

@yaroslavafenkin @daniel-beck is it working for you now with Chrome?

for the infra-team: we now have to configure renewal for both machines (e.g. setting up an Azure API credential limited to the DNS zone, and setting up the puppet letsencrypt module to automatically renew using Azure DNS and these credentials).

(edit) worst case: certbot renew on each machine in 2.5 months + update of the Azure TXT record.

@dduportal
Contributor

Closing this issue as the Jenkins Security team confirmed they are unblocked.

Next steps:
