Renew star.jquery.com cert (expires 14 July 2023) #21

Closed
Krinkle opened this issue Jul 12, 2023 · 2 comments

Krinkle commented Jul 12, 2023

Previous renewal at https://github.com/jquery/infrastructure/issues/551, with previous testing methodology and results at https://github.com/jquery/infrastructure/issues/551.

Timeline:

For future reference, please note that the turnaround time was quick in part due to escalation by Benjamin Sternthal and in part because Christopher was already familiar with me and my public key from the year before. I would recommend if someone else requests these in the future, to pair the original request with your GPG public key, and make sure to confirm that you want to receive it on an email address matching your GPG key.

  • Tue 11 July 2023: Decrypted the .key file, and generated the .pem file as per the README instructions in /modules/jquery/files/cert/. And subsequently verify the file using the verify_certs.sh script before uploading anywhere else.
  • Tue 11 July 2023: Changed Cloudflare settings for one lower-traffic domain (https://learn.jquery.com) to disable proxying, so that we can expose the wp-01.ops.jquery.net droplet directly for that site, thus testing the new certificate. Confirm in a web browser that the used certificate is indeed the new one ("Valid not before" some recent date, "Valid not after" next year).
  • Tue 11 July 2023: Invite people in #jquery_dev:gitter.im on Matrix to test against https://learn.jquery.com from their various devices and command-line clients.
  • Tue 11 July 2023: Upload the crt/key/ca-bundle files to Highwinds StrikeTracker without making it the default. Confirmed that Highwinds' own internal checks are all green.
  • Wed 12 July 2023: Wait at least 24h (preferably 48h) after the certificate's start date, to account for clients with broken clocks (as per README and referenced research paper by Google). The cert became valid July 11 00:00:00 UTC, so preferably live on or after July 13 00:00:00. On the other hand, in this case we're also very close to the expiry of 14 July 2023, which creates the inverse problem, so we're forced to make a compromise.
  • Wed 12 July 2023 16:00: After about 36 hours of the cert being valid, and still more than 24 hours before the old cert expires, I've toggled the new cert as the default in Highwinds configuration.
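
Added example, not part of the issue or of the jQuery infrastructure repository: a small check of a proposed switchover time against the 24h/48h soak rule and the old certificate's expiry, fed with `openssl x509 -noout -dates` output. The function names, the 24h expiry margin, the old certificate's time of day and treating 16:00 as UTC are assumptions; the sample dates are constructed from the dates in the timeline.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample input in the format printed by `openssl x509 -noout -dates`.
# Only the new cert's notBefore and the old cert's expiry date come from the
# timeline; the other values, and midnight UTC for the expiry, are assumptions.
NEW_CERT_DATES = "notBefore=Jul 11 00:00:00 2023 GMT\nnotAfter=Jul 11 00:00:00 2024 GMT"
OLD_CERT_DATES = "notBefore=Jul 14 00:00:00 2022 GMT\nnotAfter=Jul 14 00:00:00 2023 GMT"

def parse_dates(openssl_output):
    """Return {'notBefore': datetime, 'notAfter': datetime}, both in UTC."""
    fields = {}
    for line in openssl_output.splitlines():
        name, sep, value = line.partition("=")
        if sep and name in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[name] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields

def rollout_window(new_dates, old_dates,
                   min_soak=timedelta(hours=24),
                   preferred_soak=timedelta(hours=48),
                   expiry_margin=timedelta(hours=24)):
    """Earliest, preferred and latest switchover times for the new cert."""
    new_start = parse_dates(new_dates)["notBefore"]
    old_end = parse_dates(old_dates)["notAfter"]
    return {
        "earliest": new_start + min_soak,         # tolerate clients with slow clocks
        "preferred": new_start + preferred_soak,
        "latest": old_end - expiry_margin,        # stay clear of the old expiry
    }

def assess_switch(when, window):
    """Classify a proposed switchover time against the window."""
    if when < window["earliest"]:
        return "too-early"
    if when > window["latest"]:
        return "too-late"
    if when >= window["preferred"]:
        return "preferred"
    return "compromise"  # past the 24h minimum but short of 48h

if __name__ == "__main__":
    window = rollout_window(NEW_CERT_DATES, OLD_CERT_DATES)
    switch = datetime(2023, 7, 12, 16, 0, tzinfo=timezone.utc)  # assumed UTC
    print(window, assess_switch(switch, window))
```

With these inputs the preferred start and the latest safe time coincide, which is the squeeze between the soak period and the expiry that the timeline describes.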

Krinkle commented Jul 12, 2023

Previous renewal at jquery/infrastructure#551, with previous testing methodology and results at #532 (comment).

Like last year, IE8/WinXP can only connect over HTTP. The cutoff remains the same, starting at IE9/Win7.

Krinkle self-assigned this Jul 12, 2023
Krinkle closed this as completed Jul 21, 2023
Krinkle transferred this issue from jquery/infrastructure-issues Aug 30, 2023