Rotate the `secure.phabricator.com` SSL certificate
Closed, Resolved. Public

Description

The certificate for this host expires on March 28, so it needs to be rotated in the next ~week.

This may also be a good opportunity to change how traffic is routed to this host and tackle T9745.
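The expiry date above is the whole reason for the task, so a small check that turns a certificate's notAfter into "days left" and flags it against a rotation threshold is worth having. The script below is an added example, not part of this task or of Phabricator's own tooling: it uses only the Python standard library, and the two-week warning threshold, the default hostname, and the SSH banner probe (handy when deciding whether a load balancer in front of the host really forwards port 22) are assumptions made here.

```python
import socket
import ssl
import time

# Assumed threshold: warn when fewer than this many days remain. The task
# gives itself "the next ~week", so two weeks of lead time leaves some slack.
WARN_DAYS = 14


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate.

    `not_after` is the notAfter string as Python's ssl module reports it in
    getpeercert(), e.g. 'Mar 28 23:59:59 2016 GMT'. `now` is epoch seconds
    (defaults to the current time) so the arithmetic is easy to test.
    """
    expires = ssl.cert_time_to_seconds(not_after)  # parses as UTC
    if now is None:
        now = time.time()
    return int((expires - now) // 86400)


def needs_rotation(not_after, now=None, warn_days=WARN_DAYS):
    """True when the certificate is inside the warning window (or expired)."""
    return days_until_expiry(not_after, now) < warn_days


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check: TLS-connect with full chain/hostname verification and
    return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def ssh_banner(host, port=22, timeout=5.0):
    """Read the SSH identification line from host:port, or return '' if the
    port does not answer. Useful for confirming that a load balancer in
    front of the host actually forwards port 22 rather than dropping it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            first_line = sock.recv(256).split(b"\n", 1)[0]
            return first_line.decode("ascii", "replace").strip()
    except OSError:
        return ""


if __name__ == "__main__":
    import sys

    # Assumed default; pass another hostname (e.g. an ELB name) as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "secure.phabricator.com"
    not_after = fetch_not_after(host)
    days = days_until_expiry(not_after)
    print(f"{host}: certificate expires {not_after} ({days} days left)")
    if needs_rotation(not_after):
        print("ROTATE SOON")
    print(f"{host}: SSH banner: {ssh_banner(host) or '(no answer on port 22)'}")
```

Run it against the public hostname before and after DNS is repointed: the expiry check tells you whether the new certificate is actually the one being served, and the banner line tells you whether the endpoint you resolved to passes SSH through.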

Revisions and Commits

Event Timeline

We use secure.phabricator.com for both HTTP/HTTPS and SSH traffic and ELB can't currently forward port 22 -- except the docs now say EC2-VPC LBs can? So I need to figure out what's going on with that.

If ELBs still can't forward port 22, we need secure.phabricator.com to resolve to something we can put 22 on, so I'll probably put phurl.io on a separate ELB and then fiddle with the server config. But this won't impact where the certificate is, so it doesn't block/impact this.

If ELBs can forward port 22, I may try to move the certificate to an ELB, which would make phurl.io straightforward.

I renewed the certificate and launched a new VPC load balancer, which can forward port 22 traffic:

$ ssh slb001-1579991418.us-west-1.elb.amazonaws.com
Warning: Permanently added the RSA host key for IP address '52.9.155.118' to the list of known hosts.
PTY allocation request failed on channel 0
phabricator-ssh-exec: Welcome to Phabricator.

You are logged in as epriestley.

You haven't specified a command to run. This means you're requesting an interactive shell, but Phabricator does not provide an interactive shell over SSH.

Usually, you should run a command like `git clone` or `hg push` rather than connecting directly with SSH.

Supported commands are: conduit, git-lfs-authenticate, git-receive-pack, git-upload-pack, hg, svnserve.
Connection to slb001-1579991418.us-west-1.elb.amazonaws.com closed.

This might let us simplify other parts of the cluster eventually, but I'll see if I can move everything up to the LB and stop terminating HTTPS on-host for now.

This is a little bit tricky because notifications use the same hostname, we don't have a wildcard certificate, and we can't (apparently) terminate SSL on the load balancer and pass it through with websockets.

There's an article here which suggests it's possible to use some magic and kind of get things working, but that seems very complicated:

https://blog.jverkamp.com/2015/07/20/configuring-websockets-behind-an-aws-elb/

But I can pass notification traffic through untouched and let the machine continue terminating it for now.

epriestley added a commit: Restricted Diffusion Commit. Mar 24 2016, 2:17 AM
epriestley added a commit: Restricted Diffusion Commit.

I'm going to deploy this host with rSERVICES + cluster awareness so it can accept SSL-terminated traffic. If I got something wrong, we may be down for a few minutes.

This appears to have deployed cleanly. I'm going to test notifications and SSH, and then I'll rebind DNS if they look good.

Seems OK. Swapping DNS shortly.

Something on the CDN side has grown deeply unhappy, looking into it.

I've probably updated the notification server certificate, too?

This host/tier can now accept SSL-terminated traffic and we should be in reasonable shape to set up phurl.io.