Certificate expiry 18 January 2022

[richardlau]

The Sectigo certificate we use on nodejs.org (including the two Jenkins servers) is due to expire on 18 January 2022.

From the previous renewal (#1901) I guess this is one for @brianwarner?

cc @nodejs/build-infra

(It's on my radar to get some sort of automated checking/warning for this (and the code signing certs) but that shouldn't block getting the certificates renewed.)

---

Tasks

• Obtain new certificate
• update www / direct.nodejs.org
• update unencrypted.nodejs.org (this is the failover/load balanced website)
• update ci.nodejs.org
• update ci-release.nodejs.org
• update CloudFlare
• Update certificate and private key in secrets
• Add documentation on how to renew/update the certificate doc: add certificate update notes #2932

[rvagg]

This is via gogetssl.com btw. I've just logged in and there's no option to renew, says it's got 58 days remaining and there's only an option to "Reissue". I think maybe we're too early—perhaps it'll start warning us at 40 or 30 days. But good to keep an eye on!

[brianwarner]

Thanks Rod, will you need anything more than a two year wildcard on this one? Not sure if there's a specific need for gogetssl.com as the provider, but if not, do you want me to have LF IT issue a new wildcard cert for you in a few weeks?

…

On Mon, Nov 22, 2021 at 3:31 AM Rod Vagg ***@***.***> wrote: This is via gogetssl.com btw. I've just logged in and there's no option to renew, says it's got 58 days remaining and there's only an option to "Reissue". I think maybe we're too early—perhaps it'll start warning us at 40 or 30 days. But good to keep an eye on! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2811 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOVQJVEKFZ2OASOU73ILHTUNH5XZANCNFSM5IMRX65Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- *Brian Warner* The Linux Foundation ***@***.*** +1 724 301-6171

[rvagg]

No specific need for gogetssl, it's just the provider we ended up at because they were a good broker doing discounts for major providers.
We're using letsencrypt on all our other sites, but nodejs.org is a little more complicated where reissuing every 3 months isn't an option—although IIRC that's only because of our use of cloudflare, who issue their own certificates these days, so it may be possible for us to use CF for the main nodejs.org certificates and letsencrypt for the other subdomains that we don't shunt through CF (like ci and ci-release). But, that's yet more work!
So yes @brianwarner, a new wildcard from a provider that gives us a long expiry would be nice. LF IT may have some difficulty validating ownership of the domain since we do DNS through CloudFlare, so it might end up being easier to use gogetssl for renewal. I think I gave you the login for that last time we renewed and I just did the initial setup, so we could just do that again.

[brianwarner]

Oh, in that case, I'd just try turning on SSL at Cloudflare at some point in the next month and see if it works. We're using their wildcard SSL with jQuery and its related projects, and it has worked really well and we've almost entirely eliminated static certs. The only exceptions are sites that can't run let's encrypt for technical reasons, and the jQuery CDN (the provider requires a user-provided cert). It was as easy as clicking a button, and a lot more predictable than manually maintaining certs. Worst case, if it doesn't work after a few minutes you can just turn it off again and we can go through the process.

…

On Mon, Nov 22, 2021 at 8:03 PM Rod Vagg ***@***.***> wrote: No specific need for gogetssl, it's just the provider we ended up at because they were a good broker doing discounts for major providers. We're using letsencrypt on all our other sites, but nodejs.org is a little more complicated where reissuing every 3 months isn't an option—although IIRC that's only because of our use of cloudflare, who issue their own certificates these days, so it may be possible for us to use CF for the main nodejs.org certificates and letsencrypt for the other subdomains that we don't shunt through CF (like ci and ci-release). But, that's yet more work! So yes @brianwarner <https://github.com/brianwarner>, a new wildcard from a provider that gives us a long expiry would be nice. LF IT may have some difficulty validating ownership of the domain since we do DNS through CloudFlare, so it might end up being easier to use gogetssl for renewal. I think I gave you the login for that last time we renewed and I just did the initial setup, so we could just do that again. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2811 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOVQJXR7DGGP66XS2R67TLUNLR5JANCNFSM5IMRX65Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- *Brian Warner* The Linux Foundation ***@***.*** +1 724 301-6171

[rvagg]

I'm not so worried about nodejs.org, but all the other sites we use the wildcard for. Just requires a bit of work to get through everything and make sure we have them set up properly. But we'd have to manually replace the cert anyway so we have work ahead of us regardless!

[brianwarner]

Yeah, good point. I will say that I've been minimizing the number of things that require their own bespoke certs on the jQuery side (because there are some that are just required) and that alone has really helped. Just a bunch less things to worry about because renewals are someone else's problem. Anything I can help with here?

…

On Tue, Nov 23, 2021 at 2:21 AM Rod Vagg ***@***.***> wrote: I'm not so worried about nodejs.org, but all the other sites we use the wildcard for. Just requires a bit of work to get through everything and make sure we have them set up properly. But we'd have to manually replace the cert anyway so we have work ahead of us regardless! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2811 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAOVQJT6MLIAOXDQLRIZ5E3UNM6HXANCNFSM5IMRX65Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

-- *Brian Warner* The Linux Foundation ***@***.*** +1 724 301-6171

[mhdawson]

@rvagg can you see the renewal option now?

[richardlau]

@mhdawson and I have spent my afternoon (re)figuring out what needs to be done, writing stuff up as we go (once we're done we'll add the instructions either here or add to secrets).

I've done https://unencrypted.nodejs.org/ (we picked a low-volume site that we felt confident we could restore (i.e. backup the existing files on the server so they could be copied back) if anything went wrong) to do first, which now reports certificate valid until February 2023:

It appears that even though we went for 60 months (5 years) the certificates are issued for 13 months but can be reissued unlimited times during the ordered period (i.e. the 60 months) so we'll still need to update the machines yearly: https://www.gogetssl.com/wiki/general/multi-year-subscription-ssl/

[richardlau]

Updated https://ci.nodejs.org/ and https://direct.nodejs.org/

@mhdawson It looks like https://nodejs.org/ is still showing the old certificate which suggests that is what the Cloudflare setting we found affects (i.e. it's used for the sites that are proxied/load balanced):

I'm leaving updating https://ci-release.nodejs.org/ and updating Cloudflare to @mhdawson (we agreed beforehand -- https://ci-release.nodejs.org/ so that he can run through some instruction I have written to validate).