Opened 6 years ago

#410 new enhancement

Automatically request renewals of mit.edu certs

Reported by: geofft Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc:

Description

Our certificate authority, InCommon, provides a WSDL API that allows us to programmatically request renewals of certs we already have, given just the "renew ID" from the email where they send us the cert. (That document is linked from InCommon's pile of documents, and mirrored from docs in Comodo's KB, in case it disappears/moves.)

We already have a cronjob to warn us when certificates are expiring. It might be nice to expand this to automatically request renewals of certificates that are close to expiration. The only thing you need is the "renew ID", which is in the email that the CA sends us to tell us we have a cert. We need to start tracking these somewhere for new certs, and we may not want them to be in the public source repository. For existing certs, we can gather some of these from the personal email archives of people who have forwarded cert requests onto MIT.

One possible approach for new certs is to have people forward the CA's emails to some @scripts address, or even to make a list to receive these emails so it happens automatically. At that point we might also think about automatically committing both new and renewed certs to the repository.

This ought to be doable by someone not on scripts-root, incidentally. You'll just need a renew ID for some vhost on scripts; a vhost you own should be fine (the risk with publicizing these is that someone can cause InCommon / Comodo to issue a cert when the site owner wanted the cert to expire), and you can test renewing that against the API.

Change History (0)

Note: See TracTickets for help on using tickets.