Renew *.jquery.com cert, expiring 14 July 2024

[timmywil]

Instructions: https://github.com/jquery/infrastructure-puppet/blob/staging/doc/cdn-cert.md Previous ticket: https://github.com/jquery/infrastructure-puppet/issues/21

Timeline

Date	Action
Fri June 14, 2024	Created a ticket with LF IT to issue new certs
Fri June 14, 2024	LF IT confirmed receipt of the request
Fri June 14, 2024	Ticket assigned to Chris Hoy Poy
Mon June 17, 2024	Timmy commented on the ticket asking to expedite
Sat June 22, 2024	Timmy commented asking for an update, and messaged Ryan Aslett directly
Mon June 24, 2024	Public certs delivered via ticket; private cert delivered via 1Password
Wed June 26, 2024	Verified cert locally (more on that below)
Wed June 26, 2024	Uploaded cert to Fastly; enabled for code2 by pointing code2 DNS at t.sni.global.fastly.net and enabling the cert only on that TLS configuration (the CDN and other sites use k.sni)
Wed June 26, 2024	Tested the cert in IE8+, Chrome 69+, FF 31+, Safari 9+, iOS 9+, Android 4.4.2+, openssl 1.1. Chrome 49 and Safari 6-8 are failing handshakes, but we think they might work when deployed to Fastly's k TLS configuration, which has more available ciphers. IE8 doesn't work when on Windows XP, but that's the same for the current cert.
Wed June 26, 2024	Waiting at least 5 days since the cert was issued, which was Tue, 25 Jun 2024 00:00:00 GMT, to test live.
Tue July 2, 2024	New cert activated and old cert deleted. Chrome 49 is still failing on Windows XP (as are most browsers besides FF). All other browsers that were expected to work are now working, including Safari 6-8, which were failing on the t TLS configuration. https://www.ssllabs.com/ssltest/analyze.html?d=releases.jquery.com

Notes from troubleshooting failed verifications

• The cert algorithm changed from RSA to ECDSA. This required a change in verify_cert.sh.
• The new cert (AS WELL AS THE CURRENT CERT) did not pass the openssl verify step to validate the certificate chain on Windows or Mac. Ubuntu does pass, but it's because it adds /etc/ssl/certs/USERTrust_ECC_Certification_Authority.pem as a trusted authority. Ryan Aslett guessed it was because it's fairly new compared to AddTrust, which expired in 2020. We don't see a way around this, but it doesn't seem to be an issue in browsers or curl.

[Krinkle]

Test URL: https://code.jquery.com/MIT-LICENSE.txt

Failing on staging (code2/t.sni): IE8/WinXP, Safari 7.1 (macOS Mavericks), iOS 6 (iPhone 4 simulator).

Working on final deploy (code/k.sni, tested via BrowserStack):

• Firefox 52/WinXP
• IE8/Win7
• IE9/Win7
• Safari 7.1 (macOS Mavericks)
• iOS 6 (iPhone 4 simulator)

Failing both before and after (known, unsupported, HTTP-only)

• IE8/WinXP

Working before but (new) failing after:

• Chrome 49/WinXP. This supports TLS 1.2 but appears to be RSA-only. Even with Fastly's extended chipher support, this won't work now and joins IE8/WinXP in being HTTP-only. Note that WinXP remains supported via Firefox 52.