primer / primer.style

The website for all things Primer
https://primer.style/
MIT License

ACTION REQUIRED: GLB TLS Certificate expiration for primer.style #401

Open octocerts opened 1 month ago

octocerts commented 1 month ago

ACTION REQUIRED - Certificate Expiration for primer.style on 2024-09-09

Hello! :wave:

The GLB TLS certificate for primer.style expires on 2024-09-09. Expiring certificate serial: 0322d80c64ddd9b3304c620010d94d6ffc09

The new certificate has been placed in Vault:

Application: primer-style Environment: production

Key for GLB Certificate + Private Key: TLS_CERTIFICATE

Deploying the application will automatically update the certificate. Please close this issue when you have verified the renewal of your certificate.

If you believe that your team has received this issue in error, please reach out to us in #secure-access-engineering in Slack.

lesliecdubs commented 4 weeks ago

@matthiaswenz is actively working on primer.style and @camertron has been involved in renewing our expiring certs. Can you both please make sure this gets taken care of by the 09-09 deadline?

camertron commented 4 weeks ago

Yep, this is the one we have a calendar event for 😅 Unfortunately the information in this issue is wrong - re-deploying the app will not fix the problem. I just checked the Azure console and it appears that the new cert was not automatically added to the primerstyle App Service as it should have been, which confirms our suspicion that some part of the automation needs more access.

In any case, primer.style will not be affected by this cert expiring because we are using an Azure-generated cert that expires 11-23-2024:

$ openssl s_client -connect primer.style:443 2>/dev/null | openssl x509 -noout -dates
notBefore=May 23 00:00:00 2024 GMT
notAfter=Nov 23 23:59:59 2024 GMT
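Added example, not part of the thread: a small Python triage that takes the text printed by `openssl x509 -noout -serial -dates` for the certificate a host serves and decides whether it is the certificate named in an expiry notice, and how many days it has left. The served-certificate serial in the sample is constructed (the thread does not give it), and the function names and the 30-day threshold are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Serial quoted in the expiry notice at the top of this issue.
NOTICE_SERIAL = "0322d80c64ddd9b3304c620010d94d6ffc09"

# Constructed sample: the dates are the ones shown in the thread, the serial is made up.
SAMPLE_SERVED = """serial=0A1B2C3D4E5F60718293A4B5C6D7E8F9
notBefore=May 23 00:00:00 2024 GMT
notAfter=Nov 23 23:59:59 2024 GMT
"""

def parse_openssl_fields(text):
    """Turn the key=value lines printed by openssl x509 into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def serial_to_int(serial):
    """Compare serials as integers so case, colons and leading zeros do not matter."""
    return int(serial.replace(":", "").strip(), 16)

def triage(openssl_output, notice_serial, now=None, warn_days=30):
    """Report whether the served cert is the one in the notice and when it expires."""
    fields = parse_openssl_fields(openssl_output)
    missing = [k for k in ("serial", "notAfter") if k not in fields]
    if missing:
        raise ValueError("openssl output lacks: " + ", ".join(missing))
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the "Nov 23 23:59:59 2024 GMT" form openssl prints.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(fields["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    return {
        "served_is_noticed_cert":
            serial_to_int(fields["serial"]) == serial_to_int(notice_serial),
        "not_after": not_after,
        "days_left": days_left,
        "expiring_soon": days_left < warn_days,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SERVED, NOTICE_SERIAL))
```

A serial mismatch only shows that a different certificate is being served; the served certificate's own `notAfter` still has to be tracked.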

lesliecdubs commented 4 weeks ago

Thanks for checking this out further @camertron. Can you please reach back out to #secure-access-engineering as referenced in the issue? I know we didn't technically receive this issue in error, but we ought to report that the information in the issue is incorrect and confirm whether they'd like to go ahead and close this issue or update it.

lesliecdubs commented 3 weeks ago

👋 @matthiaswenz we think this issue will be null once we have moved primer.style to Next.js. Do you have an expected timeframe for the new site to go live? Asking because we are trying to figure out how deep we need to go with ensuring the current primer.style cert doesn't expire.

matthiaswenz commented 1 week ago

Correct, this kind of cert issue should be void with GitHub issued certificates once we move primer.style to a Moda application which https://github.com/github/primer/issues/3629 laid the foundation for.

The timeline on when this new site will launch publicly is yet to be defined in detail with @dipree - though a date before November 23 should be feasible.

camertron commented 1 week ago

Great, thanks @matthiaswenz :) Given that we're not actually using this cert, and given that we're moving primer.style to Moda anyway, I think there's no reason to continue working on creating our own cert via octocerts/secrets-federation and instead continue to rely on the cert generated and managed by Azure 👍