scientist-softserv / adventist_knapsack

Apache License 2.0

SSL Cert #330

Closed jillpe closed 1 year ago

jillpe commented 1 year ago

Summary

Earlier this summer we jumped through SSL cert renewal hoops with help from the team, so we'd like to think we can fix this problem ourselves and just follow the steps we learned. However, this alert seems different, and we could use some educated eyes to take a look and let us know.

The last certificate expired without a warning from AWS, so we assume this is a different certificate and it's embedded somewhere in AWS that we haven't worked before. We're also curious how the Hyku sites domain names are hosted. I have access to our BlueHost account, and I don't see b2.adventistdigitallibrary.org or s2.adventistdigitallibrary.org listed under our domains or subdomains. Perhaps I just can't find them. They were obviously set up before I joined this project, and my predecessor kept almost no documentation, so I hope I can rely on the team's memory.

Message from AWS

Greetings from Amazon Web Services,

You have an SSL/TLS certificate from AWS Certificate Manager in your AWS account that expires on Oct 07, 2023 at 23:59:59 UTC. This certificate includes the primary domain *.b2.adventistdigitallibrary.org and a total of 1 domains.

AWS account ID: 031107666127
AWS Region name: us-east-1
Certificate identifier: arn:aws:acm:us-east-1:031107666127:certificate/390ea164-e0ae-4914-971c-ae207ad37f8c

AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable.

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below. You can find the CNAME records for your domains by expanding your certificate and its domain entries in the ACM console. You can also use the DescribeCertificate command in the ACM API[1] or the describe-certificate operation in the ACM CLI[2] to find a certificate’s CNAME records. For more information, see Automatic Domain Validation Failure in the ACM troubleshooting guide[3]. The following 1 domains require validation: *.b2.adventistdigitallibrary.org

If you have questions about this process, you can contact the Support Center[4]. If you don’t have an AWS support plan, you can post a new thread in the AWS Certificate Manager discussion forum[5].

[1] https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
[2] https://docs.aws.amazon.com/cli/latest/reference/acm/describe-certificate.html
[3] https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html#troubleshooting-renewal-domain-validation-failure
[4] https://console.aws.amazon.com/support
[5] https://repost.aws/tags/TAJ7zd4vjzSfC_8JNlsbq2tA?forumID=206

Sincerely, Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210 ...

Questions to Answer

aprilrieger commented 1 year ago

That was an old cert from when we initially tried to set up the certification renewal annually with manual intervention.

We now have certification set up to automatically update and renew the certs through cert-manager in the cluster, automatically.

I did go in and clean up AWS a bit and deleted the old cert that was no longer in use so the client should not receive any more alerts for that old cert.

Also as part of the maintenance contract we monitor those SSL expirations and monitor them through Site24x7.
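
The triage this thread walks through, as an added example that is not part of the original issue or the project's code: it reads a DescribeCertificate response and reports whether the validation CNAME needs restoring or whether the certificate is simply unused. The sample JSON (ARN, domain, CNAME values) is a constructed placeholder and `triage` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output;
# the ARN, domain and CNAME values are placeholders, not from the issue.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-PLACEHOLDER",
  "DomainName": "*.b2.example.org",
  "NotAfter": "2023-10-07T23:59:59+00:00",
  "InUseBy": [],
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "*.b2.example.org",
       "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION",
       "ResourceRecord": {"Name": "_1a2b3c.b2.example.org.",
                          "Type": "CNAME",
                          "Value": "_4d5e6f.acm-validations.aws."}}]}}}
""")


def triage(described):
    """Return (action, records) for one DescribeCertificate response."""
    cert = described["Certificate"]
    renewal = cert.get("RenewalSummary", {})
    # Domains whose renewal validation has not succeeded, with the CNAME
    # that ACM expects to find in the public DNS zone.
    pending = [
        (opt["DomainName"], opt["ResourceRecord"]["Name"], opt["ResourceRecord"]["Value"])
        for opt in renewal.get("DomainValidationOptions", [])
        if opt.get("ValidationStatus") != "SUCCESS" and "ResourceRecord" in opt
    ]
    if not pending and renewal.get("RenewalStatus") in (None, "SUCCESS", "PENDING_AUTO_RENEWAL"):
        return "ok", []
    if not cert.get("InUseBy"):
        # Nothing references the certificate: expiry breaks no endpoint, so
        # it is a candidate for deletion rather than for a DNS fix.
        return "unused-certificate", pending
    return "restore-validation-cname", pending


if __name__ == "__main__":
    action, records = triage(SAMPLE)
    print(action)
    for domain, name, value in records:
        print(f"{domain}: {name} CNAME {value}")
```
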