From 07e66854075d90b6d48ea0bbbd9516ffbf49eb2b Mon Sep 17 00:00:00 2001 From: ChrisBAshton Date: Mon, 19 Feb 2024 10:50:47 +0000 Subject: [PATCH 1/5] Remove reference to "How we do DNS" in "Common AWS support tasks" We no longer look at AWS when processing common DNS queries - it's all handled in govuk-dns-tf - so we can safely remove this from this page. --- .../manual/common-aws-tasks-for-2nd-line-support.html.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/source/manual/common-aws-tasks-for-2nd-line-support.html.md b/source/manual/common-aws-tasks-for-2nd-line-support.html.md index 139e8909da..22f67d63f4 100644 --- a/source/manual/common-aws-tasks-for-2nd-line-support.html.md +++ b/source/manual/common-aws-tasks-for-2nd-line-support.html.md @@ -84,13 +84,4 @@ View the documentation on [how to backup and restore in AWS RDS]. [how to backup and restore in AWS RDS]: /manual/howto-backup-and-restore-in-aws-rds.html -## Learn - -### How do we do DNS? - -GOV.UK is effectively a DNS registrar for some third-level domain names, for -example service.gov.uk. - -See [how GOV.UK does DNS](/manual/dns.html). - [govuk-aws]: https://github.com/alphagov/govuk-aws From 312db0336795e754d9ed29d104ccd403d6a35d48 Mon Sep 17 00:00:00 2001 From: ChrisBAshton Date: Mon, 19 Feb 2024 11:09:18 +0000 Subject: [PATCH 2/5] Remove obsolete Icinga Alert document This was defined in Puppet: https://github.com/alphagov/govuk-puppet/blob/main/modules/monitoring/manifests/checks.pp#L127-L134 It doesn't appear to have been carried over to govuk-helm-charts. --- .../alerts/renew-tls-certificate.html.md | 41 ------------------- 1 file changed, 41 deletions(-) delete mode 100644 source/manual/alerts/renew-tls-certificate.html.md diff --git a/source/manual/alerts/renew-tls-certificate.html.md b/source/manual/alerts/renew-tls-certificate.html.md deleted file mode 100644 index 685f9ceeae..0000000000 --- a/source/manual/alerts/renew-tls-certificate.html.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -owner_slack: "#govuk-2ndline-tech" -title: Check the TLS certificate is valid and not due to expire -parent: "/manual.html" -layout: manual_layout -section: Icinga alerts ---- - -These checks look at the validity of the TLS certificates for: - -* www.gov.uk at the edge (Fastly) -* www.gov.uk at the origin (our servers) -* www.staging.publishing.service.gov.uk at the edge (Fastly) -* www.integration.publishing.service.gov.uk at the edge (Fastly) -* \*.publishing.service.gov.uk, \*.staging.publishing.service.gov.uk and \*.integration.publishing.service.gov.uk at the origin (our servers), depending on the environment Icinga is running in - -The alert fires 30 days before certificate expiry. - -See [renew a TLS certificate for GOV.UK](/manual/renew-a-tls-certificate.html). - -## Production www.gov.uk certificate - -The TLS certificate for www.gov.uk is managed by Fastly. If any additional -verification of domain ownership is needed for renewal (for example if Fastly -chooses a different outsourcing partner for its certification authority), -Fastly will open a support ticket with us. This ticket will go to 2nd-line Tech -Support, who should co-ordinate with Fastly to ensure that the certificate is -renewed. - -## Production, staging and integration wildcard certificates - -The wildcard TLS certificates for production, staging and integration are -automatically renewed by AWS. Renewal should require no human intervention -provided the DNS validation records remain in place. - -## Staging and integration www certificates - -The certificates for www.staging.publishing.service.gov.uk and -www.integration.publishing.service.gov.uk are automatically issued by Fastly. -Renewal should require no human intervention provided the DNS validation -records remain in place. From 454b2f883ae50dd99f8043aa01388a2009a4f0a7 Mon Sep 17 00:00:00 2001 
From: ChrisBAshton Date: Mon, 19 Feb 2024 11:11:52 +0000 Subject: [PATCH 3/5] Remove obsolete Icinga alert about renewing TLS cert Only existed in Puppet, no longer lives: https://github.com/alphagov/govuk-puppet/blob/main/modules/monitoring/manifests/checks.pp#L127-L134 It contained documentation around renewing certificates in Gandi. I've logged into our Gandi account and there are no active SSL certificates on the account. I assume these instructions are no longer required. --- source/manual/renew-a-tls-certificate.html.md | 88 ------------------- 1 file changed, 88 deletions(-) delete mode 100644 source/manual/renew-a-tls-certificate.html.md diff --git a/source/manual/renew-a-tls-certificate.html.md b/source/manual/renew-a-tls-certificate.html.md deleted file mode 100644 index edf3545a92..0000000000 --- a/source/manual/renew-a-tls-certificate.html.md +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -owner_slack: "#govuk-2ndline-tech" -title: Renew a TLS certificate for GOV.UK -section: Infrastructure -layout: manual_layout -parent: "/manual.html" ---- - -## Renewing the certificate for www.gov.uk - -The TLS certificate for www.gov.uk is managed by Fastly. If there is any action -needed by us, for example if the requirement for verifying that we own the -domain have changed, then Fastly will open a support ticket with us. This -ticket will be routed to Technical 2nd-line support, who should coordinate with -Fastly to ensure that the certificate is renewed in good time. - -> The www.gov.uk certificate does not appear in manage.fastly.com, even though -> Fastly manages it for us. - -Occasionally, Fastly might need us to add or update a DNS record directly -underneath the `gov.uk` domain, in order for their supplier to validate our -ownership of the domain. If this happens, you will need to [open a ticket with -Jisc](/manual/dns.html#dns-for-the-gov-uk-top-level-domain), who manage the -`gov.uk.` DNS zone. - -Credentials for the Fastly Zendesk support site are in the [Technical 2nd Line password store](https://github.com/alphagov/govuk-secrets/blob/master/pass/2ndline/fastly). - -## Renewing publishing.service.gov.uk wildcard certificates - -Wildcard certificates for `*.publishing.service.gov.uk`, `*.staging.publishing.service.gov.uk` -and `*.integration.publishing.service.gov.uk` are issued by AWS Certificate -Manager (ACM) and should renew automatically. - -ACM relies on a validation DNS record being present in order to prove that we -own the domain. If an ACM-managed certificate is nearing its expiry date, check -the status of the certificate under ACM in the AWS web console to see whether -ACM was able to validate the domain. - -As long as the validation DNS record remains in place, AWS will renew these -certificates automatically. You shouldn't need to do anything unless something -goes wrong with the validation records. 
- -## Renewing legacy Gandi certificates - -You might come across a legacy certificate which is still issued through Gandi -(for example signup.take-part-in-research.service.gov.uk). - -If you need to renew one of these, first consider whether you could use -Fastly or AWS to issue the certificate so that future renewals are automatic. -If the service is hosted on either, the answer is probably "yes". - -If the service is hosted by an external supplier, that supplier should be -responsible for obtaining a certificate, even if we might have done this for -them in the past. Talk with whoever owns the relationship with the supplier in -order to resolve this. Platform Security and Reliability team can help you with -this if necessary. - -⚠️ **Never transfer a private key outside the system it was generated on.** -(This is why CSRs exist, and also why services such as AWS Certificate Manager -won't let you see private keys that they generate for you.) If you're unsure -how to avoid the need to send someone a private key, talk to Platform Security -and Reliability team and they will help you find a secure alternative. - -To renew a Gandi certificate, if it's absolutely necessary: - -1. [Generate a Certificate Signing Request (CSR)](generate-csr.html) for a - *renewal*. The private key *must* be generated on the infrastructure which - will ultimately host the certificate. If the certificate is for a - third-party supplier, they must generate the CSR and send it to you. The - private key must never leave the hosting environment. -2. Log into Gandi [using the credentials in the infra password - store](https://github.com/alphagov/govuk-secrets/blob/master/pass/infra/gandi/govuk.gpg). -3. Go to the account dashboard and find the list of TLS certificates on the - account. -4. Find the certificate you wish to renew and click Renew. -5. Go through the steps on the renewal form until you reach a page requesting a - Certificate Signing Request. -6. 
Upload the CSR to Gandi by pasting the contents of the .csr file into the - text box. -7. Next, choose DNS validation to validate it and follow the instructions to add - the relevant DNS records. -8. Pay for it - we don't have a stored payment method, so find the person with - the GDS credit card. Or raise a request for temporary credit card details from - PMO by sending an email to pmo@digital.cabinet-office.gov.uk. -9. Add the Certificate, Private Key, Certificate Signing Request and Intermediate Certificate - to the [`2ndline` pass store](https://github.com/alphagov/govuk-secrets/tree/master/pass/2ndline) - under the `certificates` directory. -10. Import the certificate to the relevant infrastructure From a3800e4b0a8070e317549924629a2c5fbac646e8 Mon Sep 17 00:00:00 2001 From: ChrisBAshton Date: Mon, 19 Feb 2024 11:20:21 +0000 Subject: [PATCH 4/5] Remove duplication of DNS documentation from Zendesk.html It's perhaps useful to have a signpost from this doc, but it shouldn't contain documentation that will otherwise fall out of date. --- source/manual/zendesk.html.md | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/source/manual/zendesk.html.md b/source/manual/zendesk.html.md index f8caee50ae..011265cb6f 100644 --- a/source/manual/zendesk.html.md +++ b/source/manual/zendesk.html.md 
@@ -109,19 +109,7 @@ review and assign to the `3rd Line--GOV.UK Product Requests` Zendesk group. ## DNS delegation tickets -As of October 2022, Technical 2nd line may be asked to process DNS delegation requests. This used to be handled by a dedicated `3rd Line--GDS Reliability Engineering` Zendesk queue, which has now been merged into `2nd Line--GOV.UK Alerts and Issues`. - -The requests will look something like the following: - -> Please delegate the following to `something.service.gov.uk` -> `nameserver1.example.com` -> `nameserver2.example.com` - -The workflow for these requests is that a requester emails a particular email address, which creates a Zendesk ticket for the GOV.UK Policy and Strategy team. The request is then signed off and routed to us. We then double-check with someone from GOV.UK Policy and Strategy that the change has been agreed, then add/change the necessary DNS records (see [example](https://github.com/alphagov/govuk-dns-config/pull/854/files)) and respond to the requestor via the ticket. - -Note that some requests come directly via the [hostmaster Google group](https://groups.google.com/a/digital.cabinet-office.gov.uk/g/hostmaster). If you are in any doubt about the legitimacy of a request, reassign the ticket to `3rd Line--Policy and Strategy` and add an internal note asking them. - -For actioning these requests, [read our DNS documentation](/manual/dns.html). +[Read our DNS documentation](/manual/dns.html) to find out more about these requests and how to action them. ## Automated requests from Amazon ACM or AWS Certificate Manager From c42036c6cf25fa4c8407d4dda493039dae425c79 Mon Sep 17 00:00:00 2001 From: ChrisBAshton Date: Mon, 19 Feb 2024 14:10:51 +0000 Subject: [PATCH 5/5] More clearly signpost the 2nd line DNS documentation --- source/manual/dns.html.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/source/manual/dns.html.md b/source/manual/dns.html.md index 971a528c7d..c4a5e6801a 100644 
--- a/source/manual/dns.html.md +++ b/source/manual/dns.html.md @@ -7,18 +7,14 @@ layout: manual_layout parent: "/manual.html" --- -GOV.UK is responsible for managing several DNS zones. For documentation on updating DNS, see the [DNS change request and hostmaster](https://drive.google.com/drive/search?q=-%20type:document%20title:%22Tech%202nd%20Line%20-%20Handle%20Tickets%20on%20DNS%20Change%20request%20hostmaster%40%22) doc for Technical 2nd Line. +> For **Technical 2nd Line documentation** on when and how to respond to DNS delegation and domain verification requests, read the [DNS change request and hostmaster Google doc](https://drive.google.com/drive/search?q=-%20type:document%20title:%22Tech%202nd%20Line%20-%20Handle%20Tickets%20on%20DNS%20Change%20request%20hostmaster%40%22). -In most cases, zones are hosted by AWS (Route 53) and Google Cloud Platform (Cloud DNS). See [Amazon Route53 vs Google Cloud in the govuk-dns-tf README](https://github.com/alphagov/govuk-dns-tf#amazon-route53-vs-google-cloud) +GOV.UK is responsible for managing several DNS zones, spanning a number of `*.gov.uk` domains. As of February 2024, there are 45 hosted zones, configuring many hundreds of domains. A list of hosted zones is retrievable from a terminal using: -As of December 2022, there are 61 hosted zones. A list is retrievable from a terminal using: - -``` +```sh gds aws govuk-production-poweruser -- aws route53 list-hosted-zones | grep Name ``` -Some individual records within these zones are managed by other teams. - ## Records for GOV.UK systems We use a few domains:
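Review bot: in patch 1/5 (common-aws-tasks-for-2nd-line-support.html.md), deleting the whole "Learn" section also drops this page's only pointer to /manual/dns.html, which is inconsistent with patch 4/5, where the equivalent section is replaced by a one-line signpost rather than removed. Suggest leaving a single line such as "For DNS, see [how GOV.UK does DNS](/manual/dns.html)." so someone who lands on the AWS tasks page with a DNS question is still routed to the right place; the rationale in the commit message (DNS is handled in govuk-dns-tf, not AWS) would then belong in that line rather than only in git history.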
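Review bot: in patch 2/5 (deletion of alerts/renew-tls-certificate.html.md), the commit message says the Icinga check "doesn't appear to have been carried over to govuk-helm-charts" but does not say whether any replacement certificate-expiry alert exists. The deleted page is the only place in this series that records the 30-day pre-expiry warning window, which certificates were covered (edge and origin for www.gov.uk, staging and integration, and the wildcard certs), and that Fastly renewal tickets are routed to 2nd-line Tech Support; if no replacement check exists, the commit message should state that plainly so the monitoring gap is a conscious decision rather than a side effect of a docs cleanup. Also worth grepping the manual for inbound links to /manual/alerts/renew-tls-certificate.html before merging, since the page was linked from at least the alerts index by convention.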
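Review bot: in patch 3/5 (deletion of renew-a-tls-certificate.html.md), the commit message justifies the deletion on the Gandi section alone ("no active SSL certificates on the account"), but the file also contains material that is still current and is not duplicated anywhere else in the series: the ACM wildcard section (renewal depends on the validation DNS record staying in place; check certificate status in the ACM console when expiry is near), the www.gov.uk procedure (Fastly opens the ticket; changes directly under `gov.uk` go through Jisc), and the rule that a private key must never leave the system that generated it. Suggest moving those three parts into dns.html.md or the "Automated requests from Amazon ACM" section of zendesk.html.md and deleting only "Renewing legacy Gandi certificates". Step 1 of the deleted Gandi procedure is also the only visible link to generate-csr.html, so check whether that page is now orphaned.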
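Review bot: in patch 4/5 (zendesk.html.md, "DNS delegation tickets" hunk), the removed paragraphs carry the authorisation controls for delegation requests: double-check with GOV.UK Policy and Strategy that the change has been agreed, and reassign to `3rd Line--Policy and Strategy` with an internal note when the legitimacy of a request is in doubt. The replacement line only links to /manual/dns.html, and the patch 5/5 hunk of that page adds only a link to a Google doc, so confirm those verification steps are actually present in the linked doc before merging; an unverified delegation is the main risk in this workflow. The dropped example link also points at govuk-dns-config, whereas patch 1/5 describes govuk-dns-tf as where DNS now lives; if the example is obsolete for that reason, say so in the commit message.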
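Review bot: in patch 5/5 (dns.html.md), the commit has a subject line only, and the hunk removes two statements with no stated reason: that zones are hosted on both Route 53 and Cloud DNS (together with the link to the govuk-dns-tf README, which is this page's only link to govuk-dns-tf despite patch 1/5 naming that repo as where DNS is handled), and that some individual records in these zones are managed by other teams. Both are useful to someone about to change a record, so either keep them or explain in the commit body why they no longer hold. The `aws route53 list-hosted-zones | grep Name` command lists Route 53 zones only; if Cloud DNS zones still exist, the "45 hosted zones" figure for February 2024 is a Route 53 count and the sentence should say so. Separately, the new blockquote links to a Google Drive search query rather than a document, which will silently return no results if the doc title changes; a direct document link is more durable.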