Opened 9 years ago

#410 new enhancement

Automatically request renewals of mit.edu certs

Reported by: geofft
Owned by:
Priority: normal
Milestone:
Component: web
Keywords:
Cc:

Description

Our certificate authority, InCommon, provides a WSDL API that allows us to programmatically request renewals of certs we already have, given just the "renew ID" from the email where they send us the cert. (That document is linked from InCommon's pile of documents, and mirrored from docs in Comodo's KB, in case it disappears/moves.)

We already have a cronjob to warn us when certificates are expiring. It might be nice to expand this to automatically request renewals of certificates that are close to expiration. The only thing you need is the "renew ID", which is in the email that the CA sends us to tell us we have a cert. We need to start tracking these somewhere for new certs, and we may not want them to be in the public source repository. For existing certs, we can gather some of these from the personal email archives of people who have forwarded cert requests onto MIT.

One possible approach for new certs is to have people forward the CA's emails to some @scripts address, or even to make a list to receive these emails so it happens automatically. At that point we might also think about automatically committing both new and renewed certs to the repository.

This ought to be doable by someone not on scripts-root, incidentally. You'll just need a renew ID for some vhost on scripts; a vhost you own should be fine (the risk with publicizing these is that someone can cause InCommon / Comodo to issue a cert when the site owner wanted the cert to expire), and you can test renewing that against the API.
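The skeleton of the automatic-renewal step described above, as an added example that is not the scripts.mit.edu cronjob, InCommon's client code, or anything taken from their WSDL. It assumes the existing expiry cronjob already produces `notAfter=...` lines in `openssl x509 -noout -enddate` format, that renew IDs live in a `vhost renew_id` file kept outside the public repository, and it uses placeholder values for the SOAP endpoint, namespace, operation name (`renewById`) and `SOAPAction`; all of those must be checked against InCommon's actual WSDL before the request is sent for real. The permission check on the renew-ID file is there because, as the ticket notes, a leaked renew ID lets anyone make the CA issue a cert the site owner may have wanted to let expire.

```python
"""Pick certs close to expiry and build the renewal request (added example)."""
import datetime as dt
import os
import stat
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders (assumptions, not taken from InCommon/Comodo documentation).
RENEW_ENDPOINT = "https://cert-manager.example.org/ws/EPKIManagerSSL"
RENEW_NAMESPACE = "http://ssl.ws.epki.comodo.com/"
RENEW_OPERATION = "renewById"

# Renew anything expiring within this window.
RENEW_THRESHOLD = dt.timedelta(days=30)


def parse_openssl_enddate(line):
    """Parse 'notAfter=Jun  5 12:00:00 2015 GMT' as printed by
    `openssl x509 -noout -enddate` (single-digit days are space padded)."""
    value = " ".join(line.split("=", 1)[-1].split())
    if not value.endswith(" GMT"):
        raise ValueError("unexpected notAfter format: %r" % line)
    parsed = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=dt.timezone.utc)


def parse_renew_ids(lines):
    """'vhost renew_id' per line; '#' starts a comment, blank lines ignored."""
    ids = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            vhost, renew_id = line.split()
            ids[vhost] = renew_id
    return ids


def load_renew_ids(path):
    """Read the renew-ID file, which must NOT be in the public source repo.
    Refuse a group/world-accessible file: a leaked renew ID lets anyone
    trigger issuance for that name."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is group/world accessible; chmod 600 it" % path)
    with open(path) as fh:
        return parse_renew_ids(fh)


def due_for_renewal(expiries, now, threshold=RENEW_THRESHOLD):
    """expiries: {vhost: notAfter}. Already-expired certs are included,
    since the renewal is still wanted for those."""
    return sorted(v for v, not_after in expiries.items()
                  if not_after - now <= threshold)


def renewals_to_request(expiries, renew_ids, now):
    """Pair each due vhost with its renew ID; vhosts without a stored ID
    are returned separately so someone can dig the ID out of the CA email."""
    requests, missing = [], []
    for vhost in due_for_renewal(expiries, now):
        if vhost in renew_ids:
            requests.append((vhost, renew_ids[vhost]))
        else:
            missing.append(vhost)
    return requests, missing


def build_renew_request(renew_id):
    """SOAP 1.1 envelope for a renew-by-ID call. Element names are
    placeholders; take the real ones from the WSDL."""
    env = ET.Element("soapenv:Envelope", {
        "xmlns:soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
        "xmlns:ssl": RENEW_NAMESPACE,
    })
    ET.SubElement(env, "soapenv:Header")
    body = ET.SubElement(env, "soapenv:Body")
    op = ET.SubElement(body, "ssl:" + RENEW_OPERATION)
    ET.SubElement(op, "renewId").text = renew_id
    return ET.tostring(env, encoding="unicode")


def send_renewal(renew_id, endpoint=RENEW_ENDPOINT, dry_run=True):
    """POST the envelope. With dry_run=True nothing leaves the machine; test
    for real only against a renew ID for a vhost you own, as the ticket says."""
    payload = build_renew_request(renew_id).encode()
    if dry_run:
        return payload
    req = urllib.request.Request(endpoint, data=payload, headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": RENEW_OPERATION,  # assumed; check the WSDL binding
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample of what the expiry cronjob might have gathered.
    now = dt.datetime(2015, 6, 1, tzinfo=dt.timezone.utc)
    sample = {
        "foo.scripts.mit.edu": parse_openssl_enddate("notAfter=Jun 20 00:00:00 2015 GMT"),
        "bar.scripts.mit.edu": parse_openssl_enddate("notAfter=Dec  1 00:00:00 2015 GMT"),
    }
    ids = parse_renew_ids(["foo.scripts.mit.edu 0123456789abcdef  # constructed"])
    todo, missing = renewals_to_request(sample, ids, now)
    for vhost, renew_id in todo:
        print(vhost, send_renewal(renew_id, dry_run=True).decode())
    print("no renew ID on file:", missing)
```

Run as a cron job it would replace the `print` with the real call once the endpoint and operation names have been confirmed; keeping `dry_run=True` as the default means a misconfigured run sends nothing to the CA.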

Change History (0)
