131 lines
8.2 KiB
Markdown
131 lines
8.2 KiB
Markdown
# IwoooS DNS / TLS / certbot Owner Response Acceptance
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-14 |
|
||
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
|
||
| 工具 | `scripts/security/domain-tls-certbot-owner-response-acceptance.py` |
|
||
| 輸入 | `docs/security/domain-tls-certbot-owner-confirmation-request.snapshot.json` |
|
||
| Snapshot | `docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 1. 目的
|
||
|
||
DNS / TLS / certbot 屬於 C0 公開入口配置。既有 owner confirmation request 已把 4 個 certificate path 需確認關係列出,但若缺少 owner response acceptance 帳本,後續容易把 SAN / wildcard / 共用憑證覆蓋確認、renewal owner 或 ACME route owner 誤判成 DNS query、TLS probe、certbot renew、Nginx reload 或 route smoke 授權。
|
||
|
||
本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 DNS query、不是 live TLS probe、不是 certbot renew、不是 Nginx reload、不是 route smoke,也不是 host write、production write 或 runtime gate 授權。
|
||
|
||
## 2. 摘要
|
||
|
||
| 指標 | 值 | 說明 |
|
||
|------|----|------|
|
||
| acceptance candidate count | `4` | 4 個 domain / certificate path relation candidate |
|
||
| C0 acceptance candidate count | `4` | 全部位於 188 public gateway / internal tools HTTPS 範圍 |
|
||
| acceptance field count | `23` | 每份 candidate 的 metadata-only 欄位 |
|
||
| required owner response field count | `13` | owner / decision / scope / redacted refs / coverage / expiry / renewal / ACME / window / rollback / validation |
|
||
| reviewer check count | `13` | raw cert、private key、credential、execution request、coverage ref 與 runtime gate 檢查 |
|
||
| outcome lane count | `7` | waiting、quarantine、reject、supplement、coverage review、read-only update、waiting runtime gate |
|
||
| blocked action count | `20` | DNS query、TLS probe、certbot renew、Nginx reload、route smoke、secret collection 等 |
|
||
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
|
||
| DNS query / TLS probe / certbot renew / Nginx reload / route smoke | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 |
|
||
| runtime gate / action button | `0 / 0` | 未開啟 |
|
||
|
||
## 3. 四份驗收候選
|
||
|
||
| Acceptance candidate | Control tier | 來源 request | 驗收焦點 |
|
||
|----------------------|--------------|--------------|----------|
|
||
| `domain_tls_certbot_owner_response_acceptance:gitea.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:gitea.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
|
||
| `domain_tls_certbot_owner_response_acceptance:langfuse.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:langfuse.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
|
||
| `domain_tls_certbot_owner_response_acceptance:signoz.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:signoz.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
|
||
| `domain_tls_certbot_owner_response_acceptance:tsenyang.com` | `C0` | `domain_tls_certbot_owner_confirmation:tsenyang.com` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
|
||
|
||
## 4. Owner response 必填欄位
|
||
|
||
| 欄位 | 規則 |
|
||
|------|------|
|
||
| `owner_role_or_team` | 只填角色或團隊,不填私人聯絡資料或 credential |
|
||
| `decision` | 允許 `confirm`、`defer`、`reject`、`request_more_evidence` |
|
||
| `decision_reason` | 摘要說明,不貼 raw cert、private key、certbot log 或 DNS credential |
|
||
| `affected_scope` | 明確列出 domain、certificate path metadata、ACME / route 影響範圍 |
|
||
| `redacted_evidence_refs` | 只接受脫敏 ref、ticket id、文件路徑、hash 或摘要 |
|
||
| `certificate_coverage_basis_ref` | SAN / wildcard / 共用憑證覆蓋依據的脫敏 ref |
|
||
| `certificate_expiry_metadata_ref` | 憑證到期資訊只能是 owner-provided metadata ref,不得貼 raw cert |
|
||
| `renewal_owner` | 未來 renewal 負責角色;不代表可執行 certbot renew |
|
||
| `acme_challenge_route_owner` | HTTP-01 ACME path 與 route smoke owner |
|
||
| `maintenance_window` | 未來 probe / renew / reload 的維護窗口;本 response 不開執行權 |
|
||
| `rollback_owner` | 未來若進變更的 rollback owner |
|
||
| `validation_plan` | DNS / TLS / ACME / route post-check 指標,不授權執行 |
|
||
| `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 |
|
||
|
||
## 5. Reviewer checks
|
||
|
||
| Check | 說明 |
|
||
|-------|------|
|
||
| `owner_identity_present` | owner role / team 必須可追溯 |
|
||
| `decision_and_reason_present` | decision 與 reason 必須同時存在 |
|
||
| `redacted_refs_only` | evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要 |
|
||
| `raw_certificate_absent` | 不得出現 raw certificate payload、完整 SAN dump、private key 或 ACME account key |
|
||
| `secret_value_absent` | 不得出現 DNS credential、registrar credential、token、cookie、authorization header 或 Basic Auth |
|
||
| `coverage_basis_ref_present` | 覆蓋依據必須是 metadata ref |
|
||
| `expiry_metadata_ref_not_probe` | 到期資訊不得由本帳本觸發 live probe |
|
||
| `renewal_owner_separate_from_action` | renewal owner 與 certbot renew action 必須分離 |
|
||
| `acme_route_owner_present` | ACME path 與 route smoke owner 必須清楚 |
|
||
| `maintenance_window_present` | 未來執行期操作需維護窗口或明確禁止窗口 |
|
||
| `rollback_owner_present` | rollback owner 與 rollback ref 必須存在 |
|
||
| `validation_plan_present` | validation plan 只列 post-check,不授權執行 |
|
||
| `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected,且不得開 runtime gate |
|
||
|
||
## 6. Outcome lanes
|
||
|
||
| Lane | 意義 |
|
||
|------|------|
|
||
| `waiting_owner_response` | 尚未收到 owner response |
|
||
| `quarantine_raw_certificate_or_secret` | 收到 raw cert、private key、DNS credential 或 certbot account 內容時隔離 |
|
||
| `reject_execution_request` | 夾帶 DNS query、TLS probe、certbot renew、Nginx reload 或 host write 要求時拒收 |
|
||
| `request_supplement` | 欄位不足、scope 不清或 evidence ref 不可追溯時要求補件 |
|
||
| `ready_for_certificate_coverage_review` | metadata 合格後,只能進憑證覆蓋關係 reviewer review |
|
||
| `owner_review_only_update` | 只允許更新只讀 owner review ledger |
|
||
| `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 |
|
||
|
||
## 7. 禁止事項
|
||
|
||
1. 不做 DNS query。
|
||
2. 不做 live TLS probe。
|
||
3. 不執行 certbot renew。
|
||
4. 不 reload Nginx。
|
||
5. 不執行 route smoke。
|
||
6. 不讀 TLS private key。
|
||
7. 不保存 raw certificate payload、DNS credential、certbot account key、secret value、未脫敏 certbot log、shell history 或 env dump。
|
||
8. 不修改 DNS record、TLS certificate path、ACME challenge route 或 production host。
|
||
9. 不開 runtime gate,不建立 action button。
|
||
|
||
## 8. 指令
|
||
|
||
產生 committed snapshot:
|
||
|
||
```bash
|
||
python3 scripts/security/domain-tls-certbot-owner-response-acceptance.py \
|
||
--root . \
|
||
--owner-confirmation-request-report docs/security/domain-tls-certbot-owner-confirmation-request.snapshot.json \
|
||
--output docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json \
|
||
--generated-at 2026-06-14T23:05:00+08:00
|
||
```
|
||
|
||
驗證 guard:
|
||
|
||
```bash
|
||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||
```
|
||
|
||
## 9. 完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 |
|
||
| DNS / TLS / certbot 只讀治理成熟度 | `74% -> 78%` | 收件驗收帳本更完整;不代表 live evidence 或 runtime action |
|
||
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
|
||
| certificate coverage confirmed | `0%` | 尚未收到 owner-provided metadata ref |
|
||
| DNS query / TLS probe | `0%` | 尚未批准且未執行 |
|
||
| certbot renew / Nginx reload / route smoke | `0%` | 尚未批准且未執行 |
|
||
| runtime gate / host write | `0%` | 未授權且未執行 |
|