Rotate hg.m.o cert

The hg.m.o cert will next expire on 2021.10.31, and every year thereafter. We need to rotate the cert a month before it expires, to give us time to debug and resolve issues with the option of backing out. (During the 2020 cert rotation, we rotated the cert a week before it expired, and had to deal with multiple days of tree closures afterwards.)

Steps

  • Create new cert (vcs team)

  • Update the various fingerprint locations in-tree and in secrets (vcs team)

  • Update treescript fingerprint, if applicable (releng team)

  • Create trusted and untrusted docker-worker AMIs. The trusted AMIs need to have the CoT key. (taskcluster team)

  • Create trusted and untrusted generic-worker AMIs. The trusted AMIs need to have the CoT key. (relops team)

  • Land ci-configuration patches to use the new AMIs (taskcluster, relops, releng teams)

  • Test, deal with fallout, update docs

We could use the opportunity to rotate CoT keys as well, in which case we would:

  • generate new CoT keys before creating the new trusted AMIs

  • add them to scriptworker

  • release scriptworker

  • roll out new scriptworker pools with the new scriptworker CoT key and the new trusted public keys in scriptworker.constants

  • then proceed with rolling out new AMIs

  • remove the old CoT keys from scriptworker.constants once all trusted workers are using the new keys