Page MenuHomePhabricator
Create Task
Maniphest T100827

replace git's sha1 cert with sha256
Closed, ResolvedPublic
Actions

Description

Tracking task to replace git's sha1 cert with sha256, in multiple steps:

  • - reissue certificate in sha256
  • - update configuration of ganglia to use new certificate
  • - push changes live
  • - revoke old sha1 certificate

Details

SubjectRepoBranchLines +/-
git.wikimedia.org.crt sha1 to sha256operations/puppetproduction+26 -29
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedRobHT73156 Replace SHA1 certificates with SHA256
 ResolvedRobHT100827 replace git's sha1 cert with sha256

Event Timeline

RobH created this task.May 29 2015, 7:01 PM
RobH claimed this task.
RobH raised the priority of this task from to Medium.
RobH updated the task description. (Show Details)
RobH added projects: acl*sre-team, HTTPS.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 29 2015, 7:01 PM
gerritbot subscribed.May 29 2015, 7:06 PM

Change 214673 had a related patch set uploaded (by RobH):
git.wikimedia.org.crt sha1 to sha256

https://gerrit.wikimedia.org/r/214673

gerritbot added a project: Patch-For-Review.May 29 2015, 7:06 PM
RobH mentioned this in T73156: Replace SHA1 certificates with SHA256.May 29 2015, 7:07 PM
Chmarkine subscribed.Jun 1 2015, 12:02 PM

git.wikimedia.org is behind misc-web. Is this cert still needed?

RobH added a comment.Jun 1 2015, 4:08 PM

Indeed, it is behind misc-web. I think we can indeed revoke this cert/keypair entirely. I'll keep it assigned to me and do so later today. Once done, I'll remove from our repo(s).

gerritbot added a comment.Jun 3 2015, 5:19 PM

Change 214673 abandoned by RobH:
git.wikimedia.org.crt sha1 to sha256

Reason:
git.w.o lives behind misc-web, this cert doesn't need to exist.

https://gerrit.wikimedia.org/r/214673

RobH mentioned this in rOPUPb5f918462cc6: git.w.o cert deletion - exists behind misc-web.Jun 3 2015, 5:26 PM
Dzahn mentioned this in rOPUP05d30f2f0d75: gitblit: don't install ssl cert anymore.Jun 3 2015, 5:42 PM
RobH closed this task as Resolved.Jun 3 2015, 5:45 PM

I revoked and deleted the git.wikimedia.org key and certificate, and Daniel's patchset stops the system from installing the now delete (and also unused) cert/key from systems.

Dzahn updated the task description. (Show Details)Jun 4 2015, 8:48 PM
Dzahn set Security to None.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL