
update ldap-mirror.wikimedia.org certificate to sha256
Closed, ResolvedPublic

Description

This will be the tracking task to replace the SHA1 certificate for ldap-mirror.wikimedia.org with a SHA256 one.

  • reissue certificate in SHA256 & create patchset containing the new certificate
  • merge into puppet and ensure ldap gets the updated information

FYI: I recall that previously, puppet alone didn't force LDAP to use the new certificate; further manual commands were required within ldap.

Event Timeline

RobH claimed this task.
RobH raised the priority of this task from to High.
RobH updated the task description.
RobH added projects: acl*sre-team, HTTPS.
RobH added a project: LDAP.
RobH set Security to None.
RobH added subscribers: Matanya, Jay8g, gerritbot and 14 others.
RobH added subscribers: Andrew, coren.

From what I can see, there is no issuer within the certificate. When you run "openssl x509 -in <certfile.crt> -noout -text" against a certificate file, it shows information, including the issuing agency.

When run against any of our rapidssl, digicert, globalsign, or symantec certificates, we get issuer information in the output. I have no order information in my Symantec, Digicert, or Globalsign portals. Attempting reissue with rapidssl results in certificate not found.

This makes me think this is a self-signed certificate, which is why it's lacking those particular fields. As such, this isn't really something that requires me to reissue. This requires someone who knows ldap, and knows how self-signed keys will affect this certificate's use, to own this ticket.

I asked in IRC, and @coren backed up my initial suggestion that @Andrew handled this the last time we had to change ldap certificates. As such, I am going to assign him to this task.

@Andrew: If this isn't correct, or if you need a second set of eyes on things, just let me know.

ldap-mirror is plutonium, which is, I believe, Alexandros's project. I've never touched it.

So, I'm not unwilling to work on this, but it might be simpler for Alex.

As @RobH points out

openssl x509 -in /home/alex/wikimedia/gerrit/puppet/production/files/ssl/ldap-mirror.wikimedia.org.crt -issuer
issuer= /C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/OU=Operations/CN=WMF CA 2014-2017

This is indeed an internal certificate issued by WMF CA 2014-2017. I'll issue a new certificate with a sha256 signature and document it in wikitech.
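One way to run the check discussed in the comments above, as an added example that is not from this task or from the Wikimedia puppet repository: it builds a throwaway CA in a temporary directory, signs one CSR once with SHA-1 (the legacy state) and once with SHA-256, and then reports each certificate's signature algorithm, its issuer, and whether issuer and subject coincide (a self-signed certificate) or differ (a certificate from an internal CA, as turned out to be the case here). All names are constructed for the example; the hostname and CA name are hypothetical.

```shell
#!/bin/sh
# Added example (not the task's or the project's own code): inspect the
# signature algorithm and issuer of X.509 certificates with the openssl CLI,
# and tell a self-signed certificate from one issued by an internal CA.
# Everything is generated locally in a temp dir so it runs offline.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (constructed; the name is hypothetical, not WMF CA 2014-2017).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/O=Example Org/OU=Operations/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Key and CSR for a hypothetical server name.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=ldap-mirror.example.org" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null

# Sign the same CSR with SHA-1 and with SHA-256. Some hardened OpenSSL
# builds refuse to create SHA-1 signatures at all; that is not fatal here.
openssl x509 -req -sha1 -days 30 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 1 \
  -out "$WORK/srv-sha1.crt" 2>/dev/null \
  || echo "note: this OpenSSL build refuses to create SHA-1 signatures" >&2
openssl x509 -req -sha256 -days 30 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 2 \
  -out "$WORK/srv-sha256.crt" 2>/dev/null

# sig_alg <cert>: the signature algorithm, e.g. sha1WithRSAEncryption.
# "Signature Algorithm:" appears twice in -text output; the first is enough.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# issuer_of / subject_of <cert>: the DN without the "issuer="/"subject=" prefix,
# so the two can be compared (the DN format differs between OpenSSL versions,
# but it is the same within one build).
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# is_self_signed <cert>: succeeds when issuer and subject are identical.
is_self_signed() {
  [ "$(issuer_of "$1")" = "$(subject_of "$1")" ]
}

# weak_sig <cert>: succeeds when the certificate carries a signature made
# with a hash that should no longer be used (SHA-1, MD5, MD2).
weak_sig() {
  case "$(sig_alg "$1")" in
    sha1*|md5*|md2*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report every certificate we produced.
for c in "$WORK"/*.crt; do
  if is_self_signed "$c"; then kind="self-signed"; else kind="issued by: $(issuer_of "$c")"; fi
  if weak_sig "$c"; then verdict="REPLACE"; else verdict="ok"; fi
  printf '%s\n  sigalg=%s\n  %s\n  verdict=%s\n' "$(basename "$c")" "$(sig_alg "$c")" "$kind" "$verdict"
done
```

Run it against a real file with `sig_alg /path/to/cert.crt` and `is_self_signed /path/to/cert.crt`; the comparison of issuer and subject is what separates "no commercial issuer in the portal" from "no issuer at all", which is the distinction the comments above turn on.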

Change 223788 had a related patch set uploaded (by Alexandros Kosiaris):
Sign ldap-mirror.wikimedia.org with SHA256

https://gerrit.wikimedia.org/r/223788

Documentation in: https://wikitech.wikimedia.org/wiki/WMF_CA

Merging puppet change and restarting ldap servers to pick up the change

Change 223788 merged by Alexandros Kosiaris:
Sign ldap-mirror.wikimedia.org with SHA256

https://gerrit.wikimedia.org/r/223788