Page MenuHomePhabricator
Create Task
Maniphest T145120

update *.wmflabs.org certificate (existing expires on 2016-09-16)
Closed, ResolvedPublic
Actions

Description

This task will track the implementation of the updated *.wmflabs.org certificate. (Parent Task T140647 is a private procurement space task, so implementation should like be done in a public one.)

Patchset https://gerrit.wikimedia.org/r/#/c/309379/ has the new public certificate file.

The private key file is named in the private repo as new.star.wmflabs.org.key. When the new certificate file is pushed into service, the existing star.wmflabs.org.key file should be git rm'd, and then git mv the new.star.wmflabs.org.key into its place.

Further details will need to be added on what labs hosts make use of this certificate.

Details

SubjectRepoBranchLines +/-
tools: Provision proxy's cert from puppetmasteroperations/puppetproduction+0 -1
tools: Provision ssl private key from puppetmasteroperations/puppetproduction+1 -1
updated *.wmflabs.org certificateoperations/puppetproduction+29 -29
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Unknown Object (Task)
 ResolvedyuvipandaT145120 update *.wmflabs.org certificate (existing expires on 2016-09-16)

Event Timeline

RobH created this task.Sep 8 2016, 7:37 PM
Restricted Application added a project: Cloud-Services. · View Herald TranscriptSep 8 2016, 7:37 PM
gerritbot subscribed.Sep 8 2016, 7:38 PM

Change 309379 had a related patch set uploaded (by RobH):
updated *.wmflabs.org certificate

https://gerrit.wikimedia.org/r/309379

gerritbot added a project: Patch-For-Review.Sep 8 2016, 7:38 PM
RobH renamed this task from update *.wmflabs.org certificate to update *.wmflabs.org certificate (existing expires on 2016-09-16).Sep 8 2016, 7:40 PM
RobH reassigned this task from RobH to chasemp.
RobH raised the priority of this task from Medium to High.
RobH updated the task description. (Show Details)
chasemp reassigned this task from chasemp to yuvipanda.Sep 12 2016, 4:28 PM
gerritbot added a comment.Sep 12 2016, 5:56 PM

Change 310054 had a related patch set uploaded (by Yuvipanda):
tools: Provision ssl private key from puppetmaster

https://gerrit.wikimedia.org/r/310054

gerritbot added a comment.Sep 12 2016, 6:36 PM

Change 309379 merged by Yuvipanda:
updated *.wmflabs.org certificate

https://gerrit.wikimedia.org/r/309379

gerritbot added a comment.Sep 12 2016, 6:57 PM

Change 310062 had a related patch set uploaded (by Yuvipanda):
tools: Provision proxy's cert from puppetmaster

https://gerrit.wikimedia.org/r/310062

gerritbot added a comment.Sep 12 2016, 6:58 PM

Change 310054 merged by Yuvipanda:
tools: Provision ssl private key from puppetmaster

https://gerrit.wikimedia.org/r/310054

gerritbot added a comment.Sep 12 2016, 6:59 PM

Change 310062 merged by Yuvipanda:
tools: Provision proxy's cert from puppetmaster

https://gerrit.wikimedia.org/r/310062

yuvipanda added a comment.Sep 12 2016, 7:18 PM

I've moved over tools-static and tools, and they're good now.

Need to do novaproxy next.

yuvipanda added a comment.Sep 12 2016, 7:27 PM

I had to do this for the following set of hosts on tools:

  1. tools-proxy-*
  2. tools-static-*

I've done these by putting the ssl cert in the tools local puppetmaster. So in the future, for the tools-proxies / static, these need to be replaced only in the puppetmaster. Remember nginx needs a restart after.

On one of the proxy hosts I also found mismatched versions of nginx / openssl / libssl, causing puppet issues.

I've to do these in novaproxy-01 and -02, for both of which I need to still copy it manually to /etc/ssl/private (since they don't have a project puppetmaster)

yuvipanda added a comment.Sep 12 2016, 8:55 PM

ok, done on novaproxy-01 and -02 as well!

I've also documened the tools ssl certs in https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#SSL_certificates. Not sure where to document novaproxy-01 and -02 though.

yuvipanda closed this task as Resolved.Sep 12 2016, 9:04 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:40 PM
Bstorm mentioned this in T206223: *.wmflabs.org cert needs renewing.Oct 4 2018, 2:35 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL