
GlobalSign intermediate updates for one-offs
Closed, Resolved | Public

Description

These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:

| Cert | Fixed? | Notes |
| --- | --- | --- |
| archiva.wikimedia.org.crt | Yes | Simple |
| benefactorevents.wikimedia.org.crt | No | Externally-hosted |
| dumps.wikimedia.org.crt | Yes | Simple |
| eventdonations.wikimedia.org.crt | No | Externally-hosted |
| ganglia.wikimedia.org.crt | Yes | Simple |
| icinga.wikimedia.org.crt | Yes | service is icinga |
| ldap-codfw.wikimedia.org.crt | Yes | serpens, service is slapd |
| ldap-eqiad.wikimedia.org.crt | Yes | seaborgium, service is slapd |
| librenms.wikimedia.org.crt | Yes | Simple |
| lists.wikimedia.org.crt | Yes | Simple |
| mail.wikimedia.org.crt | Yes | mx[12]001; restarted exim4 |
| policy.wikimedia.org.crt | No | Externally-hosted |
| star.tools.wmflabs.org.crt | Yes | See Labs notes below |
| star.wmflabs.org.crt | Yes | Probably not needed, internal, see Labs notes below |
| tendril.wikimedia.org.crt | Yes | Simple |
| wikitech.wikimedia.org.crt | Yes | Simple |

For the ones marked Fixed/Simple above: the service host is reachable over ssh at the same hostname the cert is for, and each was fixed (after the puppet merge of the new intermediate) with:

touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart

Labs notes:
It's a simple nginx restart after the touch/puppet step above; the question is just finding the right hosts:
Instance pattern names for hosts using the certs: https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#SSL_certificates
Finding the current instances: root@labcontrol1001:~# source ~/novaenv.sh; nova list --all-tenants | egrep 'tools-(proxy|static)-'
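Added example, not part of this task or of the puppet repo: a check to run after the touch/puppet/restart step, both for the "Simple" hosts and for the Labs proxies found with the nova list above. It answers two questions a client cares about: which intermediate a chain bundle actually carries (by fingerprint), and whether the leaf still validates against a given root using only the intermediate shipped in the bundle. All key material is a constructed toy PKI built inline with openssl; the root names "Toy Root R1" and "Toy New Root", the file names, and the function names are illustrative and not GlobalSign's or Wikimedia's. The intermediate is deliberately issued twice from one key under two different roots, which is the shape of a re-issued intermediate.

```shell
#!/bin/sh
# Added example (constructed toy PKI, not real GlobalSign material).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

# gen_key NAME: EC P-256 private key in NAME.key
gen_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
}

# issue OUT KEY SUBJECT EXTFILE [CACERT CAKEY]: write OUT.pem for the key in
# KEY.key; self-signed when no CA is given, otherwise signed by CACERT/CAKEY.
issue() {
  openssl req -new -key "$2.key" -subj "$3" -out "$1.csr" 2>/dev/null
  if [ -z "$5" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$2.key" -days 30 \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
      -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}

# Toy hierarchy: two roots, one intermediate key issued under each root,
# one leaf signed by the intermediate key (so it chains through either).
gen_key r1;      issue r1 r1 '/CN=Toy Root R1' ca.ext
gen_key newroot; issue newroot newroot '/CN=Toy New Root' ca.ext
gen_key inter
issue inter_r1  inter '/CN=Toy Intermediate' ca.ext r1.pem r1.key
issue inter_new inter '/CN=Toy Intermediate' ca.ext newroot.pem newroot.key
gen_key leaf;    issue leaf leaf '/CN=example.test' leaf.ext inter_r1.pem inter.key
cat leaf.pem inter_r1.pem  > chain_old.pem   # what was deployed before
cat leaf.pem inter_new.pem > chain_new.pem   # what puppet should now deploy

# cert_fp FILE: SHA-256 fingerprint of the first certificate in FILE
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# nth_cert N FILE: print the N-th PEM certificate of a bundle
nth_cert() {
  awk -v want="$1" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$2"
}

# bundle_has_intermediate BUNDLE EXPECTED.pem: succeeds when the second cert
# in BUNDLE has the same SHA-256 fingerprint as EXPECTED.pem
bundle_has_intermediate() {
  nth_cert 2 "$1" > second.pem
  [ "$(cert_fp second.pem)" = "$(cert_fp "$2")" ]
}

# chain_verifies BUNDLE ROOT.pem: does the leaf validate to ROOT using only
# the intermediate shipped in BUNDLE (i.e. with nothing cached client-side)?
chain_verifies() {
  nth_cert 1 "$1" > leaf_only.pem
  openssl verify -CAfile "$2" -untrusted "$1" leaf_only.pem >/dev/null 2>&1
}

# served_intermediate_fp HOST:PORT: fingerprint of the intermediate a live
# server sends after the restart (needs network; not exercised below).
served_intermediate_fp() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts \
    </dev/null 2>/dev/null | awk '/-----BEGIN CERTIFICATE-----/{n++} n==2' > served.pem
  cert_fp served.pem
}

for b in chain_old chain_new; do
  if bundle_has_intermediate "$b.pem" inter_new.pem; then s="new intermediate"; else s="OLD intermediate"; fi
  if chain_verifies "$b.pem" newroot.pem; then v="verifies"; else v="does NOT verify"; fi
  printf '%s: %s, %s against the new root\n' "$b" "$s" "$v"
done
```

The on-disk check is the one that matters right after `puppet agent -t`; the served check (`served_intermediate_fp host:443` compared with `cert_fp` of the deployed intermediate) is the one that confirms the restart actually picked the new file up, since nginx, apache and exim keep the old chain in memory until restarted. Note that a bundle carrying the old intermediate still verifies fine against the old root, which is why a simple `openssl verify` against the system store can pass while clients that only trust the other root fail.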

Event Timeline

Zppix moved this task from Backlog to Certificates on the HTTPS board.

seaborgium and serpens use certs from our internal CA, not from GlobalSign.

The ones in the puppet repo under files/ssl/ are signed by GlobalSign.... I wonder what's out of sync here?

When we setup the openldap replacement servers for the OpenDJ setup, we started with an internal cert from the beginning. From what I can tell, we probably still had the old Globalsign cert around and this was only noticed when it recently expired: https://phabricator.wikimedia.org/T145201
I followed up on that task to remove them.

These are all fixed up now I believe, except for the 3x externally-hosted sites, which still link to the R1 root....

This comment was removed by hashar.
BBlack claimed this task.

Resolving for now, as we've covered what we can cover here in Ops. We'll need this ticket as a reference if we (quite likely) revert to the R1-based intermediate after the 4 day window of OCSP invalidity expires.