
GlobalSign intermediate updates for one-offs
Closed, Resolved · Public

Description

These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:

| Cert | Fixed? | Notes |
| --- | --- | --- |
| archiva.wikimedia.org.crt | Yes | Simple |
| benefactorevents.wikimedia.org.crt | No | Externally-hosted |
| dumps.wikimedia.org.crt | Yes | Simple |
| eventdonations.wikimedia.org.crt | No | Externally-hosted |
| ganglia.wikimedia.org.crt | Yes | Simple |
| icinga.wikimedia.org.crt | Yes | service is icinga |
| ldap-codfw.wikimedia.org.crt | Yes | serpens, service is slapd |
| ldap-eqiad.wikimedia.org.crt | Yes | seaborgium, service is slapd |
| librenms.wikimedia.org.crt | Yes | Simple |
| lists.wikimedia.org.crt | Yes | Simple |
| mail.wikimedia.org.crt | Yes | mx[12]001; restarted exim4 |
| policy.wikimedia.org.crt | No | Externally-hosted |
| star.tools.wmflabs.org.crt | Yes | See Labs notes below |
| star.wmflabs.org.crt | Yes | Probably not needed, internal, see Labs notes below |
| tendril.wikimedia.org.crt | Yes | Simple |
| wikitech.wikimedia.org.crt | Yes | Simple |

For the ones initially marked Fixed/Simple above: the service host is sshable at the same hostname the cert is obviously for, and they were fixed (after the puppet merge of the new intermediate) with:

touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart

Labs notes:
It's a simple nginx restart after the touch/puppet as above; the question is just finding the right hosts:
Instance pattern names for hosts using the certs: https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#SSL_certificates
Finding the current instances: root@labcontrol1001:~# source ~/novaenv.sh; nova list --all-tenants | egrep 'tools-(proxy|static)-'
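The touch/puppet/restart sequence above says nothing about whether a host is now actually serving the new intermediate, or still the R1-chained one (or, as turned out for the ldap hosts, a cert from a different CA entirely). The script below is an added example for checking that, not something from this task or the puppet repo: it fetches the chain a server sends, prints subject and issuer for each certificate, and reports what the last served certificate (normally the intermediate) is issued by, so a stale host stands out. It assumes openssl(1) is installed and that `fetch_chain`/`ocsp_check` have network access to the hosts; the hostnames passed on the command line and the optional `EXPECT_ROOT` string are the operator's own, not taken from the task.

```shell
#!/bin/sh
# Added example (not from the task): verify which intermediate/root each host
# really serves after the touch/puppet/restart sequence. Assumes openssl(1).

# Write each PEM certificate in $1 (the format `openssl s_client -showcerts`
# emits, leaf first) to $2/cert.NN.pem so we can inspect them one at a time.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert.%02d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# One line per certificate in the chain file: "subject=... issuer=...".
# RFC2253 name formatting keeps the output stable across OpenSSL versions.
chain_report() {
    tmp=$(mktemp -d) || return 1
    split_chain "$1" "$tmp"
    for f in "$tmp"/cert.*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -noout -subject -issuer -nameopt RFC2253 -in "$f" \
            | sed -e 's/^subject= */subject=/' -e 's/^issuer= */issuer=/' \
            | tr '\n' ' '
        echo
    done | sed 's/ $//'
    rm -rf "$tmp"
}

# Issuer of the last certificate the server sent, i.e. the root the served
# intermediate chains to. This is the field that distinguishes an R1-chained
# intermediate from the replacement one.
chain_root_issuer() {
    chain_report "$1" | tail -n 1 | sed 's/^.*issuer=//'
}

# Fetch the chain a live server presents for $1 (SNI set) into file $3.
fetch_chain() {
    host=$1; port=${2:-443}; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Ask the leaf's own OCSP responder about it, using the served intermediate as
# issuer. If the responder does not yet know the new intermediate, the status
# and "Response verify" lines are where that shows up.
ocsp_check() {
    tmp=$(mktemp -d) || return 1
    split_chain "$1" "$tmp"
    leaf=$tmp/cert.01.pem; issuer=$tmp/cert.02.pem
    url=$(openssl x509 -noout -ocsp_uri -in "$leaf")
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" -resp_text 2>&1 \
        | grep -E 'OCSP Response Status|Cert Status|Response verify'
    rm -rf "$tmp"
}

# Usage: EXPECT_ROOT='CN=...' ./check_chain.sh host [host ...]
main() {
    for host in "$@"; do
        f=$(mktemp) || exit 1
        fetch_chain "$host" 443 "$f"
        root=$(chain_root_issuer "$f")
        printf '%s: served chain ends in cert issued by: %s\n' "$host" "$root"
        if [ -n "${EXPECT_ROOT:-}" ] && [ "$root" != "$EXPECT_ROOT" ]; then
            printf '%s: MISMATCH (expected %s)\n' "$host" "$EXPECT_ROOT"
        fi
        rm -f "$f"
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it against the hosts from the table after the restart, and again before reverting to the R1-based intermediate, so the ticket has a record of what each host served at each step. `chain_report` also makes the ldap case in this thread visible at a glance: a cert from the internal CA shows an unrelated issuer on the first line rather than a GlobalSign one.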

Event Timeline

BBlack created this task.Oct 13 2016, 6:41 PM
Restricted Application removed a project: Patch-For-Review.Oct 13 2016, 6:41 PM
Zppix moved this task from Triage to TLS on the Traffic board.Oct 13 2016, 6:43 PM
Zppix moved this task from Backlog to Certificates on the HTTPS board.
BBlack updated the task description.Oct 13 2016, 6:58 PM
BBlack updated the task description.Oct 13 2016, 7:05 PM

seaborgium and serpens use certs from our internal CA, not from GlobalSign.

The ones in the puppet repo under files/ssl/ are signed by GlobalSign.... I wonder what's out of sync here?

When we set up the openldap replacement servers for the OpenDJ setup, we started with an internal cert from the beginning. From what I can tell, we probably still had the old GlobalSign cert around and this was only noticed when it recently expired: https://phabricator.wikimedia.org/T145201
I followed up on that task to remove them.

BBlack updated the task description.Oct 13 2016, 7:20 PM

These are all fixed up now I believe, except for the 3x externally-hosted sites, which still link to the R1 root....

hashar added a subscriber: hashar.Oct 13 2016, 7:25 PM
This comment was removed by hashar.
BBlack closed this task as Resolved.Oct 14 2016, 10:15 AM
BBlack claimed this task.

Resolving for now, as we've covered what we can cover here in Ops. We'll need this ticket as a reference if we (quite likely) revert to the R1-based intermediate after the 4 day window of OCSP invalidity expires.