
GlobalSign intermediate updates for one-offs
Closed, Resolved (Public)


These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:

Cert | Fixed? | Notes
is icinga, service is slapd, service is slapd[12]001; restarted exim4 Labs notes below not needed, internal, see Labs notes below

For the ones initially marked Fixed/Simple above: the service host is sshable as the same hostname the cert is obviously for, and they were fixed (after the puppet merge of the new intermediate) with:

touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart

Labs notes:
It's a simple nginx restart after the touch/puppet as above; the question is just finding the right hosts.
Instance name patterns for hosts using the certs:
Finding the current instances: root@labcontrol1001:~# source ~/; nova list --all-tenants | egrep 'tools-(proxy|static)-'
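The touch/puppet/restart step above only swaps the intermediate file the server sends; the leaf certs are not reissued. That works because the old and new intermediates are a cross-sign: the same intermediate key and subject, certified once by one root (the "R1" path the ticket refers to) and once by another. The program below, an added example that is not part of this task or of GlobalSign's or Wikimedia's code, builds that situation in memory with Go's standard crypto/x509 (demo root and intermediate names, and the hostname ldap.example.org, are assumptions made up for the example) and then asks the question a practitioner wants answered after the restart: with the intermediate the server now serves, can a client with a given trust store build a chain to the unchanged leaf?

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostname for the demo leaf; not one of the task's hosts.
const leafHost = "ldap.example.org"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal cert template; CA templates get the extensions
// Go's verifier requires of an issuing certificate, leaves get serverAuth + SAN.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// sign issues tmpl for public key pub under parent (parent == tmpl is
// self-signed), using the parent's private key, and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario models a cross-signed intermediate. "R1" and "R3" are demo labels
// (assumed for this example), not GlobalSign's actual root certificates.
type Scenario struct {
	RootR1, RootR3   *x509.Certificate
	InterR1, InterR3 *x509.Certificate // same key and subject, different issuer
	Leaf             *x509.Certificate
}

func NewScenario() *Scenario {
	r1Key, r3Key, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	r1, r3 := template("Demo Root R1", 1, true), template("Demo Root R3", 2, true)
	rootR1 := sign(r1, r1, &r1Key.PublicKey, r1Key)
	rootR3 := sign(r3, r3, &r3Key.PublicKey, r3Key)

	// The cross-sign: one template (one subject) and one public key, certified
	// by each root. Only the issuer and the signature differ between the two.
	inter := template("Demo Intermediate CA", 3, true)
	interR1 := sign(inter, rootR1, &interKey.PublicKey, r1Key)
	interR3 := sign(inter, rootR3, &interKey.PublicKey, r3Key)

	// The leaf is signed once by the intermediate's key; nothing in it records
	// which root certified that key, which is why it needs no reissue.
	leaf := sign(template(leafHost, 4, false), interR1, &leafKey.PublicKey, interKey)
	return &Scenario{RootR1: rootR1, RootR3: rootR3, InterR1: interR1, InterR3: interR3, Leaf: leaf}
}

// ChainOK reports whether a client trusting `trusted` can chain the leaf
// through the intermediate the server serves. No revocation/OCSP check here.
func ChainOK(leaf, served *x509.Certificate, trusted ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(served)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leafHost, Roots: roots, Intermediates: inters})
	return err == nil
}

func main() {
	s := NewScenario()
	fmt.Println("serve R1-signed intermediate, client trusts R1:", ChainOK(s.Leaf, s.InterR1, s.RootR1))
	fmt.Println("serve R3-signed intermediate, client trusts R3:", ChainOK(s.Leaf, s.InterR3, s.RootR3))
	fmt.Println("serve R1-signed intermediate, client trusts only R3:", ChainOK(s.Leaf, s.InterR1, s.RootR3))
	fmt.Println("serve R3-signed intermediate, client trusts only R1:", ChainOK(s.Leaf, s.InterR3, s.RootR1))
}
```

The first two cases pass and the last two fail, which is the whole point of the swap: the leaf is unchanged, and whether a client can validate it depends only on which issuer's copy of the intermediate the server sends and which roots the client holds. Note that x509.Verify does no OCSP or CRL lookups, so this check says nothing about the revocation-status problem that forced the intermediate change in the first place; for a live host the companion check is to pull the served chain with openssl s_client -showcerts and confirm the intermediate's issuer is the one you intended.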

Event Timeline

Zppix moved this task from Backlog to Certificates on the HTTPS board.

seaborgium and serpens use certs from our internal CA, not from GlobalSign.

The ones in the puppet repo under files/ssl/ are signed by GlobalSign.... I wonder what's out of sync here?

When we set up the openldap replacement servers for the OpenDJ setup, we started with an internal cert from the beginning. From what I can tell, we probably still had the old GlobalSign cert around and this was only noticed when it recently expired:
I followed up on that task to remove them.

These are all fixed up now I believe, except for the 3x externally-hosted sites, which still link to the R1 root....

This comment was removed by hashar.
BBlack claimed this task.

Resolving for now, as we've covered what we can cover here in Ops. We'll need this ticket as a reference if we (quite likely) revert to the R1-based intermediate after the 4-day window of OCSP invalidity expires.