
GlobalSign intermediate updates for one-offs
Closed, ResolvedPublic


These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:

Cert | Fixed? | Notes
 |  | is icinga
 |  | service is slapd
 |  | service is slapd[12]001; restarted exim4
 |  | Labs notes below
 |  | not needed, internal
 |  | see Labs notes below

For the ones initially marked Fixed/Simple above: the service host is reachable by ssh at the same hostname the cert is obviously for, and they were fixed (after the puppet merge of the new intermediate) with:

touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart

Labs notes:
It's a simple nginx restart after the touch/puppet as above; the question is just finding the right hosts.
Instance pattern names for hosts using the certs:
Finding the current instances:
root@labcontrol1001:~# source ~/; nova list --all-tenants | egrep 'tools-(proxy|static)-'
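The remediation above in one script, as an added example that is not part of the task or the puppet repo: it parses the `nova list` table to find the instances whose names match the pattern, prints (or, with DRY_RUN=0, runs over ssh) the exact touch/puppet/restart sequence from the description, and adds a post-fix check that prints the issuer of the cert a host actually serves, so you can confirm clients see the new intermediate rather than the old R1-chained one. The nova output is constructed sample data, and LABS_DOMAIN is an assumed suffix with a placeholder default; the task itself only gives the instance names.

```shell
#!/bin/sh
# Added example (not from the task): find the instances carrying the
# GlobalSign-signed certs and emit the task's remediation for each one.
# Nothing is executed remotely unless DRY_RUN=0 is exported.

# Constructed stand-in for `nova list --all-tenants` output; the real
# command needs the OpenStack credentials sourced before it is run.
SAMPLE_NOVA_LIST='+----------+------------------+--------+--------------------+
| ID       | Name             | Status | Networks           |
+----------+------------------+--------+--------------------+
| 0a1b2c3d | tools-proxy-01   | ACTIVE | public=10.68.16.5  |
| 1b2c3d4e | tools-static-01  | ACTIVE | public=10.68.16.6  |
| 2c3d4e5f | tools-bastion-01 | ACTIVE | public=10.68.16.7  |
| 3d4e5f6a | tools-proxy-02   | SHUTOFF| public=10.68.16.8  |
+----------+------------------+--------+--------------------+'

# Instance-name pattern from the task (names, not FQDNs).
CERT_HOST_PATTERN='^tools-(proxy|static)-'

# affected_hosts: read nova table rows from stdin and print the Name column
# of ACTIVE instances matching CERT_HOST_PATTERN, one per line. Header,
# border and non-matching rows are dropped; SHUTOFF instances are skipped
# because there is nothing to restart on them.
affected_hosts() {
    awk -F'|' -v pat="$CERT_HOST_PATTERN" '
        NF >= 5 {
            name = $3; status = $4
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", status)
            if (name ~ pat && status == "ACTIVE") print name
        }'
}

# fix_command: the sequence the task used on the fixed hosts. On Labs only
# the nginx restart matters; the apache2 restart is harmless where apache
# is absent because the commands are chained with ";" not "&&".
fix_command() {
    echo 'touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart'
}

# plan: for each affected host, print the ssh invocation (default) or run it.
# LABS_DOMAIN is an assumed suffix; "example.invalid" is a placeholder.
plan() {
    domain="${LABS_DOMAIN:-example.invalid}"
    affected_hosts | while read -r host; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "DRY-RUN: ssh root@${host}.${domain} '$(fix_command)'"
        else
            ssh "root@${host}.${domain}" "$(fix_command)"
        fi
    done
}

# served_issuer: post-fix check. Prints the issuer of the leaf cert a host
# serves on :443 so you can compare it against the intermediate you merged.
# Needs network access and openssl; not exercised by the dry-run demo.
served_issuer() {
    host="$1"
    openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Demo on the constructed sample (dry run): prints one line per affected host.
printf '%s\n' "$SAMPLE_NOVA_LIST" | plan
```

Run it with real data as `nova list --all-tenants | sh -c '. ./script.sh; plan'` after sourcing the credentials, and once a host is done, `served_issuer tools-proxy-01.<domain>` should name the new intermediate, not the old one.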

Event Timeline

BBlack created this task. Oct 13 2016, 6:41 PM
Restricted Application removed a project: Patch-For-Review. Oct 13 2016, 6:41 PM
Zppix moved this task from Triage to TLS on the Traffic board. Oct 13 2016, 6:43 PM
Zppix moved this task from Backlog to Certificates on the HTTPS board.
BBlack updated the task description. Oct 13 2016, 6:58 PM
BBlack updated the task description. Oct 13 2016, 7:05 PM

seaborgium and serpens use certs from our internal CA, not from GlobalSign.

The ones in the puppet repo under files/ssl/ are signed by GlobalSign.... I wonder what's out of sync here?

When we set up the openldap replacement servers for the OpenDJ setup, we started with an internal cert from the beginning. From what I can tell, we probably still had the old GlobalSign cert around and this was only noticed when it recently expired:
I followed up on that task to remove them.

BBlack updated the task description. Oct 13 2016, 7:20 PM

These are all fixed up now I believe, except for the 3x externally-hosted sites, which still link to the R1 root....

hashar added a subscriber: hashar. Oct 13 2016, 7:25 PM
This comment was removed by hashar.
BBlack closed this task as Resolved. Oct 14 2016, 10:15 AM
BBlack claimed this task.

Resolving for now, as we've covered what we can cover here in Ops. We'll need this ticket as a reference if we (quite likely) revert to the R1-based intermediate after the 4 day window of OCSP invalidity expires.