These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:
Cert | Fixed? | Notes |
---|---|---|
archiva.wikimedia.org.crt | Yes | Simple |
benefactorevents.wikimedia.org.crt | No | Externally-hosted |
dumps.wikimedia.org.crt | Yes | Simple |
eventdonations.wikimedia.org.crt | No | Externally-hosted |
ganglia.wikimedia.org.crt | Yes | Simple |
icinga.wikimedia.org.crt | Yes | service is icinga |
ldap-codfw.wikimedia.org.crt | Yes | serpens, service is slapd |
ldap-eqiad.wikimedia.org.crt | Yes | seaborgium, service is slapd |
librenms.wikimedia.org.crt | Yes | Simple |
lists.wikimedia.org.crt | Yes | Simple |
mail.wikimedia.org.crt | Yes | mx[12]001; restarted exim4 |
policy.wikimedia.org.crt | No | Externally-hosted |
star.tools.wmflabs.org.crt | Yes | See Labs notes below |
star.wmflabs.org.crt | Yes | Probably not needed, internal, see Labs notes below |
tendril.wikimedia.org.crt | Yes | Simple |
wikitech.wikimedia.org.crt | Yes | Simple |
For the ones initially marked Fixed/Simple above: the service host is reachable over ssh at the same hostname the cert is obviously for, and each was fixed (after the puppet merge of the new intermediate) with:
touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart
Labs notes:
It's a simple nginx restart after the touch/puppet as above; the question is just finding the right hosts:
Instance pattern names for hosts using the certs: https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#SSL_certificates
Finding the current instances: root@labcontrol1001:~# source ~/novaenv.sh; nova list --all-tenants | egrep 'tools-(proxy|static)-'
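As an added example (not part of the original task notes, and not Wikimedia's own tooling), the two steps above as offline helpers: picking the `tools-(proxy|static)-` instances out of `nova list --all-tenants` output, building the touch/puppet/restart line with the right service for each host, and then the check a practitioner wants after the restart: confirming from `openssl s_client -showcerts` output that the served chain really contains the new intermediate, compared by SHA-256 fingerprint. All hostnames, IDs and certificate bodies are constructed sample data; the PEM blocks are base64 of made-up bytes rather than real certificates, and the expected intermediate fingerprint is a placeholder that in practice would come from the intermediate file puppet installed. Python is used here rather than a shell one-liner only so the parsing and fingerprint logic can run stand-alone.

```python
import base64
import hashlib
import re

# Same pattern as the egrep in the notes above.
NOVA_PATTERN = re.compile(r"tools-(proxy|static)-")


def parse_nova_instances(nova_list_output, pattern=NOVA_PATTERN):
    """Return [(name, status), ...] for rows of `nova list` whose Name matches pattern."""
    hosts = []
    for line in nova_list_output.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[1] == "Name":
            continue  # skip the header row
        name, status = cells[1], cells[2]
        if pattern.search(name):
            hosts.append((name, status))
    return hosts


def fix_command(services=("nginx", "apache2")):
    """The touch/puppet/restart sequence from the notes; pass e.g. ("slapd",)
    or ("exim4",) for the ldap and mail hosts."""
    steps = ["touch /etc/ssl/localcerts/*.org.crt", "puppet agent -t"]
    steps += ["service %s restart" % s for s in services]
    return "; ".join(steps)


PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 fingerprint, the format
    `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def chain_fingerprints(showcerts_output):
    """Fingerprint of every PEM certificate in `openssl s_client -showcerts`
    output, in served order (leaf first)."""
    fps = []
    for body in PEM_BLOCK.findall(showcerts_output):
        der = base64.b64decode("".join(body.split()))
        fps.append(sha256_fingerprint(der))
    return fps


def chain_has_intermediate(showcerts_output, expected_fp):
    """True if the served chain includes the certificate with expected_fp,
    i.e. the restart actually picked up the new intermediate."""
    return expected_fp.upper() in chain_fingerprints(showcerts_output)


# ---- constructed sample data (not real hosts or certificates) ----

SAMPLE_NOVA_LIST = """\
+--------------------------------------+-----------------+---------+------------+-------------+------------------+
| ID                                   | Name            | Status  | Task State | Power State | Networks         |
+--------------------------------------+-----------------+---------+------------+-------------+------------------+
| 00000000-0000-0000-0000-000000000001 | tools-proxy-01  | ACTIVE  | -          | Running     | public=10.0.0.11 |
| 00000000-0000-0000-0000-000000000002 | tools-static-02 | ACTIVE  | -          | Running     | public=10.0.0.12 |
| 00000000-0000-0000-0000-000000000003 | tools-webgrid-1 | ACTIVE  | -          | Running     | public=10.0.0.13 |
| 00000000-0000-0000-0000-000000000004 | tools-proxy-02  | SHUTOFF | -          | Shutdown    | public=10.0.0.14 |
+--------------------------------------+-----------------+---------+------------+-------------+------------------+
"""


def _constructed_pem(payload):
    """Wrap made-up bytes in PEM armour so the fingerprint code has something
    to decode offline. NOT a real certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


OLD_INTERMEDIATE_DER = b"constructed: old intermediate, not real DER"
NEW_INTERMEDIATE_DER = b"constructed: new intermediate, not real DER"
LEAF_DER = b"constructed: leaf certificate, not real DER"

# Placeholder: in practice take this from the installed intermediate file with
# `openssl x509 -in <new-intermediate>.pem -noout -fingerprint -sha256`.
EXPECTED_INTERMEDIATE_FP = sha256_fingerprint(NEW_INTERMEDIATE_DER)


def _showcerts(intermediate_der):
    """Mimics the shape of `openssl s_client -connect host:443 -showcerts` output."""
    return (" 0 s:/CN=host.example (constructed)\n   i:/CN=Example Intermediate CA (constructed)\n"
            + _constructed_pem(LEAF_DER)
            + " 1 s:/CN=Example Intermediate CA (constructed)\n   i:/CN=Example Root CA (constructed)\n"
            + _constructed_pem(intermediate_der))


SHOWCERTS_BEFORE_RESTART = _showcerts(OLD_INTERMEDIATE_DER)
SHOWCERTS_AFTER_RESTART = _showcerts(NEW_INTERMEDIATE_DER)

if __name__ == "__main__":
    for name, status in parse_nova_instances(SAMPLE_NOVA_LIST):
        print("%-16s %-8s %s" % (name, status, fix_command(("nginx",))))
    print("before restart, new intermediate served:",
          chain_has_intermediate(SHOWCERTS_BEFORE_RESTART, EXPECTED_INTERMEDIATE_FP))
    print("after restart, new intermediate served: ",
          chain_has_intermediate(SHOWCERTS_AFTER_RESTART, EXPECTED_INTERMEDIATE_FP))
```

Against a live host you would feed `chain_has_intermediate` the captured output of `openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null`; a server that still serves the old intermediate after `puppet agent -t` is one whose daemon was not actually restarted, which is exactly the case the notes' `service ... restart` steps exist for.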