Description
To enable TLS termination on the appservers, we need to configure tlsproxy to run on the appservers. Since we don't want to expose the private keys of our public TLS certificates on the appservers, we need to be able to sign, for each backend cluster, a certificate similar to our unified one: it should carry the FQDN of the cluster (e.g. appservers.svc.eqiad.wmnet) as the common name and all our domains and wildcards as SANs.
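As an added, stand-alone example (not Wikimedia's puppet-wildcardsign script and not code from this task), the following does with plain openssl what the description asks for: it mints a throwaway internal CA, issues a certificate whose CN is the cluster FQDN and whose SANs are that FQDN plus the public domains and wildcards, and checks the result before it would be handed to tlsproxy. The cluster name, the internal CA and the short domain list are assumptions for illustration; the real unified certificate carries many more names.

```bash
#!/usr/bin/env bash
# Added example (not the puppet-wildcardsign script from this task): mint a
# per-cluster TLS certificate for a backend MediaWiki cluster, signed by a
# throwaway internal CA, so the public certificate's private key never leaves
# the edge. CN = cluster FQDN; SANs = the cluster FQDN plus every public domain
# and wildcard the unified certificate carries. All names are assumptions and
# the domain list is deliberately short.
set -euf   # -f: the wildcard SANs must not be glob-expanded by the shell

CLUSTER_FQDN="appservers.svc.eqiad.wmnet"
PUBLIC_SANS="wikipedia.org *.wikipedia.org *.m.wikipedia.org wikimedia.org *.wikimedia.org"

# Create a self-signed internal CA (key + cert) in directory $1.
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Internal backend CA (example)" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Write an openssl extension file to $1 describing a server certificate whose
# SANs are $2 (the cluster FQDN) followed by the remaining arguments.
write_ext_file() {
  local out="$1" fqdn="$2" san; shift 2
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=serverAuth"
    printf 'subjectAltName=DNS:%s' "$fqdn"
    for san in "$@"; do printf ',DNS:%s' "$san"; done
    echo
  } > "$out"
}

# Issue the cluster certificate in $1: fresh key, CSR with CN=$2, signed by the
# internal CA in the same directory, with the SAN list from the remaining args.
issue_cluster_cert() {
  local dir="$1" fqdn="$2"; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/cluster.key" -out "$dir/cluster.csr" 2>/dev/null
  write_ext_file "$dir/san.cnf" "$fqdn" "$@"
  openssl x509 -req -days 30 -in "$dir/cluster.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/cluster.crt" 2>/dev/null
}

# Print the DNS SANs of certificate $1, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Pre-deployment checks: the cert chains to the internal CA (and nothing else),
# the CN is the cluster FQDN, and every expected name is present as a SAN.
check_cluster_cert() {
  local dir="$1" fqdn="$2" sans name; shift 2
  openssl verify -CAfile "$dir/ca.crt" "$dir/cluster.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/cluster.crt" -noout -subject | grep -q "CN *= *$fqdn" || return 1
  sans=$(cert_sans "$dir/cluster.crt")
  for name in "$fqdn" "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$name" || return 1
  done
}

# Usage:
#   d=$(mktemp -d); make_internal_ca "$d"
#   issue_cluster_cert "$d" "$CLUSTER_FQDN" $PUBLIC_SANS
#   check_cluster_cert "$d" "$CLUSTER_FQDN" $PUBLIC_SANS && echo "cluster cert OK"
```

The SAN check is not cosmetic: a wildcard SAN matches exactly one DNS label, so `*.wikipedia.org` covers en.wikipedia.org but not en.m.wikipedia.org. The per-cluster certificate therefore has to reproduce the unified certificate's SAN list entry for entry, nested wildcards included, or some hostnames will fail verification once traffic is routed to the new TLS endpoints.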
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | • | demon | T150465 MW-1.29.0-wmf.4 deployment blockers
Resolved | • | ssastry | T151702 API cluster failure / OOM
Resolved | | Joe | T152074 Separate clusters for asynchronous processing from the ones for public consumption
Resolved | | Joe | T153042 Enable TLS termination on the MediaWiki clusters
Event Timeline
Change 326910 had a related patch set uploaded (by Giuseppe Lavagetto):
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert
Change 326910 merged by Giuseppe Lavagetto:
puppetmaster: add puppet-wildcardsign, small fixes to puppet-ecdsacert
Change 326921 merged by Giuseppe Lavagetto:
ssl: add public TLS certs for mw clusters
Change 327164 had a related patch set uploaded (by Giuseppe Lavagetto):
role::mediawiki::webserver: add hack to allow installing nginx
Change 327164 merged by Giuseppe Lavagetto:
role::mediawiki::webserver: add hack to allow installing nginx
Change 327493 had a related patch set uploaded (by Giuseppe Lavagetto):
mediawiki: add https endpoints for all web clusters in codfw
Change 327493 merged by Giuseppe Lavagetto:
mediawiki: add https endpoints for all web clusters in codfw
Mentioned in SAL (#wikimedia-operations) [2016-12-15T20:13:22Z] <_joe_> restarting pybal low-traffic in eqiad to pick up new TLS endpoints for appservers, T153042