This task will track the conversion of wikitech from a GlobalSign paid certificate to a free LetsEncrypt certificate. This must be completed by the expiry date of the current certificate, which is 2017-02-24.
This particular certificate was listed on T133717 as a candidate for conversion to LE.
While this certificate initially appears to be a valid candidate to convert from GlobalSign to LetsEncrypt, it appears (after some IRC discussion with @Krenair) that labs instances, which contact the wikitech.w.o domain, use ruby-httpclient. ruby-httpclient has its own list of trusted roots; this patch overrides it to use the system's.
Alex has also prepared a patch to fix the trust issue: https://gerrit.wikimedia.org/r/#/c/311048/ - this has been merged live by @akosiaris on 2017-01-11.
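The trust issue described above, as an added example that is not part of the original task or the Gerrit patch: a client that validates against its own root list rejects a certificate from a new issuer, while the same certificate validates against a store that includes that issuer. The CA names, the `wikitech.example` host and the helpers `make_cert`, `store_with`, `check` and `demo` are constructed for illustration, and the example assumes the private list lacks the new issuer's root.

```ruby
require "openssl"

# Issue a certificate; with no issuer given it is a self-signed CA root.
def make_cert(cn, issuer = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  constraint = issuer ? "CA:FALSE" : "CA:TRUE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Build a trust store holding exactly the given roots.
def store_with(*roots)
  store = OpenSSL::X509::Store.new
  roots.each { |root| store.add_cert(root) }
  store
end

# Returns [ok, error_string] for verifying `leaf` against `store`.
def check(store, leaf)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

# Constructed scenario: the site moves from the old issuer to a new one.
def demo
  old_root, old_key = make_cert("Constructed Old Root")
  new_root, new_key = make_cert("Constructed New Root")
  old_leaf, = make_cert("wikitech.example", old_root, old_key)
  new_leaf, = make_cert("wikitech.example", new_root, new_key)
  bundled = store_with(old_root)            # client library's private root list
  system  = store_with(old_root, new_root)  # stands in for the OS trust store
  { bundled_old: check(bundled, old_leaf),
    bundled_new: check(bundled, new_leaf),
    system_new:  check(system, new_leaf) }
end

demo.each { |name, (ok, err)| puts "#{name}: #{ok ? 'trusted' : 'rejected'} (#{err})" } if __FILE__ == $0
```

Running the same kind of check from a labs instance against the real endpoint before the maintenance window shows whether any client still validates against a private root list.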
Alex also prepared the LE conversion patch - https://gerrit.wikimedia.org/r/#/c/331638/ - this cannot be merged until we plan a maint window with the labs team, since it could require a restart of the labs puppetmaster or of other associated labs services that interact with wikitech via its certificate.
This task was escalated to @Andrew in labs for review on 2017-01-11 by @RobH. Andrew was involved in past wikitech updates (if @RobH recalls correctly). If another labs person should be involved, please update and reassign!