
convert tendril to use Letsencrypt for SSL cert (deadline 2017-03-17)
Closed, ResolvedPublic

Description

This subtask is for converting tendril.wikimedia.org to use Letsencrypt instead of the current commercial cert.

Event Timeline

Dzahn renamed this task from "convert tendril to use Letsencrypt for SSL cert" to "convert tendril to use Letsencrypt for SSL cert (deadline 2017-03-17)". Jan 9 2017, 8:41 PM
Dzahn created this task.

Change 331085 had a related patch set uploaded (by Dzahn):
ganglia: use Letsencrypt for SSL cert

https://gerrit.wikimedia.org/r/331085

Change 331085 merged by Dzahn:
ganglia: use Letsencrypt for SSL cert

https://gerrit.wikimedia.org/r/331085

Screenshot from 2017-01-09 17-39-02.png (548×646 px, 60 KB)

@jcrespo Tendril is now switched over to Letsencrypt.

I double-checked the LDAP auth part after the Apache changes as you requested as well.

curl -vvv https://tendril.wikimedia.org
* Rebuilt URL to: https://tendril.wikimedia.org/
*   Trying 208.80.155.119...
* Connected to tendril.wikimedia.org (208.80.155.119) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: tendril.wikimedia.org (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=tendril.wikimedia.org
* 	 start date: Tue, 10 Jan 2017 00:33:00 GMT
* 	 expire date: Mon, 10 Apr 2017 00:33:00 GMT
* 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: tendril.wikimedia.org
> User-Agent: curl/7.50.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Tue, 10 Jan 2017 01:40:02 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< WWW-Authenticate: Basic realm="WMF Labs (use wiki login name not shell) - nda/ops/wmf"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host tendril.wikimedia.org left intact
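A post-switch check of the kind done by hand above, as an added example that is not part of this task or of Wikimedia's puppet code: it parses a constructed, trimmed copy of the curl -vvv transcript and confirms that the issuer is Let's Encrypt, the CN matches the host, the certificate is inside its validity window with renewal not yet due, HSTS is sent, and an unauthenticated request is still rejected with 401 (the LDAP auth part). Host names and the 30-day renewal threshold are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, trimmed copy of the curl -vvv transcript posted in this task.
CURL_TRANSCRIPT = """\
* \t common name: tendril.wikimedia.org (matched)
* \t start date: Tue, 10 Jan 2017 00:33:00 GMT
* \t expire date: Mon, 10 Apr 2017 00:33:00 GMT
* \t issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
< HTTP/1.1 401 Unauthorized
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< WWW-Authenticate: Basic realm="WMF Labs (use wiki login name not shell) - nda/ops/wmf"
"""

def parse_transcript(text):
    """Pull certificate fields, response headers and the HTTP status out of curl -v output."""
    facts = {}
    for line in text.splitlines():
        m = (re.match(r"\*\s+(common name|start date|expire date|issuer): (.*)", line)
             or re.match(r"< ([\w-]+): (.*)", line))
        if m:
            facts[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith("< HTTP/"):
            facts["status"] = int(line.split()[2])
    return facts

def parse_curl_date(value):
    """curl prints e.g. 'Tue, 10 Jan 2017 00:33:00 GMT'; treat it as UTC."""
    return datetime.strptime(value.replace(" GMT", ""), "%a, %d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)

def check_migration(facts, host, now, renew_within=timedelta(days=30)):
    """Return findings for a host switched to Let's Encrypt; an empty list means every check passed."""
    findings = []
    if "Let's Encrypt" not in facts.get("issuer", ""):
        findings.append("issuer is not Let's Encrypt: %r" % facts.get("issuer"))
    if facts.get("common name", "").split(" ")[0] != host:
        findings.append("certificate CN does not match %s" % host)
    if "start date" in facts and "expire date" in facts:
        not_before, not_after = (parse_curl_date(facts[k]) for k in ("start date", "expire date"))
        if not not_before <= now <= not_after:
            findings.append("certificate not valid at %s" % now.isoformat())
        elif not_after - now < renew_within:   # Let's Encrypt certs last 90 days; renewal must be automated
            findings.append("certificate expires within %d days; check ACME renewal" % renew_within.days)
    hsts = re.search(r"max-age=(\d+)", facts.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < 31536000:
        findings.append("HSTS header missing or max-age below one year")
    if facts.get("status") != 401:   # anonymous request must still be challenged for credentials
        findings.append("anonymous request was not rejected with 401; check the LDAP auth config")
    return findings
```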

Dzahn removed a project: Patch-For-Review.
Dzahn added a project: DBA.

So everything is fine on einsteinium, which is still prod, just (unsurprisingly) it doesn't work on dbmonitor1001/2001 which are going to replace einsteinium as the home of tendril soon.

Since they already use the role in site.pp that means there is currently a puppet error on them. I ACKed it in Icinga but will add something better like a Hiera setting to switch the active server around or something. It can only work on the host that actually has the DNS name tendril.

Just reopened for that follow-up task on dbmonitor. Still resolved on einsteinium, can be considered done for tracking task, old cert can be removed...

Change 331430 had a related patch set uploaded (by Dzahn):
disable Letsencrypt cert (do_acme: false) on dbmonitor*

https://gerrit.wikimedia.org/r/331430

What about doing the same thing as https://gerrit.wikimedia.org/r/#/c/331242/ ?

You are right, thanks :) Doing that.

Change 331430 merged by Dzahn:
disable Letsencrypt cert (do_acme: false) on dbmonitor*

https://gerrit.wikimedia.org/r/331430

Thank you for working on this.

Change 331534 had a related patch set uploaded (by Dzahn):
delete tendril.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/331534

Change 331534 merged by Dzahn:
delete tendril.wikimedia.org SSL cert

https://gerrit.wikimedia.org/r/331534