Page MenuHomePhabricator
Create Task
Maniphest T160187

ssl certificate/key update: *.tools.wmflabs.org (expires on 2017-03-24)
Closed, ResolvedPublic
Actions

Description

This task will track the implementation of the new private key and certificate for *.tools.wmflabs.org.

The private key is in the private repo, with the filename of new.star.tools.wmflabs.org.key. The new certificate will be staged in gerrit, but not merged, with the proper filename.

When it is time to merge these, the private repo file will have to rename/replace the existing star.tools.wmflabs.org.key.

Typical checklist for this kind of SSL certificate/key update:

  • - stage new private key in private repo with new.star.tools.wmflabs.org.key filename
  • - stage new certificate in gerrit https://gerrit.wikimedia.org/r/#/c/342254/
  • - halt puppet on affected hosts
  • - merge in gerrit patchset - https://gerrit.wikimedia.org/r/#/c/342254/
  • - git mv new.star.tools.wmflabs.org.key to replace existing(old) star.tools.wmflabs.org.key file in private repo
  • - run puppet on affected hosts and ensure affected services accept update without error (this one is the step that can go horribly wrong.)

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+29 -29new cert for *.tools.wmflabs.org
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Unknown Object (Task)
 ResolvedyuvipandaT160187 ssl certificate/key update: *.tools.wmflabs.org (expires on 2017-03-24)

Event Timeline

RobH created this task.Mar 10 2017, 6:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2017, 6:16 PM
RobH added a comment.Mar 10 2017, 6:19 PM

I'm willing to assist on this as needed. For other changes, we typically do the checklist as follows:

  • - stage new private key in private repo with new.filename
  • - stage new certificate in gerrit
  • - halt puppet on affected hosts
  • - merge in gerrit patchset
  • - git mv new.star.tools.wmflabs.org.key to replace existing(old) star.tools.wmflabs.org.key file in private repo
  • - run puppet on affected hosts and ensure affected services accept update without error (this one is the step that can go horribly wrong.)
RobH removed yuvipanda as the assignee of this task.Mar 10 2017, 6:20 PM
RobH claimed this task.
RobH updated the task description. (Show Details)
RobH mentioned this in Unknown Object (Task).Mar 10 2017, 6:33 PM
gerritbot added a subscriber: gerritbot.Mar 10 2017, 6:57 PM

Change 342254 had a related patch set uploaded (by RobH):
[operations/puppet] new cert for *.tools.wmflabs.org

https://gerrit.wikimedia.org/r/342254

gerritbot added a project: Patch-For-Review.Mar 10 2017, 6:57 PM
RobH reassigned this task from RobH to yuvipanda.Mar 10 2017, 6:58 PM
RobH updated the task description. (Show Details)
gerritbot added a comment.Mar 23 2017, 9:49 PM

Change 342254 merged by Madhuvishy:
[operations/puppet@production] new cert for *.tools.wmflabs.org

https://gerrit.wikimedia.org/r/342254

madhuvishy closed this task as Resolved.Mar 23 2017, 10:36 PM
madhuvishy added a subscriber: madhuvishy.

Is done now!

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:37 PM
Bstorm mentioned this in T206223: *.wmflabs.org cert needs renewing.Oct 4 2018, 3:09 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL