Probably this should be moved to LE.
Description
Details
Project | Branch | Lines +/- | Subject
---|---|---|---
operations/puppet | production | +15 -15 | renew labvirt-star.eqiad.wmnet cert
operations/puppet | production | +26 -9 | nagios_common: fix/enhance check_ssl_certfile plugin
Related Objects
Event Timeline
we won't be able to move this to LE since it's in .wmnet and LE isn't allowed to sign non-public certs. [1] [2]
"http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed." though "dns-01 should work in this scenario."
[1] https://community.letsencrypt.org/t/certificates-for-hosts-on-private-networks/174
[2] https://community.letsencrypt.org/t/securing-private-intranet-sites/1473/21
related tickets for this renewal in the past: T96291, T116332
wow, only 2 days left? ouch, raising priority.
openssl x509 -enddate -noout -in labvirt-star.eqiad.wmnet.crt
notAfter=Apr 5 19:36:12 2017 GMT
this should have been CRIT and not just WARN in Icinga. (see linked monitoring ticket?)
also it just says "under 90 days" and used to show the actual date. (monitoring for certs changed?)
Change 346236 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin
Change 346236 merged by Dzahn:
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin
Change 346356 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert
Mentioned in SAL (#wikimedia-operations) [2017-04-04T21:12:40Z] <mutante> revoked old labvirt-star.eqiad.wmnet cert - created new csr, signed it (CA: wmf_ca_2014_2017). deploying new labvirt-star.eqiad valid for 720 days (T162085)
Change 346356 merged by Dzahn:
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert
tested on labvirt1014 first, then deployed on all.
TLDR:
[puppetmaster1001:/srv/private/modules/secret/secrets/ssl] $
- revoke old cert: sudo openssl ca -config openssl.cnf -revoke ../labvirt-star.eqiad.wmnet.crt
- create new csr with existing key: sudo openssl req -config openssl.cnf -new -key ../labvirt-star.eqiad.wmnet.key -out ../labvirt-star.eqiad.wmnet.csr -sha256
- sign new csr: sudo openssl ca -config openssl.cnf -in ../labvirt-star.eqiad.wmnet.csr -out ../labvirt-star.eqiad.wmnet.crt -days 720
- git commit all the changed files in the private repo, except the .crt file; download that one to the public repo and replace it there instead
- run puppet on labvirt: [neodymium:~] $ sudo salt 'labvirt10*' cmd.run 'puppet agent -tv'
- confirm all green again https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=kvm
@labvirt1014:~# openssl x509 -in /etc/ssl/localcerts/labvirt-star.eqiad.wmnet.crt -text -noout | grep After
Not After : Mar 25 21:00:52 2019 GMT
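The thread's two monitoring complaints (a cert with two days left only raised WARN, and the alert text said "under 90 days" instead of the real date) come down to threshold logic in the expiry check. The following is an added example written for this page, not the ticket's code and not the check_ssl_certfile plugin from the puppet repo. It takes the `notAfter=` line that `openssl x509 -enddate -noout -in <cert>` prints (the form shown above), computes the remaining days against a supplied "now", and returns Nagios-style exit codes with the actual expiry date in the message. The two-tier thresholds (90 days WARN, 30 days CRIT), the function names and the sample timestamps are assumptions chosen for illustration; the two `notAfter` values are the ones quoted in the ticket.

```python
"""Expiry-threshold logic for a certificate check fed by
`openssl x509 -enddate -noout -in <cert>` (added example, not the
check_ssl_certfile plugin itself). Thresholds and names are assumptions."""
from datetime import datetime, timezone

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def parse_not_after(line):
    """Parse `notAfter=Mon DD HH:MM:SS YYYY GMT` into an aware UTC datetime.

    openssl pads single-digit days with a space ("Apr  5"); splitting on
    whitespace tolerates that without relying on strptime's handling of it.
    """
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("expected a notAfter= line, got: %r" % line)
    parts = value.split()
    if len(parts) != 5 or parts[4] not in ("GMT", "UTC"):
        raise ValueError("unexpected date format: %r" % value)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_now(now_iso):
    """Parse a UTC timestamp like 2017-04-03T00:00:00Z (assumed input form)."""
    return datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_expiry(line, now_iso, warn_days=90, crit_days=30):
    """Return (exit_code, message) for the certificate's remaining lifetime.

    Anything inside crit_days (or already expired) is CRITICAL, so a cert
    with two days left is not reported as a mere WARNING.
    """
    try:
        not_after = parse_not_after(line)
        now = parse_now(now_iso)
    except ValueError as exc:
        return UNKNOWN, "UNKNOWN - %s" % exc
    days_left = (not_after - now).days  # floored; negative once expired
    expiry = not_after.strftime("%Y-%m-%d %H:%M:%S UTC")
    if days_left < 0:
        return CRITICAL, "CRITICAL - certificate expired on %s (%d days ago)" % (expiry, -days_left)
    state = OK
    if days_left < crit_days:
        state = CRITICAL
    elif days_left < warn_days:
        state = WARNING
    return state, "%s - certificate expires in %d days (%s)" % (STATE_NAMES[state], days_left, expiry)


if __name__ == "__main__":
    # Constructed sample inputs: the old and the renewed notAfter values
    # quoted in the ticket, evaluated as of 2017-04-03 (an assumed date).
    for sample in ("notAfter=Apr  5 19:36:12 2017 GMT",
                   "notAfter=Mar 25 21:00:52 2019 GMT",
                   "notBefore=Apr  5 19:36:12 2015 GMT"):
        code, msg = check_expiry(sample, "2017-04-03T00:00:00Z")
        print(code, msg)
```

Usage: pipe `openssl x509 -enddate -noout -in /etc/ssl/localcerts/<cert>.crt` into `check_expiry` with the current UTC time and use the returned code as the plugin's exit status; the message then always carries the concrete expiry date rather than only a threshold label.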