
labvirt-star.eqiad.wmnet.crt expiring soon
Closed, Resolved (Public)


Probably this should be moved to LE.

Event Timeline

we won't be able to move this to LE since it's in .wmnet and LE isn't allowed to sign non-public certs. [1] [2]

" http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed." though "dns-01 should work in this scenario."


related tickets for this renewal in the past: T96291, T116332

Dzahn triaged this task as High priority. Apr 4 2017, 1:40 AM

wow, only 2 days left? ouch, raising priority.

openssl x509 -enddate -noout -in labvirt-star.eqiad.wmnet.crt
notAfter=Apr 5 19:36:12 2017 GMT

this should have been CRIT and not just WARN in Icinga. (see linked monitoring ticket?)

also it just says "under 90 days" and used to show the actual date. (monitoring for certs changed?)
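The two monitoring complaints above (WARN where CRIT was due, and no actual expiry date in the output) are easy to demonstrate with a small Nagios-style check. The script below is an added example, not the check_ssl_certfile plugin from operations/puppet: it prints the real notAfter date and the days remaining, and separates WARNING from CRITICAL. The thresholds (90 and 7 days), exit codes and function names are assumptions made for this example; it depends only on openssl(1), using -checkend for the date arithmetic so no GNU date(1) is required.

```shell
#!/bin/sh
# Added example, not the check_ssl_certfile plugin from operations/puppet.
# Nagios-style expiry check for a PEM certificate file using only openssl(1).
# Exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (thresholds below are assumed).

WARN_DAYS="${WARN_DAYS:-90}"   # warn when fewer than this many days remain
CRIT_DAYS="${CRIT_DAYS:-7}"    # critical when fewer than this many days remain

# Print the notAfter field of the certificate in $1, as openssl formats it.
cert_not_after() {
    openssl x509 -enddate -noout -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Succeed if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# Whole days until expiry, found by bisecting -checkend over 0..3650 days
# (certificates valid for longer report 3650). Prints -1 once expired.
cert_days_left() {
    cert_valid_for_days "$1" 0 || { echo -1; return 0; }
    lo=0; hi=3650
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if cert_valid_for_days "$1" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Check one certificate file: print a status line carrying the real expiry
# date and return the Nagios exit code.
check_ssl_certfile() {
    file="$1"
    [ -r "$file" ] || { echo "UNKNOWN - cannot read $file"; return 3; }
    not_after=$(cert_not_after "$file")
    [ -n "$not_after" ] || { echo "UNKNOWN - $file is not a PEM X.509 certificate"; return 3; }
    days=$(cert_days_left "$file")
    if [ "$days" -lt 0 ]; then
        echo "CRITICAL - $file has expired (notAfter=$not_after)"; return 2
    elif [ "$days" -lt "$CRIT_DAYS" ]; then
        echo "CRITICAL - $file expires in $days day(s) (notAfter=$not_after)"; return 2
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        echo "WARNING - $file expires in $days day(s) (notAfter=$not_after)"; return 1
    fi
    echo "OK - $file expires in $days day(s) (notAfter=$not_after)"; return 0
}

# Usage: sh check_ssl_certfile.sh /etc/ssl/localcerts/labvirt-star.eqiad.wmnet.crt
if [ "$#" -gt 0 ]; then
    check_ssl_certfile "$1"
    exit $?
fi
```

With the assumed thresholds a certificate two days from expiry, like the one in this task, lands in CRITICAL rather than WARNING, and the status line still shows the notAfter date so nobody has to run openssl by hand to find it.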

Change 346236 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin

Change 346236 merged by Dzahn:
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin

Change 346356 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert

Mentioned in SAL (#wikimedia-operations) [2017-04-04T21:12:40Z] <mutante> revoked old labvirt-star.eqiad.wmnet cert - created new csr, signed it (CA: wmf_ca_2014_2017). deploying new labvirt-star.eqiad valid for 720 days (T162085)

Change 346356 merged by Dzahn:
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert

tested on labvirt1014 first, then deployed on all.


[puppetmaster1001:/srv/private/modules/secret/secrets/ssl] $

  • revoke old cert: sudo openssl ca -config openssl.cnf -revoke ../labvirt-star.eqiad.wmnet.crt
  • create new csr with existing key: sudo openssl req -config openssl.cnf -new -key ../labvirt-star.eqiad.wmnet.key -out ../labvirt-star.eqiad.wmnet.csr -sha256
  • sign new csr: sudo openssl ca -config openssl.cnf -in ../labvirt-star.eqiad.wmnet.csr -out ../labvirt-star.eqiad.wmnet.crt -days 720
  • git commit all the changed files in the private repo, except the .crt file; download that to the public repo and replace it there instead
  • run puppet on labvirt: [neodymium:~] $ sudo salt 'labvirt10*' 'puppet agent -tv'
  • confirm all green again
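The openssl ca steps above (revoke, new CSR from the existing key, sign) can be rehearsed end to end without touching the real CA. The script below is an added example, not Wikimedia's puppet/private tooling: it builds a throwaway CA in a temp directory, issues a short-lived certificate, renews it for 720 days exactly as listed, and then runs the checks worth doing before "confirm all green again": the new cert verifies against the CA, it carries the public half of the unchanged host key, and the old serial is marked revoked in the CA index. The CA layout, the openssl.cnf contents and the hostname labvirt-star.example.test are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Wikimedia's puppet/private tooling: the renewal steps from
# the comment above, exercised against a throwaway CA in a temp directory.
# The CA layout, openssl.cnf contents and the hostname are assumptions.
set -e

# Minimal openssl-ca(1) directory: self-signed CA, empty index.txt (the database
# that -revoke marks entries in), a serial counter and the config they hang off.
setup_demo_ca() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 720
default_crl_days = 30
policy = policy_any
x509_extensions = v3_leaf
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 -subj "/CN=Demo CA" >/dev/null 2>&1
}

# "create new csr with existing key": CSR for CN $4, signed with key $2, written to $3.
make_csr() {
    openssl req -config "$1/openssl.cnf" -new -key "$2" -out "$3" -sha256 -subj "/CN=$4" >/dev/null 2>&1
}

# "sign new csr": the CA signs CSR $2 into $3, valid for $4 days.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days "$4" >/dev/null 2>&1
}

# "revoke old cert": mark the serial of $2 as R in the CA index. With the default
# unique_subject=yes, revoking first is what lets the CA re-issue for the same
# subject; the host key is kept, so hosts only need the new .crt.
revoke_cert() {
    openssl ca -batch -config "$1/openssl.cnf" -revoke "$2" >/dev/null 2>&1
}

# The renewal sequence from the comment: revoke, new CSR from the existing key, sign.
renew_cert() {   # renew_cert CADIR KEY OLDCRT CSR NEWCRT DAYS CN
    revoke_cert "$1" "$3"
    make_csr "$1" "$2" "$4" "$7"
    sign_csr "$1" "$4" "$5" "$6"
}

# Checks worth running before "confirm all green again":
cert_verifies() {      # cert $2 chains to the CA in $1
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
cert_matches_key() {   # cert $1 carries the public half of key $2 (no accidental key swap)
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
cert_is_revoked() {    # serial of cert $2 has status R in the tab-separated CA index of $1
    serial=$(openssl x509 -noout -serial -in "$2" | sed 's/^serial=//')
    awk -F'\t' -v s="$serial" '$1 == "R" && $4 == s { found = 1 } END { exit !found }' "$1/index.txt"
}

# End-to-end demo: issue a one-day cert, renew it for 720 days, print the work dir.
demo_renewal() {
    work=$(mktemp -d)
    cn="labvirt-star.example.test"   # assumed hostname standing in for labvirt-star.eqiad.wmnet
    setup_demo_ca "$work/ca"
    openssl genrsa -out "$work/host.key" 2048 >/dev/null 2>&1
    make_csr "$work/ca" "$work/host.key" "$work/host.csr" "$cn"
    sign_csr "$work/ca" "$work/host.csr" "$work/old.crt" 1
    renew_cert "$work/ca" "$work/host.key" "$work/old.crt" "$work/host.csr" "$work/new.crt" 720 "$cn"
    echo "$work"
}
```

Source the file and call demo_renewal; it prints the temp directory holding ca/, host.key, old.crt and new.crt, and cert_verifies, cert_matches_key and cert_is_revoked can then be pointed at those files (or at a real cert and key) to check the outcome before deploying.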
Dzahn edited projects, added SRE; removed Patch-For-Review.

@labvirt1014:~# openssl x509 -in /etc/ssl/localcerts/labvirt-star.eqiad.wmnet.crt -text -noout | grep After

Not After : Mar 25 21:00:52 2019 GMT