
labvirt-star.eqiad.wmnet.crt expiring soon
Closed, Resolved · Public

Description

Probably this should be moved to LE.

Details

Related Gerrit Patches:
operations/puppet : production · renew labvirt-star.eqiad.wmnet cert
operations/puppet : production · nagios_common: fix/enhance check_ssl_certfile plugin

Event Timeline

Andrew created this task. Apr 3 2017, 7:31 PM
Restricted Application added a subscriber: Aklapper. Apr 3 2017, 7:31 PM
Dzahn claimed this task. Apr 4 2017, 1:29 AM
Dzahn added a comment. Apr 4 2017, 1:36 AM

we won't be able to move this to LE since it's in .wmnet and LE isn't allowed to sign non-public certs. [1] [2]

" http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed." though "dns-01 should work in this scenario."

[1] https://community.letsencrypt.org/t/certificates-for-hosts-on-private-networks/174
[2] https://community.letsencrypt.org/t/securing-private-intranet-sites/1473/21

related tickets for this renewal in the past: T96291, T116332

Dzahn triaged this task as High priority. Apr 4 2017, 1:40 AM

wow, only 2 days left? ouch, raising priority.

openssl x509 -enddate -noout -in labvirt-star.eqiad.wmnet.crt
notAfter=Apr 5 19:36:12 2017 GMT

this should have been CRIT and not just WARN in Icinga. (see linked monitoring ticket?)

also it just says "under 90 days" and used to show the actual date. (monitoring for certs changed?)

Change 346236 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin

https://gerrit.wikimedia.org/r/346236

Change 346236 merged by Dzahn:
[operations/puppet@production] nagios_common: fix/enhance check_ssl_certfile plugin

https://gerrit.wikimedia.org/r/346236

Change 346356 had a related patch set uploaded (by Dzahn):
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert

https://gerrit.wikimedia.org/r/346356

Mentioned in SAL (#wikimedia-operations) [2017-04-04T21:12:40Z] <mutante> revoked old labvirt-star.eqiad.wmnet cert - created new csr, signed it (CA: wmf_ca_2014_2017). deploying new labvirt-star.eqiad valid for 720 days (T162085)

Change 346356 merged by Dzahn:
[operations/puppet@production] renew labvirt-star.eqiad.wmnet cert

https://gerrit.wikimedia.org/r/346356

Dzahn added a comment. Apr 4 2017, 9:26 PM

tested on labvirt1014 first, then deployed on all.

TLDR:

[puppetmaster1001:/srv/private/modules/secret/secrets/ssl] $

  • revoke old cert: sudo openssl ca -config openssl.cnf -revoke ../labvirt-star.eqiad.wmnet.crt
  • create new csr with existing key: sudo openssl req -config openssl.cnf -new -key ../labvirt-star.eqiad.wmnet.key -out ../labvirt-star.eqiad.wmnet.csr -sha256
  • sign new csr: sudo openssl ca -config openssl.cnf -in ../labvirt-star.eqiad.wmnet.csr -out ../labvirt-star.eqiad.wmnet.crt -days 720
  • git commit all the changed files in the private repo, except the .crt file; download that to the public repo and replace it there instead
  • run puppet on labvirt: [neodymium:~] $ sudo salt 'labvirt10*' cmd.run 'puppet agent -tv'
  • confirm all green again https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=kvm
Dzahn closed this task as Resolved. Apr 4 2017, 9:27 PM
Dzahn edited projects, added Operations; removed Patch-For-Review.

@labvirt1014:~# openssl x509 -in /etc/ssl/localcerts/labvirt-star.eqiad.wmnet.crt -text -noout | grep After

Not After : Mar 25 21:00:52 2019 GMT
Dzahn added a subscriber: akosiaris. Apr 4 2017, 9:29 PM
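The following is an added example and not a script from this task or from the operations/puppet repository. It reproduces, against a throwaway CA built in a temporary directory, the two things the thread turns on: the TL;DR renewal procedure (revoke the old cert in the CA database, build a new CSR from the existing key, sign it for 720 days) and the WARN-versus-CRIT expiry check the triage comment asks for. The CA layout, the 90-day WARN and 7-day CRIT thresholds, and the CN `labvirt-star.eqiad.wmnet` with a matching SAN are assumptions; the real cert's subject and SANs are not shown on the page, and the real CA (`wmf_ca_2014_2017`) and its openssl.cnf are not reproduced here. It also publishes a CRL and verifies the old certificate against it, which the task does not mention but which is the only way a revocation done with `openssl ca -revoke` becomes visible to anyone else.

```shell
#!/bin/sh
# Added example, not the task's own scripts: a throwaway CA reproducing the TL;DR
# renewal flow (revoke, new CSR with the existing key, sign for 720 days) plus a
# Nagios-style WARN/CRIT expiry check. Host name, paths and thresholds are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
CNF="$CADIR/openssl.cnf"
HOST=labvirt-star.eqiad.wmnet       # assumed CN; the real cert's subject/SANs are not on the page
KEY="$WORK/$HOST.key"
OLD="$WORK/$HOST.old.crt"
NEW="$WORK/$HOST.crt"

setup_ca() {
  mkdir -p "$CADIR/newcerts"
  : > "$CADIR/index.txt"
  echo 1000 > "$CADIR/serial"
  echo 1000 > "$CADIR/crlnumber"
  # "\$dir" is left for OpenSSL to expand; $CADIR and $HOST are expanded by the shell.
  cat > "$CNF" <<EOF
[ ca ]
default_ca = toy_ca

[ toy_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 720
default_crl_days = 30
policy           = loose
x509_extensions  = server_ext
unique_subject   = no

[ loose ]
commonName = supplied

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=toy internal CA" -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
}

# CSR from an existing key ($1), signed by the toy CA into $2 for $3 days.
issue_cert() {
  openssl req -config "$CNF" -new -key "$1" -subj "/CN=$HOST" -sha256 -out "$WORK/req.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -in "$WORK/req.csr" -out "$2" -days "$3" 2>/dev/null
}

# The TL;DR steps: revoke old cert $1, re-use key $2 for a new CSR, sign for 720 days into $3,
# then publish a CRL so relying parties can actually see the revocation.
renew_cert() {
  openssl ca -config "$CNF" -revoke "$1" 2>/dev/null
  issue_cert "$2" "$3" 720
  openssl ca -config "$CNF" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}

# Expiry state of cert $1 with WARN at $2 days and CRIT at $3 days.
# "openssl x509 -checkend N" exits non-zero when the cert expires within N seconds.
expiry_state() {
  if ! openssl x509 -noout -in "$1" -checkend $(( $3 * 86400 )) >/dev/null; then echo CRIT
  elif ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null; then echo WARN
  else echo OK; fi
}

# Chain $1 to the toy CA and consult its CRL, so a revoked-but-unexpired cert is rejected.
verify_against_crl() {
  openssl verify -CAfile "$CADIR/ca.crt" -CRLfile "$CADIR/ca.crl" -crl_check "$1" >/dev/null 2>&1
}

# True when $1 and $2 carry the same public key, i.e. the key was re-used, not rotated.
same_public_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

setup_ca
openssl genrsa -out "$KEY" 2048 2>/dev/null
issue_cert "$KEY" "$OLD" 1            # stand-in for the cert found a couple of days from expiry
echo "before: $(expiry_state "$OLD" 90 7) $(openssl x509 -noout -enddate -in "$OLD")"
renew_cert "$OLD" "$KEY" "$NEW"
echo "after:  $(expiry_state "$NEW" 90 7) $(openssl x509 -noout -enddate -in "$NEW")"
```

Two points the script makes explicit that the ticket's bullet list leaves implicit: the new certificate shares the old one's public key, so if the key itself was ever the problem this procedure does not help, and `openssl ca -revoke` only edits the CA's index.txt, so nothing rejects the old certificate until a CRL (or OCSP) is generated and distributed. The `-checkend` form of the check is also worth preferring over parsing `notAfter` by hand, since it sidesteps date-format and timezone mistakes in the monitoring plugin.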