Probably this should be moved to LE.
we won't be able to move this to LE since it's in .wmnet and LE isn't allowed to sign non-public certs.  
"http-01 and tls-sni-01 need the domain to be publicly accessible in order for the verification to succeed." though "dns-01 should work in this scenario."
wow, only 2 days left? ouch, raising priority.
openssl x509 -enddate -noout -in labvirt-star.eqiad.wmnet.crt
notAfter=Apr 5 19:36:12 2017 GMT
this should have been CRIT and not just WARN in Icinga. (see linked monitoring ticket?)
also it just says "under 90 days" and used to show the actual date. (monitoring for certs changed?)
tested on labvirt1014 first, then deployed on all.
- revoke old cert: sudo openssl ca -config openssl.cnf -revoke ../labvirt-star.eqiad.wmnet.crt
- create new csr with existing key: sudo openssl req -config openssl.cnf -new -key ../labvirt-star.eqiad.wmnet.key -out ../labvirt-star.eqiad.wmnet.csr -sha256
- sign new csr: sudo openssl ca -config openssl.cnf -in ../labvirt-star.eqiad.wmnet.csr -out ../labvirt-star.eqiad.wmnet.crt -days 720
- git commit all the changed files in the private repo, except the .crt file; download that to the public repo and replace it there instead
- run puppet on labvirt: [neodymium:~] $ sudo salt 'labvirt10*' cmd.run 'puppet agent -tv'
- confirm all green again https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=kvm
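
Added example, not part of the ticket comments or of the actual Icinga check: a small expiry classifier over the `openssl x509 -enddate -noout` output quoted above, which escalates to CRITICAL when little time is left and always prints the real expiry date. The 14-day critical threshold and the function names are assumptions; only "under 90 days" comes from the ticket.

```python
import subprocess
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios/Icinga plugin exit codes
# Assumed thresholds: the ticket only mentions "under 90 days" for the warning.
WARN_DAYS = 90
CRIT_DAYS = 14  # hypothetical value, not taken from the ticket


def parse_enddate(line):
    """Parse 'notAfter=Apr  5 19:36:12 2017 GMT' into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError("not an -enddate line: %r" % line)
    # openssl pads single-digit days with a space; strptime tolerates that.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def check_expiry(enddate_line, now, warn_days=WARN_DAYS, crit_days=CRIT_DAYS):
    """Return (exit_code, message); the message always carries the real date."""
    try:
        not_after = parse_enddate(enddate_line)
    except ValueError as exc:
        return UNKNOWN, "UNKNOWN - %s" % exc
    remaining = not_after - now
    stamp = not_after.strftime("%Y-%m-%d %H:%M:%S UTC")
    if remaining.total_seconds() <= 0:
        return CRITICAL, "CRITICAL - certificate expired on %s" % stamp
    days = remaining.days
    if days < crit_days:
        return CRITICAL, "CRITICAL - expires %s (%d days left)" % (stamp, days)
    if days < warn_days:
        return WARNING, "WARNING - expires %s (%d days left)" % (stamp, days)
    return OK, "OK - expires %s (%d days left)" % (stamp, days)


def check_file(path, now=None):
    """Run the same openssl command as in the ticket against a .crt file."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return check_expiry(out, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    # Constructed input: the notAfter line from the ticket, checked two days before it.
    sample = "notAfter=Apr  5 19:36:12 2017 GMT"
    print(check_expiry(sample, datetime(2017, 4, 3, 19, 36, 12, tzinfo=timezone.utc)))
```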