
Deploy a certcentral managed TLS certificate for librenms
Closed, Resolved (Public)

Description

We will be using librenms as the first canary for certcentral managed certificates :)

Event Timeline

Vgutierrez triaged this task as Medium priority. Nov 19 2018, 3:52 PM
Vgutierrez created this task.
Vgutierrez added a project: Acme-chief.
Vgutierrez moved this task from Backlog to TLS on the Traffic board.

Change 474722 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms

https://gerrit.wikimedia.org/r/474722

Change 474723 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral

https://gerrit.wikimedia.org/r/474723

Change 474730 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Use the same naming schema for certs as LE puppetization

https://gerrit.wikimedia.org/r/474730

Change 474730 merged by Vgutierrez:
[operations/puppet@production] certcentral: Deliver same certs (with same naming) as LE puppetization

https://gerrit.wikimedia.org/r/474730

Change 474722 merged by Vgutierrez:
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms

https://gerrit.wikimedia.org/r/474722

Change 474723 merged by Vgutierrez:
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral

https://gerrit.wikimedia.org/r/474723

Change 474743 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Use certcentral cert

https://gerrit.wikimedia.org/r/474743

Change 474747 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert

https://gerrit.wikimedia.org/r/474747

looking good:

vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'sha256sum /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'sha256sum /etc/c...nms.rsa-2048.crt' -----
e9828e3c7261ea693cb010479c978715234228ea0d1cd5f85ee31a5ac96ff673  /etc/centralcerts/librenms.rsa-2048.crt
================
PASS:  |#######################################################################################################################################################| 100% (2/2) [00:00<00:00,  3.01hosts/s]
FAIL:  |                                                                                                                                                               |   0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'sha256sum /etc/c...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.
vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'openssl x509 -text -noout -in /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'openssl x509 -te...nms.rsa-2048.crt' -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a7:17:10:ae:0a:3e:dc:a6:e9:3b:f4:20:88:33:4c:dd:3a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Nov 19 15:50:45 2018 GMT
            Not After : Feb 17 15:50:45 2019 GMT
        Subject: CN = librenms.wikimedia.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:40:86:b8:4c:26:8f:7d:88:30:0a:73:e1:f2:
                    51:cd:0b:e9:64:c2:5a:02:4a:bb:8c:ff:53:07:43:
                    ce:99:7c:35:37:f4:90:ef:43:82:ab:da:8c:24:e0:
                    7f:b1:1b:cf:7e:07:2e:42:e6:f3:88:96:ed:25:79:
                    d8:a6:fb:cf:83:0b:3d:37:bd:8c:2f:32:42:42:5e:
                    9f:aa:7e:9f:e8:95:c3:07:49:c0:c0:b2:d9:4a:21:
                    2f:3a:9d:8d:74:a8:36:91:8b:b9:41:df:5f:12:52:
                    c4:1e:31:4c:06:4b:e8:ec:be:04:48:28:ef:67:ac:
                    db:b0:68:4c:d4:c9:04:ba:f7:ca:86:b4:61:ab:ba:
                    ee:79:5e:08:c2:af:08:99:12:41:de:f5:68:73:6b:
                    5f:b8:86:c0:f2:27:91:f6:7a:33:5a:f0:54:b1:30:
                    e8:01:c5:66:8a:99:87:7d:5d:f4:8b:2b:a9:18:ac:
                    18:7f:ba:7f:56:c9:4c:c5:4d:83:17:a5:60:ee:36:
                    61:2f:b5:5d:b3:a1:9c:64:a2:e9:0b:f9:65:18:51:
                    28:4a:52:e9:2a:12:6c:73:32:d9:e3:fb:cc:52:de:
                    56:ec:09:25:e8:0d:d9:3c:4c:8c:ef:51:e9:f0:4d:
                    6e:d9:20:ff:70:61:3d:cc:a4:be:10:92:5d:03:30:
                    18:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8B:9A:37:A7:0B:65:75:43:F8:60:74:6F:0D:E0:AA:C0:AC:D2:5C:93
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:librenms.wikimedia.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Nov 19 16:50:45.229 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:D0:EC:35:B9:55:50:40:7D:36:77:14:
                                41:8A:80:10:3C:03:7D:85:E3:4C:01:EA:0C:87:77:74:
                                6C:1E:88:DC:A0:02:20:6A:E0:DA:EB:E1:C4:46:D8:B8:
                                65:82:C6:71:C5:F2:85:F0:B1:F9:72:0C:D3:70:44:03:
                                53:34:CB:3F:0D:49:46
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Nov 19 16:50:45.750 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:75:2E:90:FF:B0:06:C7:74:4F:15:36:77:
                                1B:3F:A9:45:0D:48:8A:19:2E:1D:67:30:C9:26:2D:14:
                                3F:2F:E7:1F:02:20:0B:DF:55:A1:93:1C:2C:94:BF:3A:
                                0B:F7:88:1A:DB:2E:36:78:B1:D3:FC:2D:0D:A0:5C:BD:
                                73:78:5A:DF:34:50
    Signature Algorithm: sha256WithRSAEncryption
         6c:70:76:ce:3f:2b:ee:96:10:2f:0a:35:24:8d:07:8f:d4:9f:
         bf:75:80:fb:aa:74:f0:c3:d8:cc:c4:42:0d:68:a7:6a:a6:18:
         c9:59:10:7c:b6:40:b3:35:d9:fb:a2:93:57:51:fe:0c:4e:65:
         b5:ad:2c:e8:f6:c2:02:a9:9a:0a:fe:d8:66:30:67:0d:49:25:
         aa:61:76:5f:70:d9:83:cd:ab:1e:7f:57:f9:54:d7:51:dd:7d:
         be:43:c6:10:d5:df:d6:44:b4:cd:b8:1a:36:28:48:08:22:ad:
         78:ae:5c:9f:e9:a0:6e:32:85:1d:b9:2a:aa:ae:48:04:f5:1c:
         ab:d1:26:e6:e2:74:b9:d2:84:76:6e:d5:c7:5b:51:19:de:93:
         7e:c4:a1:bd:61:82:b7:d4:d9:ad:00:b8:0b:48:23:fb:55:66:
         8f:64:47:80:f2:76:28:56:43:43:ab:78:c0:e2:b9:e4:48:fd:
         5a:3d:ad:ea:f5:4c:29:c6:8f:0c:16:a0:f1:ce:cd:ef:55:dd:
         81:87:86:fe:98:08:a4:6f:02:9b:f5:d7:7c:5b:b6:10:dc:0b:
         7d:d9:4b:9e:4d:57:ed:02:19:50:7e:95:79:da:56:db:ee:26:
         9f:85:dc:ef:60:35:60:d2:16:59:61:10:c3:1b:ec:e8:c0:b1:
         de:8c:1f:3d
================
PASS:  |#######################################################################################################################################################| 100% (2/2) [00:00<00:00,  2.97hosts/s]
FAIL:  |                                                                                                                                                               |   0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'openssl x509 -te...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.
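The cumin run above eyeballs the `openssl x509 -text` dump by hand. The following is an added example, not part of this task or of the certcentral/acme-chief code: it parses that same text format and checks what a canary rollout needs to hold (hostname in the SAN, inside the validity window with enough runway for renewal, serverAuth EKU, expected issuer). The embedded sample is a constructed cut-down of the dump shown in the comment, with the values it shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields of the `openssl x509 -text -noout` dump above that the check needs.
SAMPLE_CERT_TEXT = """\
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Nov 19 15:50:45 2018 GMT
            Not After : Feb 17 15:50:45 2019 GMT
        Subject: CN = librenms.wikimedia.org
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:librenms.wikimedia.org
"""

def parse_openssl_time(field: str) -> datetime:
    """Parse openssl's 'Nov 19 15:50:45 2018 GMT' (the day may be space-padded)."""
    return datetime.strptime(" ".join(field.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_cert_text(text: str) -> dict:
    """Pull the fields a canary check cares about out of the text dump."""
    def grab(label_pattern):  # value after the label, on the same line or the next one
        m = re.search(label_pattern + r"\s*(\S.*)$", text, re.M)
        return m.group(1).strip() if m else ""
    san = grab(r"Subject Alternative Name:")
    return {
        "issuer": grab(r"^\s*Issuer:"),
        "not_before": parse_openssl_time(grab(r"^\s*Not Before\s*:")),
        "not_after": parse_openssl_time(grab(r"^\s*Not After\s*:")),
        "eku": grab(r"Extended Key Usage:"),
        "san": [s.strip()[4:] for s in san.split(",") if s.strip().startswith("DNS:")],
    }

def check_canary(text: str, hostname: str, now: datetime, min_days: int = 14) -> list:
    """Return the problems found; an empty list means the deployed cert is fit for hostname."""
    c = parse_cert_text(text)
    problems = []
    if hostname not in c["san"]:
        problems.append(f"{hostname} not in SAN {c['san']}")
    if not c["not_before"] <= now <= c["not_after"]:
        problems.append("outside validity window")
    elif c["not_after"] - now < timedelta(days=min_days):  # renewal should already have fired
        problems.append(f"expires in {(c['not_after'] - now).days} days")
    if "TLS Web Server Authentication" not in c["eku"]:
        problems.append("no serverAuth EKU")
    if "Let's Encrypt" not in c["issuer"]:
        problems.append(f"unexpected issuer: {c['issuer']}")
    return problems
```

Feed it the per-host output of the cumin command and run it with `datetime.now(timezone.utc)`; a non-empty list on any host is a reason not to flip the vhost over.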

Change 474743 merged by Vgutierrez:
[operations/puppet@production] librenms: Use certcentral cert

https://gerrit.wikimedia.org/r/474743

Mentioned in SAL (#wikimedia-operations) [2018-11-20T15:38:19Z] <vgutierrez> switching to certcentral managed TLS certificate for librenms.wikimedia.org - T209856

Change 474747 merged by Vgutierrez:
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert

https://gerrit.wikimedia.org/r/474747