We will be using librenms as the first canary for certcentral managed certificates :)
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Vgutierrez | T207050 Migrate most standard public TLS certificates to CertCentral issuance
Resolved | | Vgutierrez | T209856 Deploy a certcentral managed TLS certificate for librenms
Event Timeline
Change 474722 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms
Change 474723 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral
Change 474730 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Use the same naming schema for certs as LE puppetization
Change 474730 merged by Vgutierrez:
[operations/puppet@production] certcentral: Deliver same certs (with same naming) as LE puppetization
Change 474722 merged by Vgutierrez:
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms
Change 474723 merged by Vgutierrez:
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral
Change 474743 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Use certcentral cert
Change 474747 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert
looking good:
```
vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'sha256sum /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'sha256sum /etc/c...nms.rsa-2048.crt' -----
e9828e3c7261ea693cb010479c978715234228ea0d1cd5f85ee31a5ac96ff673  /etc/centralcerts/librenms.rsa-2048.crt
================
PASS: |#######################################################################################################################################################| 100% (2/2) [00:00<00:00, 3.01hosts/s]
FAIL: | | 0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'sha256sum /etc/c...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.
vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'openssl x509 -text -noout -in /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'openssl x509 -te...nms.rsa-2048.crt' -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a7:17:10:ae:0a:3e:dc:a6:e9:3b:f4:20:88:33:4c:dd:3a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Nov 19 15:50:45 2018 GMT
            Not After : Feb 17 15:50:45 2019 GMT
        Subject: CN = librenms.wikimedia.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:40:86:b8:4c:26:8f:7d:88:30:0a:73:e1:f2:
                    51:cd:0b:e9:64:c2:5a:02:4a:bb:8c:ff:53:07:43:
                    ce:99:7c:35:37:f4:90:ef:43:82:ab:da:8c:24:e0:
                    7f:b1:1b:cf:7e:07:2e:42:e6:f3:88:96:ed:25:79:
                    d8:a6:fb:cf:83:0b:3d:37:bd:8c:2f:32:42:42:5e:
                    9f:aa:7e:9f:e8:95:c3:07:49:c0:c0:b2:d9:4a:21:
                    2f:3a:9d:8d:74:a8:36:91:8b:b9:41:df:5f:12:52:
                    c4:1e:31:4c:06:4b:e8:ec:be:04:48:28:ef:67:ac:
                    db:b0:68:4c:d4:c9:04:ba:f7:ca:86:b4:61:ab:ba:
                    ee:79:5e:08:c2:af:08:99:12:41:de:f5:68:73:6b:
                    5f:b8:86:c0:f2:27:91:f6:7a:33:5a:f0:54:b1:30:
                    e8:01:c5:66:8a:99:87:7d:5d:f4:8b:2b:a9:18:ac:
                    18:7f:ba:7f:56:c9:4c:c5:4d:83:17:a5:60:ee:36:
                    61:2f:b5:5d:b3:a1:9c:64:a2:e9:0b:f9:65:18:51:
                    28:4a:52:e9:2a:12:6c:73:32:d9:e3:fb:cc:52:de:
                    56:ec:09:25:e8:0d:d9:3c:4c:8c:ef:51:e9:f0:4d:
                    6e:d9:20:ff:70:61:3d:cc:a4:be:10:92:5d:03:30:
                    18:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8B:9A:37:A7:0B:65:75:43:F8:60:74:6F:0D:E0:AA:C0:AC:D2:5C:93
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:librenms.wikimedia.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Nov 19 16:50:45.229 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:D0:EC:35:B9:55:50:40:7D:36:77:14:
                                41:8A:80:10:3C:03:7D:85:E3:4C:01:EA:0C:87:77:74:
                                6C:1E:88:DC:A0:02:20:6A:E0:DA:EB:E1:C4:46:D8:B8:
                                65:82:C6:71:C5:F2:85:F0:B1:F9:72:0C:D3:70:44:03:
                                53:34:CB:3F:0D:49:46
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Nov 19 16:50:45.750 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:75:2E:90:FF:B0:06:C7:74:4F:15:36:77:
                                1B:3F:A9:45:0D:48:8A:19:2E:1D:67:30:C9:26:2D:14:
                                3F:2F:E7:1F:02:20:0B:DF:55:A1:93:1C:2C:94:BF:3A:
                                0B:F7:88:1A:DB:2E:36:78:B1:D3:FC:2D:0D:A0:5C:BD:
                                73:78:5A:DF:34:50
    Signature Algorithm: sha256WithRSAEncryption
         6c:70:76:ce:3f:2b:ee:96:10:2f:0a:35:24:8d:07:8f:d4:9f:
         bf:75:80:fb:aa:74:f0:c3:d8:cc:c4:42:0d:68:a7:6a:a6:18:
         c9:59:10:7c:b6:40:b3:35:d9:fb:a2:93:57:51:fe:0c:4e:65:
         b5:ad:2c:e8:f6:c2:02:a9:9a:0a:fe:d8:66:30:67:0d:49:25:
         aa:61:76:5f:70:d9:83:cd:ab:1e:7f:57:f9:54:d7:51:dd:7d:
         be:43:c6:10:d5:df:d6:44:b4:cd:b8:1a:36:28:48:08:22:ad:
         78:ae:5c:9f:e9:a0:6e:32:85:1d:b9:2a:aa:ae:48:04:f5:1c:
         ab:d1:26:e6:e2:74:b9:d2:84:76:6e:d5:c7:5b:51:19:de:93:
         7e:c4:a1:bd:61:82:b7:d4:d9:ad:00:b8:0b:48:23:fb:55:66:
         8f:64:47:80:f2:76:28:56:43:43:ab:78:c0:e2:b9:e4:48:fd:
         5a:3d:ad:ea:f5:4c:29:c6:8f:0c:16:a0:f1:ce:cd:ef:55:dd:
         81:87:86:fe:98:08:a4:6f:02:9b:f5:d7:7c:5b:b6:10:dc:0b:
         7d:d9:4b:9e:4d:57:ed:02:19:50:7e:95:79:da:56:db:ee:26:
         9f:85:dc:ef:60:35:60:d2:16:59:61:10:c3:1b:ec:e8:c0:b1:
         de:8c:1f:3d
================
PASS: |#######################################################################################################################################################| 100% (2/2) [00:00<00:00, 2.97hosts/s]
FAIL: | | 0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'openssl x509 -te...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.
```
Change 474743 merged by Vgutierrez:
[operations/puppet@production] librenms: Use certcentral cert
Mentioned in SAL (#wikimedia-operations) [2018-11-20T15:38:19Z] <vgutierrez> switching to certcentral managed TLS certificate for librenms.wikimedia.org - T209856
Change 474747 merged by Vgutierrez:
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert