Deploy a certcentral managed TLS certificate for librenms
Closed, ResolvedPublic

Description

We will be using librenms as the first canary for certcentral managed certificates :)

Vgutierrez triaged this task as Normal priority.
Vgutierrez added a project: Certcentral.
Vgutierrez moved this task from Triage to TLS on the Traffic board.

Change 474722 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms

https://gerrit.wikimedia.org/r/474722

Change 474723 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral

https://gerrit.wikimedia.org/r/474723

Change 474730 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] certcentral: Use the same naming schema for certs as LE puppetization

https://gerrit.wikimedia.org/r/474730

Change 474730 merged by Vgutierrez:
[operations/puppet@production] certcentral: Deliver same certs (with same naming) as LE puppetization

https://gerrit.wikimedia.org/r/474730

Change 474722 merged by Vgutierrez:
[operations/puppet@production] certcentral: Provide a TLS certificate for librenms

https://gerrit.wikimedia.org/r/474722

Change 474723 merged by Vgutierrez:
[operations/puppet@production] librenms: Deploy the TLS certificate managed by certcentral

https://gerrit.wikimedia.org/r/474723

Change 474743 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Use certcentral cert

https://gerrit.wikimedia.org/r/474743

Change 474747 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert

https://gerrit.wikimedia.org/r/474747

looking good:

vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'sha256sum /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'sha256sum /etc/c...nms.rsa-2048.crt' -----
e9828e3c7261ea693cb010479c978715234228ea0d1cd5f85ee31a5ac96ff673  /etc/centralcerts/librenms.rsa-2048.crt
================
PASS:  |#######################################################################################################################################################| 100% (2/2) [00:00<00:00,  3.01hosts/s]
FAIL:  |                                                                                                                                                               |   0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'sha256sum /etc/c...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.
vgutierrez@neodymium:~$ sudo cumin netmon1002.wikimedia.org,netmon2001.wikimedia.org 'openssl x509 -text -noout -in /etc/centralcerts/librenms.rsa-2048.crt'
2 hosts will be targeted:
netmon[1002,2001].wikimedia.org
Confirm to continue [y/n]? y
===== NODE GROUP =====
(2) netmon[1002,2001].wikimedia.org
----- OUTPUT of 'openssl x509 -te...nms.rsa-2048.crt' -----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:a7:17:10:ae:0a:3e:dc:a6:e9:3b:f4:20:88:33:4c:dd:3a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Nov 19 15:50:45 2018 GMT
            Not After : Feb 17 15:50:45 2019 GMT
        Subject: CN = librenms.wikimedia.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:40:86:b8:4c:26:8f:7d:88:30:0a:73:e1:f2:
                    51:cd:0b:e9:64:c2:5a:02:4a:bb:8c:ff:53:07:43:
                    ce:99:7c:35:37:f4:90:ef:43:82:ab:da:8c:24:e0:
                    7f:b1:1b:cf:7e:07:2e:42:e6:f3:88:96:ed:25:79:
                    d8:a6:fb:cf:83:0b:3d:37:bd:8c:2f:32:42:42:5e:
                    9f:aa:7e:9f:e8:95:c3:07:49:c0:c0:b2:d9:4a:21:
                    2f:3a:9d:8d:74:a8:36:91:8b:b9:41:df:5f:12:52:
                    c4:1e:31:4c:06:4b:e8:ec:be:04:48:28:ef:67:ac:
                    db:b0:68:4c:d4:c9:04:ba:f7:ca:86:b4:61:ab:ba:
                    ee:79:5e:08:c2:af:08:99:12:41:de:f5:68:73:6b:
                    5f:b8:86:c0:f2:27:91:f6:7a:33:5a:f0:54:b1:30:
                    e8:01:c5:66:8a:99:87:7d:5d:f4:8b:2b:a9:18:ac:
                    18:7f:ba:7f:56:c9:4c:c5:4d:83:17:a5:60:ee:36:
                    61:2f:b5:5d:b3:a1:9c:64:a2:e9:0b:f9:65:18:51:
                    28:4a:52:e9:2a:12:6c:73:32:d9:e3:fb:cc:52:de:
                    56:ec:09:25:e8:0d:d9:3c:4c:8c:ef:51:e9:f0:4d:
                    6e:d9:20:ff:70:61:3d:cc:a4:be:10:92:5d:03:30:
                    18:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8B:9A:37:A7:0B:65:75:43:F8:60:74:6F:0D:E0:AA:C0:AC:D2:5C:93
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:librenms.wikimedia.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
                                C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
                    Timestamp : Nov 19 16:50:45.229 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:D0:EC:35:B9:55:50:40:7D:36:77:14:
                                41:8A:80:10:3C:03:7D:85:E3:4C:01:EA:0C:87:77:74:
                                6C:1E:88:DC:A0:02:20:6A:E0:DA:EB:E1:C4:46:D8:B8:
                                65:82:C6:71:C5:F2:85:F0:B1:F9:72:0C:D3:70:44:03:
                                53:34:CB:3F:0D:49:46
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
                                A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
                    Timestamp : Nov 19 16:50:45.750 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:75:2E:90:FF:B0:06:C7:74:4F:15:36:77:
                                1B:3F:A9:45:0D:48:8A:19:2E:1D:67:30:C9:26:2D:14:
                                3F:2F:E7:1F:02:20:0B:DF:55:A1:93:1C:2C:94:BF:3A:
                                0B:F7:88:1A:DB:2E:36:78:B1:D3:FC:2D:0D:A0:5C:BD:
                                73:78:5A:DF:34:50
    Signature Algorithm: sha256WithRSAEncryption
         6c:70:76:ce:3f:2b:ee:96:10:2f:0a:35:24:8d:07:8f:d4:9f:
         bf:75:80:fb:aa:74:f0:c3:d8:cc:c4:42:0d:68:a7:6a:a6:18:
         c9:59:10:7c:b6:40:b3:35:d9:fb:a2:93:57:51:fe:0c:4e:65:
         b5:ad:2c:e8:f6:c2:02:a9:9a:0a:fe:d8:66:30:67:0d:49:25:
         aa:61:76:5f:70:d9:83:cd:ab:1e:7f:57:f9:54:d7:51:dd:7d:
         be:43:c6:10:d5:df:d6:44:b4:cd:b8:1a:36:28:48:08:22:ad:
         78:ae:5c:9f:e9:a0:6e:32:85:1d:b9:2a:aa:ae:48:04:f5:1c:
         ab:d1:26:e6:e2:74:b9:d2:84:76:6e:d5:c7:5b:51:19:de:93:
         7e:c4:a1:bd:61:82:b7:d4:d9:ad:00:b8:0b:48:23:fb:55:66:
         8f:64:47:80:f2:76:28:56:43:43:ab:78:c0:e2:b9:e4:48:fd:
         5a:3d:ad:ea:f5:4c:29:c6:8f:0c:16:a0:f1:ce:cd:ef:55:dd:
         81:87:86:fe:98:08:a4:6f:02:9b:f5:d7:7c:5b:b6:10:dc:0b:
         7d:d9:4b:9e:4d:57:ed:02:19:50:7e:95:79:da:56:db:ee:26:
         9f:85:dc:ef:60:35:60:d2:16:59:61:10:c3:1b:ec:e8:c0:b1:
         de:8c:1f:3d
================
PASS:  |#######################################################################################################################################################| 100% (2/2) [00:00<00:00,  2.97hosts/s]
FAIL:  |                                                                                                                                                               |   0% (0/2) [00:00<?, ?hosts/s]
100.0% (2/2) success ratio (>= 100.0% threshold) for command: 'openssl x509 -te...nms.rsa-2048.crt'.
100.0% (2/2) success ratio (>= 100.0% threshold) of nodes successfully executed all commands.

Change 474743 merged by Vgutierrez:
[operations/puppet@production] librenms: Use certcentral cert

https://gerrit.wikimedia.org/r/474743

Mentioned in SAL (#wikimedia-operations) [2018-11-20T15:38:19Z] <vgutierrez> switching to certcentral managed TLS certificate for librenms.wikimedia.org - T209856

Change 474747 merged by Vgutierrez:
[operations/puppet@production] librenms: Remove old letsencrypt puppetisation cert

https://gerrit.wikimedia.org/r/474747

Vgutierrez closed this task as Resolved.Tue, Nov 20, 4:05 PM
Vgutierrez removed a project: Patch-For-Review.