
Update Subject Alternative Name field in TLS certificates for swift
Closed, Resolved (Public)

Description

The current Subject Alternative Name fields of the TLS certificates offered by swift include only the DNS names ms-fe.{eqiad,codfw}.wmnet (which are deprecated) and ms-fe.svc.{eqiad,codfw}.wmnet:

$ echo | openssl s_client -connect ms-fe.svc.eqiad.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.eqiad.wmnet, DNS:ms-fe.svc.eqiad.wmnet
$ echo | openssl s_client -connect ms-fe.svc.codfw.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.codfw.wmnet, DNS:ms-fe.svc.codfw.wmnet

The new values for SAN should be respectively:

  • ms-fe.svc.eqiad.wmnet, swift.svc.eqiad.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org
  • ms-fe.svc.codfw.wmnet, swift.svc.codfw.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org

Note that I've included upload.wikimedia.org because ATS validates the origin server certificate against the Host header value as specified by the client.
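As an added example (not part of this task or of the puppet changes), the following script mints a throwaway self-signed certificate carrying the codfw SAN list requested above, lists its SANs with the same `openssl x509 -noout -text | grep DNS` check used in this task, verifies that every expected name is present, and runs an `openssl verify -verify_hostname` check that mirrors what ATS does when it validates the origin certificate against the client's Host header. All certificates and file paths here are constructed for the demo; the SAN name lists are the ones stated in the task description.

```shell
# Added example: build a test cert with the task's codfw SAN list and check it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SAN sets from the task description (codfw, before and after the change)
OLD_CODFW="ms-fe.codfw.wmnet ms-fe.svc.codfw.wmnet"
NEW_CODFW="ms-fe.svc.codfw.wmnet swift.svc.codfw.wmnet swift-ro.discovery.wmnet swift-rw.discovery.wmnet upload.wikimedia.org"

# make_cert OUT "name1 name2 ...": self-signed test cert (constructed, not the production one)
make_cert() {
  san=""
  for n in $2; do san="${san:+$san,}DNS:$n"; done
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=%s\n[v3]\nsubjectAltName=%s\n' \
    "${2%% *}" "$san" > "$WORK/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# cert_sans CERT: print the DNS SANs one per line (same "grep DNS" as in the task)
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep DNS | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# check_sans CERT "expected names": returns 0 only if every expected name is present
check_sans() {
  have=$(cert_sans "$1")
  for n in $2; do
    printf '%s\n' "$have" | grep -qx "$n" || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# host_matches CERT HOST: 0 if openssl accepts HOST against the cert's SANs,
# i.e. the check ATS performs with the Host header supplied by the client
host_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: the pre-change SAN set fails the check, the new one passes and covers upload.wikimedia.org
make_cert "$WORK/old.pem" "$OLD_CODFW"
make_cert "$WORK/new.pem" "$NEW_CODFW"
check_sans "$WORK/old.pem" "$NEW_CODFW" || echo "old cert rejected"
check_sans "$WORK/new.pem" "$NEW_CODFW" && echo "new cert OK"
host_matches "$WORK/new.pem" upload.wikimedia.org && echo "Host upload.wikimedia.org accepted"
```

The same `check_sans` can be pointed at a certificate fetched with `openssl s_client` (as in the task) to confirm a deployed cert before repooling a host.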

Event Timeline

ema triaged this task as Medium priority. Dec 18 2018, 2:43 PM
ema created this task.

Mentioned in SAL (#wikimedia-operations) [2018-12-21T09:22:55Z] <ema> depool ms-fe2006 to test new TLS certs T212215

Tested the new cert on ms-fe2006, looks good:

$ echo | openssl s_client -connect ms-fe2006.codfw.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.svc.codfw.wmnet, DNS:swift.svc.codfw.wmnet, DNS:swift-ro.discovery.wmnet, DNS:swift-rw.discovery.wmnet, DNS:upload.wikimedia.org
$ curl -I --resolve upload.wikimedia.org:443:10.192.16.190 https://upload.wikimedia.org/wikipedia/commons/1/15/Sampdoria_curva.jpg
HTTP/1.1 200 OK

Mentioned in SAL (#wikimedia-operations) [2018-12-21T09:57:46Z] <ema> repool ms-fe2006 with old certs, test successful T212215#4839960

Change 481136 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] swift: new cert for ms-fe.svc.codfw.wmnet

https://gerrit.wikimedia.org/r/481136

Change 481137 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] swift: new cert for ms-fe.svc.eqiad.wmnet

https://gerrit.wikimedia.org/r/481137

Mentioned in SAL (#wikimedia-operations) [2019-01-02T10:59:39Z] <ema> replace TLS certificates on ms-fe codfw hosts T212215

Change 481136 merged by Ema:
[operations/puppet@production] swift: new cert for ms-fe.svc.codfw.wmnet

https://gerrit.wikimedia.org/r/481136

Mentioned in SAL (#wikimedia-operations) [2019-01-02T11:46:39Z] <ema> replace TLS certificates on ms-fe eqiad hosts T212215

Change 481137 merged by Ema:
[operations/puppet@production] swift: new cert for ms-fe.svc.eqiad.wmnet

https://gerrit.wikimedia.org/r/481137

New certificates deployed both in codfw and in eqiad.