
Update Subject Alternative Name field in TLS certificates for swift
Closed, ResolvedPublic

Description

The current Subject Alternative Name fields of the TLS certificates offered by swift include only the DNS names ms-fe.{eqiad,codfw}.wmnet (which are deprecated) and ms-fe.svc.{eqiad,codfw}.wmnet:

$ echo | openssl s_client -connect ms-fe.svc.eqiad.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.eqiad.wmnet, DNS:ms-fe.svc.eqiad.wmnet
$ echo | openssl s_client -connect ms-fe.svc.codfw.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.codfw.wmnet, DNS:ms-fe.svc.codfw.wmnet

The new values for SAN should be respectively:

  • ms-fe.svc.eqiad.wmnet, swift.svc.eqiad.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org
  • ms-fe.svc.codfw.wmnet, swift.svc.codfw.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org

Note that I've included upload.wikimedia.org because ATS validates the origin server certificate against the Host header value as specified by the client.

Event Timeline

ema triaged this task as Normal priority. Dec 18 2018, 2:43 PM
ema created this task.
Restricted Application removed a project: Patch-For-Review. Dec 18 2018, 2:43 PM
ema moved this task from Triage to TLS on the Traffic board. Dec 19 2018, 4:12 PM

Mentioned in SAL (#wikimedia-operations) [2018-12-21T09:22:55Z] <ema> depool ms-fe2006 to test new TLS certs T212215

Tested the new cert on ms-fe2006, looks good:

$ echo | openssl s_client -connect ms-fe2006.codfw.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
                DNS:ms-fe.svc.codfw.wmnet, DNS:swift.svc.codfw.wmnet, DNS:swift-ro.discovery.wmnet, DNS:swift-rw.discovery.wmnet, DNS:upload.wikimedia.org
$ curl -I --resolve upload.wikimedia.org:443:10.192.16.190 https://upload.wikimedia.org/wikipedia/commons/1/15/Sampdoria_curva.jpg
HTTP/1.1 200 OK
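The SAN requirement in the description and the manual openssl check above can be turned into a repeatable test. The script below is an added example, not part of the task or of the operations/puppet change: it pulls the DNS names out of a certificate's Subject Alternative Name extension and compares them, order-independently, with the expected list, reporting what is missing or unexpected. check_cert_san works on a PEM file (and is what the offline test exercises); check_served_san fetches the certificate with openssl s_client exactly as in the task, and check_swift_frontends wires in the two expected lists from the description. The ms-fe.svc.* hosts are, of course, only reachable from inside the WMF network.

```shell
#!/bin/sh
# Added example (not from the task): verify that a Swift frontend's TLS
# certificate carries exactly the expected SAN DNS names.

# Print the DNS SAN entries of the PEM certificate on stdin, one per line, sorted.
san_dns_names() {
    openssl x509 -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort -u
}

# Normalise a comma-separated list of names into sorted one-per-line form.
expected_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$' | sort -u
}

# check_cert_san CERT.pem "name1, name2, ..."
# Returns 0 when the SAN DNS list matches the expected list exactly (in any
# order); otherwise prints the missing and unexpected names and returns 1.
check_cert_san() {
    got=$(san_dns_names < "$1")
    want=$(expected_names "$2")
    [ "$got" = "$want" ] && return 0
    for n in $want; do
        printf '%s\n' "$got" | grep -Fxq -- "$n" || echo "missing from cert: $n"
    done
    for n in $got; do
        printf '%s\n' "$want" | grep -Fxq -- "$n" || echo "unexpected in cert: $n"
    done
    return 1
}

# check_served_san HOST:PORT "name1, name2, ..."
# Fetch the served certificate the way the task does and run the same comparison.
check_served_san() {
    tmp=$(mktemp)
    echo | openssl s_client -connect "$1" 2>/dev/null | openssl x509 > "$tmp"
    check_cert_san "$tmp" "$2"; rc=$?
    rm -f "$tmp"
    return $rc
}

# The two expected SAN lists from the task description, one per datacenter.
check_swift_frontends() {
    common="swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org"
    check_served_san ms-fe.svc.eqiad.wmnet:443 "ms-fe.svc.eqiad.wmnet, swift.svc.eqiad.wmnet, $common" \
    && check_served_san ms-fe.svc.codfw.wmnet:443 "ms-fe.svc.codfw.wmnet, swift.svc.codfw.wmnet, $common"
}
```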

Mentioned in SAL (#wikimedia-operations) [2018-12-21T09:57:46Z] <ema> repool ms-fe2006 with old certs, test successful T212215#4839960

Change 481136 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] swift: new cert for ms-fe.svc.codfw.wmnet

https://gerrit.wikimedia.org/r/481136

Change 481137 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] swift: new cert for ms-fe.svc.eqiad.wmnet

https://gerrit.wikimedia.org/r/481137

Mentioned in SAL (#wikimedia-operations) [2019-01-02T10:59:39Z] <ema> replace TLS certificates on ms-fe codfw hosts T212215

Change 481136 merged by Ema:
[operations/puppet@production] swift: new cert for ms-fe.svc.codfw.wmnet

https://gerrit.wikimedia.org/r/481136

Mentioned in SAL (#wikimedia-operations) [2019-01-02T11:46:39Z] <ema> replace TLS certificates on ms-fe eqiad hosts T212215

Change 481137 merged by Ema:
[operations/puppet@production] swift: new cert for ms-fe.svc.eqiad.wmnet

https://gerrit.wikimedia.org/r/481137

ema closed this task as Resolved. Jan 2 2019, 12:02 PM

New certificates deployed both in codfw and in eqiad.