The current Subject Alternative Name fields of the TLS certificates offered by swift include only the DNS names ms-fe.{eqiad,codfw}.wmnet (which are deprecated) and ms-fe.svc.{eqiad,codfw}.wmnet:
```
$ echo | openssl s_client -connect ms-fe.svc.eqiad.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
DNS:ms-fe.eqiad.wmnet, DNS:ms-fe.svc.eqiad.wmnet
$ echo | openssl s_client -connect ms-fe.svc.codfw.wmnet:443 2>&1 | openssl x509 -noout -text | grep DNS
DNS:ms-fe.codfw.wmnet, DNS:ms-fe.svc.codfw.wmnet
```
The new values for SAN should be, respectively:
- ms-fe.svc.eqiad.wmnet, swift.svc.eqiad.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org
- ms-fe.svc.codfw.wmnet, swift.svc.codfw.wmnet, swift-ro.discovery.wmnet, swift-rw.discovery.wmnet, upload.wikimedia.org
Note that I've included upload.wikimedia.org because ATS validates the origin server certificate against the Host header value as specified by the client.
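
One way to check a reissued certificate against the lists above (an added example, not part of the original task): the function names are hypothetical, and reporting any name outside the requested list as "unexpected" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: compare the SANs a Swift frontend serves with the list
# requested in the task. Function names are hypothetical.

# Requested SANs for a site (eqiad or codfw), taken from the task text.
expected_sans() {
    printf '%s\n' "ms-fe.svc.$1.wmnet" "swift.svc.$1.wmnet" \
        swift-ro.discovery.wmnet swift-rw.discovery.wmnet upload.wikimedia.org
}

# Turn the "DNS:a, DNS:b" line printed by `openssl x509 -text | grep DNS`
# into one name per line.
parse_sans() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | sort -u
}

# san_diff SITE "SAN line"
# Prints "missing NAME" or "unexpected NAME" for each difference and
# returns 1 if there is any; returns 0 when the sets match exactly.
san_diff() {
    want=$(expected_sans "$1")
    have=$(printf '%s\n' "$2" | parse_sans)
    out=$(
        printf '%s\n' "$want" | while read -r n; do
            printf '%s\n' "$have" | grep -qxF -- "$n" || echo "missing $n"
        done
        printf '%s\n' "$have" | while read -r n; do
            [ -n "$n" ] || continue
            printf '%s\n' "$want" | grep -qxF -- "$n" || echo "unexpected $n"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Offline run on the eqiad output quoted in the task (the current certificate).
san_diff eqiad "DNS:ms-fe.eqiad.wmnet, DNS:ms-fe.svc.eqiad.wmnet" || true

# Live use (needs network access to the service):
#   san_diff eqiad "$(echo | openssl s_client -connect ms-fe.svc.eqiad.wmnet:443 2>&1 \
#       | openssl x509 -noout -text | grep DNS)"
```

A missing upload.wikimedia.org in this report is the case the note about ATS is concerned with.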