
Update openldap profile to use LE
Closed, ResolvedPublic

Description

I need new certs for some new ldap servers, and the certs on serpens and seaborgium expire in not all that long anyway.

Event Timeline

Andrew created this task. Mar 15 2019, 2:12 PM
Restricted Application removed a project: Patch-For-Review. Mar 15 2019, 2:12 PM
Dzahn added a subscriber: Dzahn.
Restricted Application added a project: Operations. Mar 15 2019, 2:13 PM

Per a brief IRC chat with @Vgutierrez, it should be possible to migrate these to use Certcentral (https://wikitech.wikimedia.org/wiki/Certcentral).

Dzahn added a comment. Mar 15 2019, 2:19 PM

Command for testing the connection over ldaps, with more debug info on why it fails:

[ldap-eqiad-replica01:/etc/ldap] $ ldapsearch -H ldaps://ldap-eqiad-replica01.wikimedia.org -x mail="andrew*" -d1

that currently returns:

TLS: peer cert untrusted or revoked (0x42)

Valentin says we can copy the setup for librenms because currently there is another migration from certcentral to acme-chief.

Change 496785 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] acme_chief: generate certs for ldap-labs/ldap-ro servers

https://gerrit.wikimedia.org/r/496785

Change 496785 merged by Andrew Bogott:
[operations/puppet@production] acme_chief: generate certs for ldap-labs/ldap-ro servers

https://gerrit.wikimedia.org/r/496785

Change 496790 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] openldap: switch to using acme certs

https://gerrit.wikimedia.org/r/496790

Change 496790 merged by Andrew Bogott:
[operations/puppet@production] openldap: switch to using acme certs

https://gerrit.wikimedia.org/r/496790

Change 496799 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] ldap: give more systems access to the ldap certs

https://gerrit.wikimedia.org/r/496799

Change 496799 merged by Andrew Bogott:
[operations/puppet@production] ldap: give more systems access to the ldap certs

https://gerrit.wikimedia.org/r/496799

Change 496807 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] openldap certs: allow group 'openldap' to read them

https://gerrit.wikimedia.org/r/496807

Change 496807 merged by Andrew Bogott:
[operations/puppet@production] openldap certs: allow group 'openldap' to read them

https://gerrit.wikimedia.org/r/496807

Andrew closed this task as Resolved. Mar 18 2019, 1:57 PM
Andrew claimed this task.

This is working with acme now.