This task will track the implementation of the updated/renewed *.tools.wmflabs.org certificate and key.
The new key is already committed to the private puppet repo as new.star.tools.wmflabs.org.key. The new certificate will be linked into this task via gerrit patchset once the order is received by @RobH. Then this task will be reassigned to the cloud-services-team for implementation.
The gerrit patchset https://gerrit.wikimedia.org/r/510250 stages the new certificate, and the new private key is stored in the private puppet repo as new.star.tools.wmflabs.org. Please ensure both the private key and the staged certificate are merged live at the same time, or failures will result.