Page MenuHomePhabricator
Create Task
Maniphest T232772

Audit tools project puppet CA certs to ensure that they are all consistent
Closed, ResolvedPublic
Actions

Description

As this was the ultimate root cause, of the outage, we should make sure there aren't any old CA certs floating around that could confuse things again.

Related Objects
Search...

Event Timeline

Bstorm triaged this task as Medium priority.Sep 12 2019, 7:07 PM
Bstorm created this task.
Bstorm added a project: Wikimedia-Incident.
Bstorm added a comment.Sep 12 2019, 7:26 PM

The related cert for the outage was on the server itself in this place https://phabricator.wikimedia.org/T148929#2817428

Krenair subscribed.Sep 13 2019, 6:40 PM

I just did a quick check (yay cumin!). You might want to check tools-elastic-01.tools.eqiad.wmflabs's /var/lib/puppet/client/ssl/certs/ca.pem. Other than that, that file name and also more importantly /var/lib/puppet/ssl/certs/ca.pem and /etc/ssl/certs/Puppet_Internal_CA.pem look consistent.

Andrew closed this task as Resolved.Sep 13 2019, 7:25 PM
Andrew claimed this task.
Andrew subscribed.

I fixed the file that @Krenair mentioned and confirmed that /var/lib/puppet/ssl/certs/ca.pem == /etc/ssl/certs/Puppet_Internal_CA.pem ==/var/lib/puppet/client/ssl/certs/ca.pem on all hosts in tools.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL