Page MenuHomePhabricator
Create Task
Maniphest T232988

Use acme-chief provided OCSP stapling responses
Closed, ResolvedPublic
Actions

Description

Now that acme-chief is providing prefetched OCSP stapling responses, clients supporting it (nginx based ones) can start to use them

Details

SubjectRepoBranchLines +/-
ATS: Set sysconfdir back as a read-only directoryoperations/puppetproduction+0 -1
ATS: Adjust OCSP freshness check for acme-chief managed responsesoperations/puppetproduction+1 -1
install_server: Enable OCSP stapling and SSL monitoringoperations/puppetproduction+8 -1
ATS,tlsproxy: ocsp parameter for acme_chief::cert is not needed anymoreoperations/puppetproduction+0 -2
acme_chief: Remove update-ocsp.d leftoversoperations/puppetproduction+0 -21
acme_chief,ATS,tlsproxy: Move to acme-chief centrally managed OCSP responsesoperations/puppetproduction+21 -48
ncredir: Monitor TLS handshake + OCSP stapling for every configured certoperations/puppetproduction+13 -10
ncredir: Check OCSP stapling on HTTPS icinga checkoperations/puppetproduction+1 -1
nagios_common: Provide a HTTPS check for LE with OCSPoperations/puppetproduction+5 -0
ncredir: Enable OCSPoperations/puppetproduction+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Sep 16 2019, 10:26 AM
gerritbot added a comment.Sep 16 2019, 10:42 AM

Change 537062 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Enable OCSP

https://gerrit.wikimedia.org/r/537062

gerritbot added a project: Patch-For-Review.Sep 16 2019, 10:42 AM
Stashbot added a comment.Sep 16 2019, 10:45 AM

Mentioned in SAL (#wikimedia-operations) [2019-09-16T10:45:08Z] <vgutierrez> Enabling OCSP prefetched responses for the non-canonical redirect service - T232988

gerritbot added a comment.Sep 16 2019, 10:48 AM

Change 537062 merged by Vgutierrez:
[operations/puppet@production] ncredir: Enable OCSP

https://gerrit.wikimedia.org/r/537062

gerritbot added a comment.Sep 16 2019, 10:58 AM

Change 537066 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] nagios_common: Provide a HTTPS check for LE with OCSP

https://gerrit.wikimedia.org/r/537066

gerritbot added a comment.Sep 16 2019, 10:58 AM

Change 537067 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Check OCSP stapling on HTTPS icinga check

https://gerrit.wikimedia.org/r/537067

gerritbot added a comment.Sep 16 2019, 11:01 AM

Change 537066 merged by Vgutierrez:
[operations/puppet@production] nagios_common: Provide a HTTPS check for LE with OCSP

https://gerrit.wikimedia.org/r/537066

gerritbot added a comment.Sep 16 2019, 11:08 AM

Change 537067 merged by Vgutierrez:
[operations/puppet@production] ncredir: Check OCSP stapling on HTTPS icinga check

https://gerrit.wikimedia.org/r/537067

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2019, 11:10 AM
gerritbot added a comment.Sep 16 2019, 11:17 AM

Change 537075 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Monitor TLS handshake + OCSP stapling for every configured cert

https://gerrit.wikimedia.org/r/537075

gerritbot added a project: Patch-For-Review.Sep 16 2019, 11:17 AM
gerritbot added a comment.Sep 16 2019, 11:32 AM

Change 537075 merged by Vgutierrez:
[operations/puppet@production] ncredir: Monitor TLS handshake + OCSP stapling for every configured cert

https://gerrit.wikimedia.org/r/537075

Maintenance_bot removed a project: Patch-For-Review.Sep 16 2019, 12:10 PM
Vgutierrez triaged this task as Medium priority.Sep 16 2019, 3:04 PM
gerritbot added a comment.Sep 18 2019, 7:53 AM

Change 537593 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] install_server: Enable OCSP stapling and SSL monitoring

https://gerrit.wikimedia.org/r/537593

gerritbot added a project: Patch-For-Review.Sep 18 2019, 7:53 AM
Vgutierrez added a project: Traffic.Sep 19 2019, 5:39 AM
Restricted Application added a project: SRE. · View Herald TranscriptSep 19 2019, 5:39 AM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.Sep 19 2019, 5:39 AM
gerritbot added a comment.Sep 19 2019, 6:02 AM

Change 537789 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief,ATS,tlsproxy: Move to acme-chief centrally managed OCSP responses

https://gerrit.wikimedia.org/r/537789

gerritbot added a comment.Sep 19 2019, 7:53 AM

Change 537789 merged by Vgutierrez:
[operations/puppet@production] acme_chief,ATS,tlsproxy: Move to acme-chief centrally managed OCSP responses

https://gerrit.wikimedia.org/r/537789

gerritbot added a comment.Sep 19 2019, 8:20 AM

Change 537923 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Remove update-ocsp.d leftovers

https://gerrit.wikimedia.org/r/537923

gerritbot added a comment.Sep 19 2019, 8:44 AM

Change 537927 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS,tlsproxy: ocsp parameter for acme_chief::cert is not needed anymore

https://gerrit.wikimedia.org/r/537927

gerritbot added a comment.Sep 19 2019, 9:10 AM

Change 537923 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Remove update-ocsp.d leftovers

https://gerrit.wikimedia.org/r/537923

gerritbot added a comment.Sep 19 2019, 9:15 AM

Change 537927 merged by Vgutierrez:
[operations/puppet@production] ATS,tlsproxy: ocsp parameter for acme_chief::cert is not needed anymore

https://gerrit.wikimedia.org/r/537927

gerritbot added a comment.Sep 20 2019, 5:19 AM

Change 537593 merged by Vgutierrez:
[operations/puppet@production] install_server: Enable OCSP stapling and SSL monitoring

https://gerrit.wikimedia.org/r/537593

Maintenance_bot removed a project: Patch-For-Review.Sep 20 2019, 6:10 AM
gerritbot added a comment.Sep 20 2019, 8:58 AM

Change 538165 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Adjust OCSP freshness check for acme-chief managed responses

https://gerrit.wikimedia.org/r/538165

gerritbot added a project: Patch-For-Review.Sep 20 2019, 8:58 AM
gerritbot added a comment.Sep 20 2019, 9:04 AM

Change 538165 merged by Vgutierrez:
[operations/puppet@production] ATS: Adjust OCSP freshness check for acme-chief managed responses

https://gerrit.wikimedia.org/r/538165

Maintenance_bot removed a project: Patch-For-Review.Sep 20 2019, 9:10 AM
Krenair mentioned this in T220359: Benefit from acme-chief features in acme-chief clients.Sep 21 2019, 5:26 PM
gerritbot added a comment.Sep 23 2019, 9:34 AM

Change 538582 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Set sysconfdir back as a read-only directory

https://gerrit.wikimedia.org/r/538582

gerritbot added a project: Patch-For-Review.Sep 23 2019, 9:34 AM
gerritbot added a comment.Sep 23 2019, 9:52 AM

Change 538582 merged by Vgutierrez:
[operations/puppet@production] ATS: Set sysconfdir back as a read-only directory

https://gerrit.wikimedia.org/r/538582

Maintenance_bot removed a project: Patch-For-Review.Sep 23 2019, 10:11 AM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

BCornwall assigned this task to Vgutierrez.Aug 12 2022, 6:42 PM
BCornwall subscribed.

@Vgutierrez since this was merged, can this ticket be closed?

Aklapper added a comment.Sep 4 2022, 9:09 PM

@Vgutierrez: Could you please answer the last comment? Thanks in advance!

Aklapper added a comment.Dec 20 2022, 9:12 AM

@Vgutierrez: Could you please answer the last comment? Thanks in advance!

Vgutierrez closed this task as Resolved.Dec 20 2022, 9:51 AM

Oops.. yeah, let me close this. Cheers!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL