Page MenuHomePhabricator
Create Task
Maniphest T234803

Provide an easy way of picking the traffic serving TLS certificate used by ATS
Closed, ResolvedPublic
Actions

Description

Right now with nginx we can pick the certificate being used to serve traffic by simply setting public_tls_unified_cert_vendor to the name of the certificate, (digicert-2019 or globalsign-2018) while with ATS we currently need to set a whole structure with several paths and filenames, making it more prone to errors.

Details

SubjectRepoBranchLines +/-
ATS: Deploy acme-chief version of unified certificate on textoperations/puppetproduction+1 -1
acme_chief: Grant new esams cp hosts access to the unified certificateoperations/puppetproduction+1 -1
ATS: Deploy acme-chief version of the unified certificate globallyoperations/puppetproduction+3 -5
ATS,tlsproxy: Reload TLS material on acme_chief::cert updatesoperations/puppetproduction+15 -0
acme_chief: Grant access to all cp nodes to the unified certoperations/puppetproduction+4 -0
ATS: Use a common base path for /etc/ssl and /etc/acmecerts certsoperations/puppetproduction+50 -74
ATS: Pick the unified cert using hiera key public_tls_unified_cert_vendoroperations/puppetproduction+105 -31
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Oct 7 2019, 9:33 AM
Restricted Application added a project: SRE. · View Herald TranscriptOct 7 2019, 9:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Vgutierrez triaged this task as Medium priority.Oct 7 2019, 9:47 AM
gerritbot added a comment.Oct 7 2019, 10:44 AM

Change 541220 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Pick the unified cert using hiera key public_tls_unified_cert_vendor

https://gerrit.wikimedia.org/r/541220

gerritbot added a project: Patch-For-Review.Oct 7 2019, 10:44 AM
ema moved this task from Backlog to TLS on the Traffic board.Oct 14 2019, 5:36 PM
BBlack added a comment.Oct 17 2019, 2:09 PM

Notes from IRC, etc:

The current patch (merging shortly: https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/541220/ ) gets us part of the way there, enough to deploy dual commercial certs again across ATS + nginx. What we need to do beyond that in the near to medium term is:

  • Reduce some of the duplication in the hieradata (the common SNI-check blocks, etc)
  • Cover deployment of the lets-encrypt / acme_chief case to all nodes based on it being in the defined set of cert options (currently it's only deployed in eqsin; turning it on elsewhere via ucv hieradata wouldn't work)
  • Fix the issues around ATS not handling a switch of directory paths with a simple reload, since commercial and LE cert options current have distinct directory paths. This means we'll have to create some universal paths for ATS's access to the unified cert/key/ocsp which are symlinks out to the appropriate commercial or legacy paths as appropriate.
BBlack mentioned this in T230687: Decide/document criteria needed to serve acme-chief LE issued unified certificate to end users.Oct 17 2019, 2:15 PM
BBlack added a parent task: T230687: Decide/document criteria needed to serve acme-chief LE issued unified certificate to end users.
Stashbot added a comment.Oct 17 2019, 2:32 PM

Mentioned in SAL (#wikimedia-operations) [2019-10-17T14:32:23Z] <bblack> disable puppet on cache fleet (cp*) ahead of cert deployment refactoring - T234803

gerritbot added a comment.Oct 17 2019, 2:45 PM

Change 541220 merged by BBlack:
[operations/puppet@production] ATS: Pick the unified cert using hiera key public_tls_unified_cert_vendor

https://gerrit.wikimedia.org/r/541220

Maintenance_bot removed a project: Patch-For-Review.Oct 17 2019, 3:10 PM
BBlack mentioned this in T209515: Renew Digicert Unified in 2019.Oct 17 2019, 5:35 PM
gerritbot added a comment.Oct 18 2019, 9:01 AM

Change 544151 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Use a common base path for /etc/ssl and /etc/acmecerts certs

https://gerrit.wikimedia.org/r/544151

gerritbot added a project: Patch-For-Review.Oct 18 2019, 9:01 AM
gerritbot added a comment.Oct 22 2019, 6:07 AM

Change 544151 merged by Vgutierrez:
[operations/puppet@production] ATS: Use a common base path for /etc/ssl and /etc/acmecerts certs

https://gerrit.wikimedia.org/r/544151

Maintenance_bot removed a project: Patch-For-Review.Oct 22 2019, 6:10 AM
Stashbot mentioned this in T233274: ATS lua script reload doesn't work as expected.Oct 22 2019, 6:32 AM

Mentioned in SAL (#wikimedia-operations) [2019-10-22T06:32:00Z] <vgutierrez> rolling restart of ats-tls - T233274 T234803

gerritbot added a comment.Oct 22 2019, 8:04 AM

Change 545204 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Grant access to all cp nodes to the unified cert

https://gerrit.wikimedia.org/r/545204

gerritbot added a project: Patch-For-Review.Oct 22 2019, 8:04 AM
gerritbot added a comment.Oct 22 2019, 8:08 AM

Change 545204 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Grant access to all cp nodes to the unified cert

https://gerrit.wikimedia.org/r/545204

Maintenance_bot removed a project: Patch-For-Review.Oct 22 2019, 8:10 AM
gerritbot added a comment.Oct 22 2019, 8:22 AM

Change 545206 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Reload TLS material on acme_chief::cert updates

https://gerrit.wikimedia.org/r/545206

gerritbot added a project: Patch-For-Review.Oct 22 2019, 8:22 AM
gerritbot added a comment.Oct 22 2019, 8:25 AM

Change 545208 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Deploy acme-chief version of the unified certificate globally

https://gerrit.wikimedia.org/r/545208

gerritbot added a comment.Oct 22 2019, 10:12 AM

Change 545206 merged by Vgutierrez:
[operations/puppet@production] ATS,tlsproxy: Reload TLS material on acme_chief::cert updates

https://gerrit.wikimedia.org/r/545206

gerritbot added a comment.Oct 23 2019, 9:31 AM

Change 545208 merged by Vgutierrez:
[operations/puppet@production] ATS: Deploy acme-chief version of the unified certificate globally

https://gerrit.wikimedia.org/r/545208

Vgutierrez added a comment.Oct 23 2019, 9:46 AM
In T234803#5583888, @BBlack wrote:

Notes from IRC, etc:

The current patch (merging shortly: https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/541220/ ) gets us part of the way there, enough to deploy dual commercial certs again across ATS + nginx. What we need to do beyond that in the near to medium term is:

  • Reduce some of the duplication in the hieradata (the common SNI-check blocks, etc)
  • Cover deployment of the lets-encrypt / acme_chief case to all nodes based on it being in the defined set of cert options (currently it's only deployed in eqsin; turning it on elsewhere via ucv hieradata wouldn't work)
  • Fix the issues around ATS not handling a switch of directory paths with a simple reload, since commercial and LE cert options current have distinct directory paths. This means we'll have to create some universal paths for ATS's access to the unified cert/key/ocsp which are symlinks out to the appropriate commercial or legacy paths as appropriate.

After merging https://gerrit.wikimedia.org/r/545206 and https://gerrit.wikimedia.org/r/545208 the following things have changed since @BBlack comment:

  • acme-chief version of the unified certificate is now deployed everywhere
  • setting the ucv to lets-encrypt would work for the upload cluster.
Maintenance_bot removed a project: Patch-For-Review.Oct 23 2019, 10:10 AM
gerritbot added a comment.Oct 24 2019, 3:50 AM

Change 545693 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Grant new esams cp hosts access to the unified certificate

https://gerrit.wikimedia.org/r/545693

gerritbot added a project: Patch-For-Review.Oct 24 2019, 3:50 AM

Change 545693 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Grant new esams cp hosts access to the unified certificate

https://gerrit.wikimedia.org/r/545693

Maintenance_bot removed a project: Patch-For-Review.Oct 24 2019, 4:10 AM
Vgutierrez changed the task status from Open to Stalled.Nov 4 2019, 3:56 AM

I'm marking this task as stalled, it will be resolved as soon as T231627 is completed

gerritbot added a comment.Jan 3 2020, 3:58 PM

Change 561883 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: Deploy acme-chief version of unified certificate on text

https://gerrit.wikimedia.org/r/561883

gerritbot added a project: Patch-For-Review.Jan 3 2020, 3:58 PM
Krenair subscribed.Jan 4 2020, 4:08 PM
Vgutierrez closed this task as Resolved.Feb 27 2020, 5:19 PM
Vgutierrez claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits