
Push renewed * certificate and new private key to cluster (expires 2019-11-16)
Closed, Resolved (Public)


This task will track the updating of the already renewed/purchased * certificate/key.

The new certificate will be staged on gerrit via a patchset linked here.

The new private key is already merged live on the private puppet repo with the name When it is time to push the new certificate live, the contents of should be moved into and the removed.

As this requires coordination with the cloud services team, this task was generated to hand off to them.

Public certificate file location:
Private keyfile location: private repo, named

Event Timeline

RobH triaged this task as High priority. Oct 31 2019, 11:01 PM
RobH created this task.

Change 547680 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] new * certificate

RobH removed RobH as the assignee of this task. Oct 31 2019, 11:04 PM
RobH assigned this task to Bstorm.
RobH updated the task description.
RobH edited subscribers, added: Bstorm; removed: RobH.


I'm not sure who in your team will be handling this update, but I've put all the details above so this can be reassigned to whoever does the work.

Please note that the ideal replacement time is halfway between the renewed issue date and the expiry date. I advise swapping this sometime next week.

RobH added a parent task: Unknown Object (Task). Oct 31 2019, 11:06 PM
aborrero added subscribers: RobH, aborrero.

I will handle this. @RobH is everything in place on your side? Am I good to go anytime?

Change 547680 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] new * certificate

Mentioned in SAL (#wikimedia-cloud) [2019-11-06T09:57:33Z] <arturo> replacing SSL cert for (T237066)

Change 549058 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] base: certificates: add new GlobalSign CA file

FYI this certificate changed issuer,

From: GlobalSign Organization Validation CA - SHA256 - G2
To: GlobalSign RSA OV SSL CA 2018

Not sure why. But in any case, this should be fine, the new CA is widely distributed in every browser. But we need

Change 549058 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] base: certificates: add new GlobalSign CA files

Mentioned in SAL (#wikimedia-cloud) [2019-11-07T09:53:09Z] <arturo> replacing SSL cert for - for real this time (T237066)