Page MenuHomePhabricator
Create Task
Maniphest T237066

Push renewed *.wmflabs.org certificate and new private key to cluster (expires 2019-11-16)
Closed, ResolvedPublic
Actions

Description

This task will track the updating of the already renewed/purcahsed *.wmflabs.org certificate/key.

The new certificate will be staged on gerrit via a patchset linked here.

The new private key is already merged live on the private puppet repo with the name new.star.wmflabs.org.key. When it is time to push the new certificate live, the contents of new.star.wmflabs.org.key should be moved into star.wmflabs.org.key and the new.wmflabs.org.key removed.

As this requires coordination with the cloud services team, this task was generated to hand off to them.

Public certificate file location: https://gerrit.wikimedia.org/r/547680
Private keyfile location: private repo, named new.star.wmflabs.org.key.

Details

SubjectRepoBranchLines +/-
base: certificates: add new GlobalSign CA filesoperations/puppetproduction+51 -0
new *.wmflabs.org certificateoperations/puppetproduction+33 -34
Customize query in gerrit

Related Objects
Search...

Event Timeline

RobH triaged this task as High priority.Oct 31 2019, 11:01 PM
RobH created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 31 2019, 11:01 PM
gerritbot added a comment.Oct 31 2019, 11:03 PM

Change 547680 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] new *.wmflabs.org certificate

https://gerrit.wikimedia.org/r/547680

gerritbot added a project: Patch-For-Review.Oct 31 2019, 11:03 PM
RobH removed RobH as the assignee of this task.Oct 31 2019, 11:04 PM
RobH assigned this task to Bstorm.
RobH updated the task description. (Show Details)
RobH edited subscribers, added: Bstorm; removed: RobH.

@Bstorm,

I'm not sure who in your team will be handling this update, but I've put all the details above so this can be reassigned to whoever does the work.

Please note that the ideal replacement time is halfway between the renewed issue date, and the expiry date. I advise swapping this sometime next week.

RobH added a parent task: Unknown Object (Task).Oct 31 2019, 11:06 PM
Krenair subscribed.Oct 31 2019, 11:09 PM
bd808 edited projects, added cloud-services-team (Kanban); removed cloud-services-team.Oct 31 2019, 11:18 PM
bd808 moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.
aborrero claimed this task.Nov 5 2019, 4:25 PM
aborrero added subscribers: RobH, aborrero.

I will handle this. @RobH is everything in place in your side? Am I good to go anytime?

aborrero moved this task from Soon! to Doing on the cloud-services-team (Kanban) board.Nov 5 2019, 4:26 PM
Krenair added a comment.Nov 5 2019, 8:07 PM

(FYI docs for this now live at https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/SSL_certificate)

gerritbot added a comment.Nov 6 2019, 9:56 AM

Change 547680 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] new *.wmflabs.org certificate

https://gerrit.wikimedia.org/r/547680

Stashbot added a comment.Nov 6 2019, 9:57 AM

Mentioned in SAL (#wikimedia-cloud) [2019-11-06T09:57:33Z] <arturo> replacing SSL cert for star.wmflabs.org (T237066)

Maintenance_bot removed a project: Patch-For-Review.Nov 6 2019, 10:10 AM
gerritbot added a comment.Nov 6 2019, 10:47 AM

Change 549058 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] base: certificates: add new GlobalSign CA file

https://gerrit.wikimedia.org/r/549058

gerritbot added a project: Patch-For-Review.Nov 6 2019, 10:47 AM
aborrero added a comment.Nov 6 2019, 10:58 AM

FYI this certificate changed issuer,

From: GlobalSign Organization Validation CA - SHA256 - G2
To: GlobalSign RSA OV SSL CA 2018

Not sure why. But in any case, this should be fine, the new CA is widely distributed in every browser. But we need https://gerrit.wikimedia.org/r/549058

RobH unsubscribed.Nov 6 2019, 4:27 PM
gerritbot added a comment.Nov 7 2019, 9:50 AM

Change 549058 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] base: certificates: add new GlobalSign CA files

https://gerrit.wikimedia.org/r/549058

Stashbot added a comment.Nov 7 2019, 9:53 AM

Mentioned in SAL (#wikimedia-cloud) [2019-11-07T09:53:09Z] <arturo> replacing SSL cert for star.wmflabs.org - for real this time (T237066)

aborrero closed this task as Resolved.Nov 7 2019, 9:55 AM

Done!

Maintenance_bot removed a project: Patch-For-Review.Nov 7 2019, 10:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL