Page MenuHomePhabricator

add TLS support for smokeping.wikimedia.org
Closed, ResolvedPublic

Description

Currently ats-be is having issues connecting to netmon when trying to serve requests for smokeping.wikimedia.org:

Nov 22 04:19:44 cp1075 traffic_manager[16888]: [Nov 22 04:19:44.777] {0x2b12ac588700} ERROR: SSL connection failed for 'smokeping.wikimedia.org': error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Details

Related Gerrit Patches:

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 22 2019, 8:06 AM

Change 552398 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Add smokeping certificate

https://gerrit.wikimedia.org/r/552398

ema triaged this task as Medium priority.Nov 22 2019, 8:13 AM

@Volans @crusnov @ayounsi we need some clarification regarding TLS material on netmon boxes, right now they get access to librenms and netbox acme-chief managed certificates. Is netbox still needed there?

We could add smokeping.wm.o as a SNI to the librenms one or handle it as an independent certificate (as proposed in https://gerrit.wikimedia.org/r/552398)

@Volans @crusnov @ayounsi we need some clarification regarding TLS material on netmon boxes, right now they get access to librenms and netbox acme-chief managed certificates. Is netbox still needed there?

No, it's not as Netbox was migrated to dedicated VMs netbox[12]001. I've opened T238919 for a more general cleanup.

ema moved this task from Triage to TLS on the Traffic board.Nov 22 2019, 12:54 PM

Change 552680 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Revoke access from netmon boxes to netbox certificate

https://gerrit.wikimedia.org/r/552680

Change 552680 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Revoke access from netmon boxes to netbox certificate

https://gerrit.wikimedia.org/r/552680

@Volans @ayounsi IMHO it doesn't make any sense to include smokeping.wm.o SNI on the librenms certificate, that would set a dependency between otherwise completely isolated services. So I'd say we continue with the 2 certs approach (https://gerrit.wikimedia.org/r/552398)

No problem for me for 1 cert, it seems a reasonable approach.

I was made aware that the two above comments are contradictory. I don't recall the why of my above comment or any limitation on the 2 certs approach. I agree they are separate services and should not depend on each other.

Change 552398 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Add smokeping certificate

https://gerrit.wikimedia.org/r/552398

Change 564045 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/dns@master] Serve smokeping.wm.o directly from netmon1002

https://gerrit.wikimedia.org/r/564045

Change 564046 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] smokeping: Serve traffic directly and using TLS

https://gerrit.wikimedia.org/r/564046

Change 564046 merged by Vgutierrez:
[operations/puppet@production] smokeping: Serve traffic directly and using TLS

https://gerrit.wikimedia.org/r/564046

Change 564045 merged by Vgutierrez:
[operations/dns@master] Serve smokeping.wm.o directly from netmon1002

https://gerrit.wikimedia.org/r/564045

Vgutierrez closed this task as Resolved.Wed, Feb 19, 2:40 PM
Vgutierrez claimed this task.