Page MenuHomePhabricator
Create Task
Maniphest T238900

add TLS support for smokeping.wikimedia.org
Closed, ResolvedPublic
Actions

Description

Currently ats-be is having issues connecting to netmon when trying to serve requests for smokeping.wikimedia.org:

Nov 22 04:19:44 cp1075 traffic_manager[16888]: [Nov 22 04:19:44.777] {0x2b12ac588700} ERROR: SSL connection failed for 'smokeping.wikimedia.org': error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Details

SubjectRepoBranchLines +/-
Serve smokeping.wm.o directly from netmon1002operations/dnsmaster+1 -1
smokeping: Serve traffic directly and using TLSoperations/puppetproduction+62 -41
acme_chief: Add smokeping certificateoperations/puppetproduction+7 -0
acme_chief: Revoke access from netmon boxes to netbox certificateoperations/puppetproduction+0 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez created this task.Nov 22 2019, 8:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 22 2019, 8:06 AM
gerritbot added a comment.Nov 22 2019, 8:11 AM

Change 552398 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Add smokeping certificate

https://gerrit.wikimedia.org/r/552398

gerritbot added a project: Patch-For-Review.Nov 22 2019, 8:11 AM
ema triaged this task as Medium priority.Nov 22 2019, 8:13 AM
Vgutierrez added subscribers: crusnov, Volans.Nov 22 2019, 8:24 AM

@Volans @crusnov @ayounsi we need some clarification regarding TLS material on netmon boxes, right now they get access to librenms and netbox acme-chief managed certificates. Is netbox still needed there?

We could add smokeping.wm.o as a SNI to the librenms one or handle it as an independent certificate (as proposed in https://gerrit.wikimedia.org/r/552398)

Volans mentioned this in T238919: Cleanup Netbox stuff from netmon hosts.Nov 22 2019, 12:29 PM
In T238900#5683710, @Vgutierrez wrote:

@Volans @crusnov @ayounsi we need some clarification regarding TLS material on netmon boxes, right now they get access to librenms and netbox acme-chief managed certificates. Is netbox still needed there?

No, it's not as Netbox was migrated to dedicated VMs netbox[12]001. I've opened T238919 for a more general cleanup.

ema moved this task from Backlog to TLS on the Traffic board.Nov 22 2019, 12:54 PM
gerritbot added a comment.Nov 25 2019, 3:21 AM

Change 552680 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Revoke access from netmon boxes to netbox certificate

https://gerrit.wikimedia.org/r/552680

gerritbot added a comment.Nov 25 2019, 12:25 PM

Change 552680 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Revoke access from netmon boxes to netbox certificate

https://gerrit.wikimedia.org/r/552680

Vgutierrez added a comment.Nov 25 2019, 12:49 PM

@Volans @ayounsi IMHO it doesn't make any sense to include smokeping.wm.o SNI on the librenms certificate, that would set a dependency between otherwise completely isolated services. So I'd say we continue with the 2 certs approach (https://gerrit.wikimedia.org/r/552398)

Volans added a comment.Nov 25 2019, 1:34 PM

No problem for me for 1 cert, it seems a reasonable approach.

Volans added a comment.Jan 13 2020, 10:42 AM

I was made aware that the two above comments are contradictory. I don't recall the why of my above comment or any limitation on the 2 certs approach. I agree they are separate services and should not depend on each other.

gerritbot added a comment.Jan 13 2020, 10:46 AM

Change 552398 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Add smokeping certificate

https://gerrit.wikimedia.org/r/552398

Maintenance_bot removed a project: Patch-For-Review.Jan 13 2020, 11:11 AM
gerritbot added a comment.Jan 13 2020, 3:40 PM

Change 564045 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/dns@master] Serve smokeping.wm.o directly from netmon1002

https://gerrit.wikimedia.org/r/564045

gerritbot added a project: Patch-For-Review.Jan 13 2020, 3:40 PM

Change 564046 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] smokeping: Serve traffic directly and using TLS

https://gerrit.wikimedia.org/r/564046

gerritbot added a comment.Jan 17 2020, 11:39 AM

Change 564046 merged by Vgutierrez:
[operations/puppet@production] smokeping: Serve traffic directly and using TLS

https://gerrit.wikimedia.org/r/564046

gerritbot added a comment.Jan 17 2020, 11:47 AM

Change 564045 merged by Vgutierrez:
[operations/dns@master] Serve smokeping.wm.o directly from netmon1002

https://gerrit.wikimedia.org/r/564045

Maintenance_bot removed a project: Patch-For-Review.Jan 17 2020, 12:10 PM
Vgutierrez closed this task as Resolved.Feb 19 2020, 2:40 PM
Vgutierrez claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL