Page MenuHomePhabricator

Audit usage of *.tools.wmflabs.org GlobalSign TLS certificate and migrate any usage to LE
Closed, ResolvedPublic

Description

The GlobalSign certificate that we have used in the past for *.tools.wmflabs.org expires on 2020-06-24. We should replace this wildcard cert with either a Let's Encrypt wildcard or possibly better just individual certs for services that need it.

Details

Due Date
May 29 2020, 12:00 AM

Event Timeline

bd808 created this task.Apr 13 2020, 5:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 13 2020, 5:08 PM
bd808 added a parent task: Unknown Object (Task).Apr 13 2020, 5:08 PM
JHedden triaged this task as High priority.Apr 21 2020, 4:28 PM
bd808 set Due Date to May 29 2020, 12:00 AM.Apr 21 2020, 4:28 PM
Bstorm closed this task as Resolved.Apr 30 2020, 8:57 PM
Bstorm claimed this task.
Bstorm added a subscriber: Bstorm.

I see that T235252: Toolforge: SSL support for new domain toolforge.org created a cert that includes *.tools.wmflabs.org.
In https://github.com/wikimedia/puppet/commit/3a4773217e1fb06809cc080058e845dff2b60c21, we switched to the let's encrypt cert and then we removed the old cert from puppet https://github.com/wikimedia/puppet/commit/cfed4132d455ce8a343884f5e1b21b81b1588647

I do not believe it is currently used anywhere anymore with searching. I checked every place I know it used to be used, and it mentions the acme chief/LE setup instead in puppet. The only other place was the old k8s master, and that's deleted.

bd808 mentioned this in Unknown Object (Task).May 1 2020, 5:58 PM