@RLazarus in https://phabricator.wikimedia.org/T248093#6076630 you mentioned committing a script for automating cert renewal, and I see it indeed. Renewing the certs should amount to just running the script, correct?

I am aiming to at least test TLS on memcached T271967, hoping to roll it out next month. If this works out, we will not be needing mcrouter certs. We have 60 days ahead of us, I think it can be done, providing that testing is successful.

In T276029#6870062, @jijiki wrote:

I am aiming to at least test TLS on memcached T271967, hoping to roll it out next month. If this works out, we will not be needing mcrouter certs. We have 60 days ahead of us, I think it can be done, providing that testing is successful.

In that hypothesis, we'd also get rid of mcrouter proxies completely, which is an added advantage. 60 days seems a bit tight though, but if you feel confident you can do it, sure, why not. I'd just like not to have to do this on a tight schedule.

In T276029#6870186, @Joe wrote:

In T276029#6870062, @jijiki wrote:

I am aiming to at least test TLS on memcached T271967, hoping to roll it out next month. If this works out, we will not be needing mcrouter certs. We have 60 days ahead of us, I think it can be done, providing that testing is successful.

In that hypothesis, we'd also get rid of mcrouter proxies completely, which is an added advantage. 60 days seems a bit tight though, but if you feel confident you can do it, sure, why not. I'd just like not to have to do this on a tight schedule.

Oh yeah, that was implied :). The memcached upgrade to a version that supports TLS is halfway done, and we are already using memcached + TLS in idp. Even if we don't make it on time, we always have the option to do what we did last time.

In T276029#6869338, @Joe wrote:

@RLazarus in https://phabricator.wikimedia.org/T248093#6076630 you mentioned committing a script for automating cert renewal, and I see it indeed. Renewing the certs should amount to just running the script, correct?

Yep -- modules/cergen/files/renew_mcrouter_certs.py is the code, and it's /usr/local/bin/renew_mcrouter_certs on the pupetmaster.

Can't promise that the script hasn't rotted in the last year, but if not, it should really be as simple as "ssh to the puppetmaster and run it."

Halfway ping just to remember that a month is left before the certs expire :)

yeap, thank you!

@RLazarus do you mind running the script one last time? I hope to get TLS working this quarter, but sadly I didn't manage to do it towards the end of Q3 as I originally planned.

Mentioned in SAL (#wikimedia-operations) [2021-04-14T14:13:07Z] <rzl> mcrouter cert renewal complete, puppet re-enabled T276029