LetsEncrypt cert expiration warning for some ncredir names
Closed, Resolved (Public)

Description

We got an email on noc@ from LetsEncrypt warning that certs for the names listed below will expire at 2021-07-19 14:01 UTC -- that's ten days from this task, nineteen days from their warning. That's closer than we usually let these get to expiring, as I understand it.

The list of names exactly matches non-canonical-redirect-2 in hieradata/common.yaml.

Marking this high priority because expiration will be a week from the end of the WMF holiday; traffic folks, feel free to downgrade.

The email subject was Let's Encrypt certificate expiration notice for domain "*.wikimania.asia" (and 37 more), received at 2021-06-29 14:09 UTC. Affected names:

*.wikimania.asia
*.wikimania.com
*.wikimania.org
*.wikimedia.com
*.wikimedia.community
*.wikimedia.jp.net
*.wikimedia.lt
*.wikimedia.us
*.wikimediacommons.co.uk
*.wikimediacommons.info
*.wikimediacommons.jp.net
*.wikimediacommons.mobi
*.wikimediacommons.net
*.wikimediacommons.org
*.wikimediafoundation.com
*.wikimediafoundation.info
*.wikimediafoundation.net
*.wikinews.com
*.wikinews.de
wikimania.asia
wikimania.com
wikimania.org
wikimedia.com
wikimedia.community
wikimedia.jp.net
wikimedia.lt
wikimedia.us
wikimediacommons.co.uk
wikimediacommons.info
wikimediacommons.jp.net
wikimediacommons.mobi
wikimediacommons.net
wikimediacommons.org
wikimediafoundation.com
wikimediafoundation.info
wikimediafoundation.net
wikinews.com
wikinews.de

Event Timeline

RLazarus triaged this task as High priority. (Jul 9 2021, 3:35 PM)
Vgutierrez lowered the priority of this task from High to Medium. (Jul 10 2021, 6:03 PM)
Vgutierrez added a subscriber: BBlack.

non-canonical-redirect-2 was successfully renewed on July 3rd, with the exception of wikimedia.com and *.wikimedia.com. This is expected and caused by T281428. It looks like, as part of that task, @BBlack missed the clean-up of the acme-chief config.

root@acmechief1001:/var/lib/acme-chief/certs/non-canonical-redirect-2# openssl x509 -noout -issuer -dates -in /var/lib/acme-chief/certs/non-canonical-redirect-2/live/rsa-2048.crt
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Jul  3 16:00:50 2021 GMT
notAfter=Oct  1 16:00:49 2021 GMT

acme-chief continued to issue the certificate because the non-canonical-redirect certs are configured with the flag skip_invalid_snis: true.

root@acmechief1001:/var/lib/acme-chief/certs/non-canonical-redirect-2# openssl x509 -noout -text -in /var/lib/acme-chief/certs/non-canonical-redirect-2/live/rsa-2048.crt |grep DNS: |sed s/DNS://g |sed 's/, /\n/g'
                *.wikimania.asia
*.wikimania.com
*.wikimania.org
*.wikimedia.community
*.wikimedia.jp.net
*.wikimedia.lt
*.wikimedia.us
*.wikimediacommons.co.uk
*.wikimediacommons.info
*.wikimediacommons.jp.net
*.wikimediacommons.mobi
*.wikimediacommons.net
*.wikimediacommons.org
*.wikimediafoundation.com
*.wikimediafoundation.info
*.wikimediafoundation.net
*.wikinews.com
*.wikinews.de
wikimania.asia
wikimania.com
wikimania.org
wikimedia.community
wikimedia.jp.net
wikimedia.lt
wikimedia.us
wikimediacommons.co.uk
wikimediacommons.info
wikimediacommons.jp.net
wikimediacommons.mobi
wikimediacommons.net
wikimediacommons.org
wikimediafoundation.com
wikimediafoundation.info
wikimediafoundation.net
wikinews.com
wikinews.de
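
The comparison made by hand in the comment above, as an added example that is not part of the original task or of acme-chief: it lists configured SNIs that are absent from the issued certificate's SAN list, which is the silent gap skip_invalid_snis: true allows. The function names `san_names` and `missing_snis` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not acme-chief code). Hypothetical helper names.

# Read `openssl x509 -noout -text` output on stdin, print one SAN DNS name per line.
san_names() {
    grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | LC_ALL=C sort -u
}

# $1 = configured SNIs (newline separated), $2 = `openssl x509 -noout -text` output.
# Prints every configured name that is missing from the certificate.
missing_snis() {
    sans=$(printf '%s\n' "$2" | san_names)
    printf '%s\n' "$1" | LC_ALL=C sort -u | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # -x: whole-line match, -F: fixed string, so "*" is not a pattern
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: a short configured SNI list ...
SAMPLE_CONFIGURED='wikimania.org
*.wikimania.org
wikimedia.com
*.wikimedia.com
wikinews.de'

# ... and a constructed excerpt shaped like `openssl x509 -noout -text` output
# for a certificate issued after the wikimedia.com names were skipped.
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:*.wikimania.org, DNS:wikimania.org, DNS:wikinews.de'

# Real use on the host, with a names file you maintain (assumption):
#   missing_snis "$(cat names.txt)" \
#     "$(openssl x509 -noout -text -in live/rsa-2048.crt)"
missing_snis "$SAMPLE_CONFIGURED" "$SAMPLE_CERT_TEXT"
```

Any output means the configuration still lists names the CA no longer validates, so either the names or the configuration need cleaning up.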

Change 703910 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] nc_redirects: Remove wikimedia.com rule

https://gerrit.wikimedia.org/r/703910

Change 703911 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] acme-chief: Drop wikimedia.com related SNIs

https://gerrit.wikimedia.org/r/703911

I'll merge https://gerrit.wikimedia.org/r/703910 and https://gerrit.wikimedia.org/r/703911 on Monday to properly clean up wikimedia.com from ncredir rules and acme-chief configuration. Thanks for filing the task, @RLazarus.

Change 703910 merged by Vgutierrez:

[operations/puppet@production] nc_redirects: Remove wikimedia.com rule

https://gerrit.wikimedia.org/r/703910

Change 703911 merged by Vgutierrez:

[operations/puppet@production] acme-chief: Drop wikimedia.com related SNIs

https://gerrit.wikimedia.org/r/703911

Vgutierrez claimed this task.