
Update media backup TLS certificates
Closed, ResolvedPublic

Description

Puppet certificates don't work with the version of Go that the Prometheus servers use, so Prometheus fails to scrape metrics from them. Update the certificates so that they have the FQDN in the SAN, not only in the CN, which apparently is deprecated.
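To make the failure mode concrete, here is an added example (not code from this task or from Wikimedia's Puppet or PKI setup) using only Go's standard library, the same crypto/x509 package Prometheus relies on. It issues two self-signed certificates for a constructed hostname, one with the name only in the CN and one with it also in the SAN, and shows that Go's hostname verification accepts only the latter. The hostname backup1.example.org and the helper names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned issues a self-signed server certificate for cn, with the
// given SAN DNS names (nil means CN only, the shape this task is about).
// The key and certificate are generated in memory; nothing is written out.
func makeSelfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameAccepted reports whether Go's crypto/x509 (as used by Prometheus)
// considers cert valid for host. Since Go 1.15 only the SAN extension is
// consulted; a name that lives only in the Common Name no longer matches.
func HostnameAccepted(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Diagnose explains a rejected certificate in the terms an operator needs:
// it returns "" when fqdn is accepted, otherwise a short reason.
func Diagnose(cert *x509.Certificate, fqdn string) string {
	if HostnameAccepted(cert, fqdn) {
		return ""
	}
	if len(cert.DNSNames) == 0 && cert.Subject.CommonName == fqdn {
		return "certificate carries the FQDN only in CN; reissue with the FQDN in SAN"
	}
	return fmt.Sprintf("certificate SAN %v does not include %s", cert.DNSNames, fqdn)
}

func main() {
	// Constructed hostname for the example; not a real host.
	const fqdn = "backup1.example.org"

	cnOnly, err := makeSelfSigned(fqdn, nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := makeSelfSigned(fqdn, []string{fqdn})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN only : accepted=%v  %s\n", HostnameAccepted(cnOnly, fqdn), Diagnose(cnOnly, fqdn))
	fmt.Printf("CN + SAN: accepted=%v  %s\n", HostnameAccepted(withSAN, fqdn), Diagnose(withSAN, fqdn))
}
```

Running it prints accepted=false with the CN-only diagnosis for the first certificate and accepted=true for the second. The same Diagnose check can be pointed at a certificate loaded from disk with x509.ParseCertificate to confirm, before deploying, that a reissued backup-host certificate will be scraped successfully.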

Event Timeline

jcrespo triaged this task as High priority. Aug 5 2021, 6:57 AM

High because it is causing metrics to fail to be collected for minio and creating alerts that are not easily acknowledgeable.

My two cents: not necessarily for this task but IMHO would be worth exploring if this is fixed (or has been, or it will be) on the puppet side, IOW asking for certs with fqdn in SAN too at enrollment time

I had an IRC discussion with @fgiunchedi, profile::pki seems the proper way to fix this, which may require changes on cert generation on backup hosts and CA configuration on prometheus ones. I need to research a bit about PKI support, as I don't have experience implementing it. CC @jbond

This was fixed in https://gerrit.wikimedia.org/r/710491 thus optimistically resolving