Page MenuHomePhabricator
Create Task
Maniphest T313227

Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org
Closed, ResolvedPublic
Actions

Description

  • Get new edge HTTPS certificates for production need to be expanded/re-issued to mention the wikifunctions.org and *.wikifunctions.org domains
  • Ditto for internal certificates which are generated using cergen (the file mediawiki.certs.yaml)
  • acme-chief needs to be updated for Let's encrypt certs for wikifunctions.org
  • Buy the standard set of certs adding wikifunctions.org

Details

SubjectRepoBranchLines +/-
ssl: Fix parsoid.svc.{codfw,eqiad} pubkeysoperations/puppetproduction+80 -84
ssl: Update api,jobrunner,appservers,parsoid certsoperations/puppetproduction+424 -376
acme-chief: Add wikifunctions.org to the unified certoperations/puppetproduction+2 -279
acme_chief: Test adding wikifunctions.org in acmechief-test1001operations/puppetproduction+279 -0
Add wikifunctions.org to exim domainsoperations/puppetproduction+1 -0
Revert "wikifunctions.org: add temp DCV TXT record"operations/dnsmaster+0 -3
wikifunctions.org: add temp DCV TXT recordoperations/dnsmaster+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Jdforrester-WMF created this task.Jul 18 2022, 2:21 PM
Jdforrester-WMF updated the task description. (Show Details)
Jdforrester-WMF mentioned this in T313226: Get all SRE-type things ready for launching Wikifunctions.
Vgutierrez triaged this task as Medium priority.Jul 18 2022, 2:26 PM
Vgutierrez added a project: Traffic.
RhinosF1 subscribed.Jul 18 2022, 2:26 PM
Maintenance_bot added a project: SRE.Jul 18 2022, 2:29 PM
BBlack assigned this task to Jdforrester-WMF.Jul 20 2022, 1:49 PM
BBlack subscribed.

Hi - the process for the public certs+DNS on this are non-trivial, can we get a little more information please?

Specifically:

  1. When do we expect to need the public domain + cert to be live on the Internet by?
  2. What's the plan for the wildcard subdomains? Will they be the standard suite of language-code subdomains like most other projects, or?
Jdforrester-WMF added a comment.Jul 20 2022, 2:00 PM
In T313227#8091301, @BBlack wrote:

Hi - the process for the public certs+DNS on this are non-trivial, can we get a little more information please?

Specifically:

  1. When do we expect to need the public domain + cert to be live on the Internet by?

In the next few months; as soon as it's available we'll put up a landing page.

  1. What's the plan for the wildcard subdomains? Will they be the standard suite of language-code subdomains like most other projects, or?

It'll be like Wikidata; single main wiki, with m.wikifunctions.org for mobile, and later with potential future sub-projects like query.wikifunctions.org or whatever.

akosiaris subscribed.Jul 20 2022, 3:29 PM
KOfori subscribed.Jul 25 2022, 1:02 PM
BBlack mentioned this in Unknown Object (Task).Aug 3 2022, 11:00 PM
Jdforrester-WMF removed Jdforrester-WMF as the assignee of this task.Aug 8 2022, 2:12 PM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:17 PM
gerritbot added a comment.Oct 13 2022, 4:14 PM

Change 842499 had a related patch set uploaded (by BBlack; author: BBlack):

[operations/puppet@production] Add wikifunctions.org to exim domains

https://gerrit.wikimedia.org/r/842499

gerritbot added a project: Patch-For-Review.Oct 13 2022, 4:14 PM
gerritbot added a comment.Oct 13 2022, 4:22 PM

Change 842500 had a related patch set uploaded (by BBlack; author: BBlack):

[operations/dns@master] wikifunctions.org: add temp DCV TXT record

https://gerrit.wikimedia.org/r/842500

gerritbot added a comment.Oct 13 2022, 4:23 PM

Change 842500 merged by BBlack:

[operations/dns@master] wikifunctions.org: add temp DCV TXT record

https://gerrit.wikimedia.org/r/842500

gerritbot added a comment.Oct 13 2022, 4:27 PM

Change 842501 had a related patch set uploaded (by BBlack; author: BBlack):

[operations/dns@master] Revert "wikifunctions.org: add temp DCV TXT record"

https://gerrit.wikimedia.org/r/842501

gerritbot added a comment.Oct 13 2022, 4:28 PM

Change 842501 merged by BBlack:

[operations/dns@master] Revert "wikifunctions.org: add temp DCV TXT record"

https://gerrit.wikimedia.org/r/842501

gerritbot added a comment.Oct 25 2022, 3:05 PM

Change 849111 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] acme_chief: Test adding wikifunctions.org in acmechief-test1001

https://gerrit.wikimedia.org/r/849111

gerritbot added a comment.Oct 25 2022, 4:15 PM

Change 842499 merged by BBlack:

[operations/puppet@production] Add wikifunctions.org to exim domains

https://gerrit.wikimedia.org/r/842499

gerritbot added a comment.Oct 26 2022, 8:48 AM

Change 849111 merged by Vgutierrez:

[operations/puppet@production] acme_chief: Test adding wikifunctions.org in acmechief-test1001

https://gerrit.wikimedia.org/r/849111

gerritbot added a comment.Oct 26 2022, 9:05 AM

Change 849486 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] acme-chief: Add wikifunctions.org to the unified cert

https://gerrit.wikimedia.org/r/849486

gerritbot added a comment.Oct 26 2022, 9:21 AM

Change 849486 merged by Vgutierrez:

[operations/puppet@production] acme-chief: Add wikifunctions.org to the unified cert

https://gerrit.wikimedia.org/r/849486

Vgutierrez subscribed.Oct 26 2022, 9:28 AM

acme-chief will deploy the unified cert shipping wikifunctions.org and *.wikifunctions.org SNI on 2022-11-02 08:25:26:

Oct 26 09:25:14 acmechief1001 acme-chief-backend[17159]: Staging_time will be enforced for unified / ec-prime256v1 till 2022-11-02 08:25:13
Oct 26 09:25:28 acmechief1001 acme-chief-backend[17159]: Staging_time will be enforced for unified / rsa-2048 till 2022-11-02 08:25:26
root@acmechief1001:~# openssl x509 -dates -ext subjectAltName -noout -in /var/lib/acme-chief/certs/unified/new/rsa-2048.crt
notBefore=Oct 26 08:25:26 2022 GMT
notAfter=Jan 24 08:25:25 2023 GMT
X509v3 Subject Alternative Name: 
    DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
root@acmechief1001:~# openssl x509 -dates -ext subjectAltName -noout -in /var/lib/acme-chief/certs/unified/new/ec-prime256v1.crt
notBefore=Oct 26 08:25:13 2022 GMT
notAfter=Jan 24 08:25:12 2023 GMT
X509v3 Subject Alternative Name: 
    DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
Vgutierrez updated the task description. (Show Details)Oct 26 2022, 10:01 AM
Vgutierrez added a comment.Nov 2 2022, 11:30 AM

DCs using the Let's Encrypt cert have the wikifunctions.org SNI available already:

vgutierrez@carrot:~/wikimedia.org/operations/dns$ openssl s_client -connect text-lb.eqiad.wikimedia.org:443 </dev/null 2>/dev/null |openssl x509 -noout -dates -ext subjectAltName
notBefore=Oct 26 08:25:26 2022 GMT
notAfter=Jan 24 08:25:25 2023 GMT
X509v3 Subject Alternative Name: 
    DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
Vgutierrez updated the task description. (Show Details)Nov 3 2022, 2:05 PM
BCornwall subscribed.May 1 2023, 9:26 PM

@Vgutierrez Would you consider this completed and ready to close?

Maintenance_bot removed a project: Patch-For-Review.May 1 2023, 9:30 PM
Joe subscribed.May 2 2023, 6:52 AM

we also need to add wikifunctions to our internal certs

Joe updated the task description. (Show Details)May 2 2023, 7:12 AM
Clement_Goubert claimed this task.May 2 2023, 1:37 PM
gerritbot added a comment.May 2 2023, 2:04 PM

Change 914339 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] ssl: Update api.svc, jobrunner.svc, and appservers.svc certs

https://gerrit.wikimedia.org/r/914339

gerritbot added a project: Patch-For-Review.May 2 2023, 2:04 PM
Clement_Goubert changed the task status from Open to In Progress.May 2 2023, 2:10 PM
Clement_Goubert moved this task from 🙈🙉🙊Backlog to Doing 😎 on the serviceops board.
gerritbot added a comment.May 2 2023, 2:31 PM

Change 914339 merged by Clément Goubert:

[operations/puppet@production] ssl: Update api,jobrunner,appservers,parsoid certs

https://gerrit.wikimedia.org/r/914339

Stashbot added a comment.May 2 2023, 2:33 PM

Mentioned in SAL (#wikimedia-operations) [2023-05-02T14:33:24Z] <claime> Merging new internal certs for api, jobrunner, appservers, parsoid - T313227

Maintenance_bot removed a project: Patch-For-Review.May 2 2023, 3:10 PM
gerritbot added a comment.May 2 2023, 3:20 PM

Change 914357 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys

https://gerrit.wikimedia.org/r/914357

gerritbot added a project: Patch-For-Review.May 2 2023, 3:20 PM
gerritbot added a comment.May 2 2023, 3:34 PM

Change 914357 merged by Clément Goubert:

[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys

https://gerrit.wikimedia.org/r/914357

Stashbot added a comment.May 2 2023, 3:36 PM

Mentioned in SAL (#wikimedia-operations) [2023-05-02T15:36:13Z] <claime> Re-running puppet on failed parse servers - T313227

Maintenance_bot removed a project: Patch-For-Review.May 2 2023, 4:11 PM
Clement_Goubert updated the task description. (Show Details)May 3 2023, 8:14 AM

New internal certs now include wikifunctions.org and *.wikifunctions.org

Was there anything else?

BCornwall closed this task as Resolved.May 10 2023, 9:04 PM

Resolving since it appears to be finished. Thanks all!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits