- Get new edge HTTPS certificates for production need to be expanded/re-issued to mention the wikifunctions.org and *.wikifunctions.org domains
- Ditto for internal certificates which are generated using cergen (the file mediawiki.certs.yaml)
- acme-chief needs to be updated for Let's encrypt certs for wikifunctions.org
- Buy the standard set of certs adding wikifunctions.org
Description
Details
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Open | BUG REPORT | None | T344206 Special:MathStatus exception error on Wikifunctions | ||
Resolved | Jdforrester-WMF | T342865 Post-creation work for wikifunctionswiki | |||
Resolved | BTullis | T289316 Prepare and check storage layer for Wikifunctions.org (new public content wiki) | |||
Resolved | Jdforrester-WMF | T275945 Create Wikifunctions.org | |||
Resolved | cmassaro | T313226 Get all SRE-type things ready for launching Wikifunctions | |||
Resolved | Clement_Goubert | T313227 Get new edge & internal HTTPS certificates expanded to add wikifunctions.org and *.wikifunctions.org |
Event Timeline
Hi - the process for the public certs+DNS on this are non-trivial, can we get a little more information please?
Specifically:
- When do we expect to need the public domain + cert to be live on the Internet by?
- What's the plan for the wildcard subdomains? Will they be the standard suite of language-code subdomains like most other projects, or?
In the next few months; as soon as it's available we'll put up a landing page.
- What's the plan for the wildcard subdomains? Will they be the standard suite of language-code subdomains like most other projects, or?
It'll be like Wikidata; single main wiki, with m.wikifunctions.org for mobile, and later with potential future sub-projects like query.wikifunctions.org or whatever.
Change 842499 had a related patch set uploaded (by BBlack; author: BBlack):
[operations/puppet@production] Add wikifunctions.org to exim domains
Change 842500 had a related patch set uploaded (by BBlack; author: BBlack):
[operations/dns@master] wikifunctions.org: add temp DCV TXT record
Change 842500 merged by BBlack:
[operations/dns@master] wikifunctions.org: add temp DCV TXT record
Change 842501 had a related patch set uploaded (by BBlack; author: BBlack):
[operations/dns@master] Revert "wikifunctions.org: add temp DCV TXT record"
Change 842501 merged by BBlack:
[operations/dns@master] Revert "wikifunctions.org: add temp DCV TXT record"
Change 849111 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):
[operations/puppet@production] acme_chief: Test adding wikifunctions.org in acmechief-test1001
Change 842499 merged by BBlack:
[operations/puppet@production] Add wikifunctions.org to exim domains
Change 849111 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Test adding wikifunctions.org in acmechief-test1001
Change 849486 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):
[operations/puppet@production] acme-chief: Add wikifunctions.org to the unified cert
Change 849486 merged by Vgutierrez:
[operations/puppet@production] acme-chief: Add wikifunctions.org to the unified cert
acme-chief will deploy the unified cert shipping wikifunctions.org and *.wikifunctions.org SNI on 2022-11-02 08:25:26:
Oct 26 09:25:14 acmechief1001 acme-chief-backend[17159]: Staging_time will be enforced for unified / ec-prime256v1 till 2022-11-02 08:25:13 Oct 26 09:25:28 acmechief1001 acme-chief-backend[17159]: Staging_time will be enforced for unified / rsa-2048 till 2022-11-02 08:25:26
root@acmechief1001:~# openssl x509 -dates -ext subjectAltName -noout -in /var/lib/acme-chief/certs/unified/new/rsa-2048.crt notBefore=Oct 26 08:25:26 2022 GMT notAfter=Jan 24 08:25:25 2023 GMT X509v3 Subject Alternative Name: DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org root@acmechief1001:~# openssl x509 -dates -ext subjectAltName -noout -in /var/lib/acme-chief/certs/unified/new/ec-prime256v1.crt notBefore=Oct 26 08:25:13 2022 GMT notAfter=Jan 24 08:25:12 2023 GMT X509v3 Subject Alternative Name: DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
DCs using the Let's Encrypt cert have the wikifunctions.org SNI available already:
vgutierrez@carrot:~/wikimedia.org/operations/dns$ openssl s_client -connect text-lb.eqiad.wikimedia.org:443 </dev/null 2>/dev/null |openssl x509 -noout -dates -ext subjectAltName notBefore=Oct 26 08:25:26 2022 GMT notAfter=Jan 24 08:25:25 2023 GMT X509v3 Subject Alternative Name: DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikifunctions.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikipedia.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikifunctions.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikipedia.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org
Change 914339 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):
[operations/puppet@production] ssl: Update api.svc, jobrunner.svc, and appservers.svc certs
Change 914339 merged by Clément Goubert:
[operations/puppet@production] ssl: Update api,jobrunner,appservers,parsoid certs
Mentioned in SAL (#wikimedia-operations) [2023-05-02T14:33:24Z] <claime> Merging new internal certs for api, jobrunner, appservers, parsoid - T313227
Change 914357 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):
[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys
Change 914357 merged by Clément Goubert:
[operations/puppet@production] ssl: Fix parsoid.svc.{codfw,eqiad} pubkeys
Mentioned in SAL (#wikimedia-operations) [2023-05-02T15:36:13Z] <claime> Re-running puppet on failed parse servers - T313227
New internal certs now include wikifunctions.org and *.wikifunctions.org
Was there anything else?