Update varnishkafka client certificate for authenticating to kafka-jumbo
Open, High, Public, 1 Estimated Story Points

Description

We have received a warning that the puppet certificate for varnishkafka is soon to expire.

This is confirmed by checking the certificate file that is present on all caching proxy servers, e.g. cp1075.

btullis@cp1075:/etc/varnishkafka/ssl$ cat varnishkafka.crt.pem | openssl x509 -noout -dates
notBefore=Dec 13 15:55:06 2017 GMT
notAfter=Dec 13 15:55:06 2022 GMT

This certificate will need to be renewed, redeployed, and the varnishkafka service restarted on all cp* hosts.
Failure to do so before the expiry date will result in data loss in the webrequest stream.

The renewal process is similar to that described here: https://wikitech.wikimedia.org/wiki/Kafka/Administration#Kafka_Certificates
However, since it is a *client* certificate (where that client is varnishkafka) the process to make it live is somewhat different.
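
The manual `-dates` check above can be turned into a threshold check that a monitoring job could run. This is an added example, not part of the original task or of any Wikimedia tooling. The function names, the 30-day default threshold and the self-signed sample certificates are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original task). Classifies a PEM certificate
# by remaining validity using `openssl x509 -checkend`.

# cert_expiry_status <cert.pem> [warn_days]   (hypothetical helper name)
# Prints OK / WARN / EXPIRED / UNREADABLE; exit codes 0 / 1 / 2 / 3.
cert_expiry_status() {
    local cert="$1" warn_days="${2:-30}"
    # Reject missing files and anything openssl cannot parse as X.509,
    # so a corrupt file is never reported as merely "expired".
    if [ ! -r "$cert" ] || ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "WARN"; return 1
    fi
    echo "OK"
}

# make_sample_cert <out.pem> <days>: constructed, self-signed throwaway cert
# used only to exercise the check offline; the private key is discarded.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/CN=constructed-example" >/dev/null 2>&1
}

# Demo on constructed certificates: 1 day left, 365 days left, missing file.
demo() {
    local dir f
    dir=$(mktemp -d)
    make_sample_cert "$dir/short.pem" 1
    make_sample_cert "$dir/long.pem" 365
    for f in short.pem long.pem missing.pem; do
        printf '%-12s %s\n' "$f" "$(cert_expiry_status "$dir/$f" 30 || true)"
    done
    rm -rf "$dir"
}
demo
```

On a caching proxy host the same function would be pointed at `/etc/varnishkafka/ssl/varnishkafka.crt.pem`, the file inspected in the description.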