Stop issuing RSA certificates
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Vgutierrez
	Jun 27 2025, 9:29 AM

Description

Back in T375569 we stopped using RSA certificates (almost) everywhere. We can safely stop issuing them now for every certificate configured in acme-chief except for

lists (T398018)
mx-in and mx-out

Details

Related Changes in Gerrit:

	Subject	Repo	Branch	Lines +/-
	acme_chief: Don't issue RSA certs by default	operations/puppet	production	+19 -9

Customize query in gerrit

Related Objects

Mentioned Here: T375569: Remove RSA certificates from puppet
T398018: Follow up on lists.wm.o TLS usage
T398019: Set up TLS dual stack for mx-in[12]001.wikimedia.org

Event Timeline

Vgutierrez created this task.Jun 27 2025, 9:29 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 27 2025, 9:29 AM

Vgutierrez triaged this task as Medium priority.Jun 27 2025, 9:42 AM

toolforge

Unless I've missed something, https://gerrit.wikimedia.org/r/c/operations/puppet/+/1164399 will let this change to be done for the Toolforge certs as well.

Vgutierrez updated the task description. (Show Details)Jun 27 2025, 10:18 AM

Change #1164418 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] acme_chief: Don't issue RSA certs by default

https://gerrit.wikimedia.org/r/1164418

gerritbot added a project: Patch-For-Review.Jun 27 2025, 10:25 AM

Change #1164418 merged by Vgutierrez:

[operations/puppet@production] acme_chief: Don't issue RSA certs by default

https://gerrit.wikimedia.org/r/1164418

Mentioned in SAL (#wikimedia-operations) [2025-07-02T09:49:23Z] <vgutierrez> acme-chief: stop issuing RSA certificates by default - T398020

Vgutierrez closed this task as Resolved.Jul 2 2025, 9:53 AM

Vgutierrez claimed this task.

Maintenance_bot removed a project: Patch-For-Review.Jul 2 2025, 10:31 AM