Page MenuHomePhabricator
Create Task
Maniphest T399114

Remove OCSP monitoring and related bits
Closed, ResolvedPublic
Actions

Description

Both Lets Encrypt (LE) and Google Trust Service (GTS) have deprecated support for OCSP and we have removed it in our infrastructure in T370821 for LE and T399079 for GTS. As such, we should remove all monitoring around OCSP from our infrastructure and the Puppet bits that support it.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
P:cache::haproxy: remove obsolete do_ocspoperations/puppetproduction+0 -6
nagios_common: remove check_ssl_cdn_ocsp*operations/puppetproduction+0 -10
P:cache::haproxy, C:haproxy, hiera: remove OCSP flag and monitoringoperations/puppetproduction+1 -14
Customize query in gerrit

Related Objects
Search...

Event Timeline

ssingh created this task.Jul 9 2025, 6:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2025, 6:22 PM
ssingh changed the task status from Open to In Progress.Jul 9 2025, 6:22 PM
ssingh triaged this task as Medium priority.
ssingh added a subtask: T399079: Disable OCSP for GTS issued certificates.
gerritbot added a comment.Jul 9 2025, 6:23 PM

Change #1167686 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] P:cache::haproxy: remove obsolete do_ocsp

https://gerrit.wikimedia.org/r/1167686

gerritbot added a project: Patch-For-Review.Jul 9 2025, 6:23 PM
Stashbot added a comment.Jul 9 2025, 6:40 PM

Mentioned in SAL (#wikimedia-operations) [2025-07-09T18:40:54Z] <sukhe> removing ocsp from deployment-prep: commit 3307286c7d18827b87231b61652efbaf0e3ba4c8: T399114

Stashbot added a comment.Jul 9 2025, 6:42 PM

Mentioned in SAL (#wikimedia-operations) [2025-07-09T18:42:31Z] <sukhe> re-adding ocsp from deployment-prep: commit 3307286c7d18827b87231b61652efbaf0e3ba4c8: T399114: will remove after Puppet removal

gerritbot added a comment.Jul 9 2025, 7:02 PM

Change #1167695 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] P:cache::haproxy, C:haproxy, hiera: remove OCSP flag and monitoring

https://gerrit.wikimedia.org/r/1167695

gerritbot added a comment.Jul 9 2025, 7:25 PM

Change #1167698 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] nagios_common: remove check_ssl_cdn_ocsp*

https://gerrit.wikimedia.org/r/1167698

gerritbot added a comment.Jul 14 2025, 2:43 PM

Change #1167695 merged by Ssingh:

[operations/puppet@production] P:cache::haproxy, C:haproxy, hiera: remove OCSP flag and monitoring

https://gerrit.wikimedia.org/r/1167695

Stashbot added a comment.Jul 14 2025, 2:55 PM

Mentioned in SAL (#wikimedia-operations) [2025-07-14T14:55:00Z] <sukhe> sudo cumin 'O:alerting_host' 'run-puppet-agent' :T399114

gerritbot added a comment.Jul 14 2025, 3:00 PM

Change #1167698 merged by Ssingh:

[operations/puppet@production] nagios_common: remove check_ssl_cdn_ocsp*

https://gerrit.wikimedia.org/r/1167698

ssingh closed this task as Resolved.Jul 14 2025, 3:02 PM
ssingh claimed this task.
ssingh closed subtask T399079: Disable OCSP for GTS issued certificates as Resolved.
gerritbot added a comment.Jul 14 2025, 5:48 PM

Change #1167686 merged by Ssingh:

[operations/puppet@production] P:cache::haproxy: remove obsolete do_ocsp

https://gerrit.wikimedia.org/r/1167686

Maintenance_bot removed a project: Patch-For-Review.Jul 14 2025, 6:31 PM
Stashbot added a comment.Jul 21 2025, 4:10 PM

Mentioned in SAL (#wikimedia-operations) [2025-07-21T16:10:10Z] <vgutierrez> cumin 'A:cp' 'systemctl reset-failed update-ocsp-all.timer' - T399114

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits