
ATS/Gerrit: validate TLS hosts for gerrit (revert workaround that skips validation)
Closed, Resolved (Public)

Description

As part of moving Gerrit behind the CDN, Gerrit is now addressed by ATS under the new gerrit.discovery.wmnet name, which points to one of the backend server names.

Gerrit servers have two public IPs, one host name and one service name. We have now allowed incoming https connections to both of them in the firewall.

acme_chief/Let's Encrypt provides the certificates for our public service names in .wikimedia.org, but naturally it cannot issue a cert for an internal .wmnet name, so the certificate the origin presents does not match the name ATS connects to.

Therefore we needed a workaround, which was to disable TLS host validation for the Gerrit origin.

This task is to find a different solution for this certificate issue which allows us to revert https://gerrit.wikimedia.org/r/c/operations/puppet/+/1215684 eventually.

Quoting the comment from that change's commit message:

Easiest might be another reverse proxy on a different port on the gerrit hosts, serving a different cert (but then proxied onwards to Apache).
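As an added illustration (not code from this task or from the operations/puppet repo): the check the workaround turns off is matching the origin certificate's dNSName SANs against a host name, and the alternative to disabling it is to keep validation on while verifying against the public name the cert actually carries; in Python's ssl module, server_hostname sets both the SNI sent and the name checked, independently of the address dialled. The SAN list is constructed, and the second SAN is a placeholder for the per-host name.

```python
import socket
import ssl
from typing import Iterable, Optional

# Constructed example: names a Let's Encrypt cert for the public service
# could carry. The internal .wmnet name cannot appear in such a cert.
PUBLIC_CERT_SANS = ["gerrit.wikimedia.org", "HOST-NAME-PLACEHOLDER.wikimedia.org"]


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Case-insensitive dNSName match; a leading '*' label matches exactly
    one label and only when at least two fixed labels follow it."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*" and len(san_labels) > 2:
            if san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def origin_cert_accepted(connect_name: str, san_dns_names: Iterable[str],
                         verify_name: Optional[str] = None,
                         check_hostname: bool = True) -> bool:
    """Decide whether the origin cert passes host-name validation.
    connect_name: the name the proxy dials (e.g. gerrit.discovery.wmnet).
    verify_name: the name the cert is expected to carry, when pinned separately.
    check_hostname=False reproduces the workaround: any cert is accepted."""
    if not check_hostname:
        return True
    return hostname_matches(verify_name or connect_name, san_dns_names)


def make_origin_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context: chain and host name are both verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_origin(connect_name: str, verify_name: str, port: int = 443) -> ssl.SSLSocket:
    """Dial the internal name but send SNI for, and verify against, the public name."""
    raw = socket.create_connection((connect_name, port))
    return make_origin_context().wrap_socket(raw, server_hostname=verify_name)
```

connect_origin is the network step and is not exercised offline; the backend must serve the public-name certificate when it receives that SNI.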

Event Timeline

Dzahn renamed this task from ATS: validate TLS hosts for gerrit (revert workaround that skips validation) to ATS/Gerrit: validate TLS hosts for gerrit (revert workaround that skips validation). Dec 5 2025, 9:23 PM
LSobanski triaged this task as Medium priority. Dec 8 2025, 4:44 PM
LSobanski moved this task from Incoming to Backlog on the collaboration-services board.
Dzahn changed the task status from Open to Stalled. Dec 12 2025, 12:10 AM

There is still debate whether https://gerrit.wikimedia.org/r/c/operations/puppet/+/1215684 is needed or not.

If it turns out it's not needed then this task would become invalid.

If it turns out we need it then this is valid, but until we know... I would call it stalled.