On virt10xx, libvirtd uses a WMF CA-signed wildcard cert for virt*.eqiad.wmnet.
As part of the renaming from virt* to labvirt* we need a new cert for labvirt*.eqiad.wmnet.
https://gerrit.wikimedia.org/r/#/c/204279/ is an attempt to do this, but that cert is self-signed and we need one signed with the WMF CA.
In the meantime, libvirtd.log has sad, repeated notices:
error : virNetTLSContextCheckCertPair:495 : Our own certificate /etc/ssl/localcerts/labvirt-star.eqiad.wmnet.crt failed validation against /etc/ssl/certs/wmf-ca.pem: The certificate hasn't got a known issuer.