With the unplanned expiration of a couple of SSL certificates, T112542 was generated. Since then, we've listed all of the domains we purchased certificates from.
Now we need to decide if we are going to put in Icinga checks for all of them, or just some, and how to differentiate.
>>! In T112542#1640176, @BBlack wrote:
> We only have that icinga check on the primary unified cert, which covers the production endpoints for:
>
> - wikipedia.org
> - mediawiki.org
> - wikibooks.org
> - wikidata.org
> - wikimediafoundation.org
> - wikimedia.org
> - wikinews.org
> - wikiquote.org
> - wikisource.org
> - wikiversity.org
> - wikivoyage.org
> - wiktionary.org
>
> ... and all of their mobile subdomains and whatnot. It's a pretty verbose check, validates functional SSL for all of the SAN domains, checks the cert expiry, etc.
>
> But we don't have any kind of checking in place for the various other misc certs we own that are deployed for smaller or one-off services, or deployed to third parties (or in some cases, rare today but important later - not deployed at all but still critical). Just looking at puppet's files/ssl/ today, that list is something like:
>
> - archiva.wikimedia.org.crt
> - blog.wikimedia.org.crt
> - dumps.wikimedia.org.crt
> - ecc-star.wmfusercontent.org.crt
> - eventdonations.wikimedia.org.crt
> - ganglia.wikimedia.org.crt
> - gerrit.wikimedia.org.crt
> - icinga.wikimedia.org.crt
> - labvirt-star.eqiad.wmnet.crt
> - ldap-codfw.wikimedia.org.crt
> - ldap-eqiad.wikimedia.org.crt
> - ldap-mirror.wikimedia.org.crt
> - librenms.wikimedia.org.crt
> - lists.wikimedia.org.crt
> - policy.wikimedia.org.crt
> - rt.wikimedia.org.crt
> - star.planet.wikimedia.org.crt
> - star.wmflabs.org.crt
> - star.wmfusercontent.org.crt
> - stream.wikimedia.org.crt
> - tendril.wikimedia.org.crt
> - ticket.wikimedia.org.crt
> - toolserver.org.crt
> - virt-star.eqiad.wmnet.crt
> - wikitech.wikimedia.org.crt
>
> Of those, I can see in our icinga config direct expiry checks only for:
>
> - lists.wikimedia.org
> - ticket.wikimedia.org
> - ldap-codfw.wikimedia.org
> - ldap-eqiad.wikimedia.org

Additionally: https://docs.google.com/a/wikimedia.org/spreadsheets/d/1yT5rvoEEUHhNeJAQRVamr8ECqN3TLsMaO8N_At4Ki3I/edit?usp=sharing lists all the certificates and expiry info.
We need to determine which of these will get Icinga checks.
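
A sketch of the kind of per-certificate expiry check discussed in this task, as an added example (it is not the check Wikimedia runs and not code from the task): it does a verified TLS handshake and maps the certificate's notAfter date to the standard plugin exit codes. The 30/14-day thresholds, the function names and the `service.example.org` sample values are assumptions made for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios/Icinga plugin exit codes


def fetch_not_after(host, port=443, timeout=10):
    """Verified TLS handshake; returns the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def evaluate(name, not_after, now, warn_days=30, crit_days=14):
    """Map a notAfter string such as 'Oct 30 00:00:00 2015 GMT' to (code, message)."""
    try:
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    except ValueError:
        return UNKNOWN, f"UNKNOWN - {name}: cannot parse notAfter {not_after!r}"
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return CRITICAL, f"CRITICAL - {name}: certificate expired {expires:%Y-%m-%d}"
    if remaining.days < crit_days:  # assumed threshold
        return CRITICAL, f"CRITICAL - {name}: expires in {remaining.days} days"
    if remaining.days < warn_days:  # assumed threshold
        return WARNING, f"WARNING - {name}: expires in {remaining.days} days"
    return OK, f"OK - {name}: expires in {remaining.days} days"


def check_host(host, now=None):
    """Live check: a failed handshake or failed validation is CRITICAL, not UNKNOWN."""
    now = now or datetime.now(timezone.utc)
    try:
        return evaluate(host, fetch_not_after(host), now)
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return CRITICAL, f"CRITICAL - {host}: TLS check failed ({exc})"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # plugin mode: one hostname, exit code carries the state
        code, message = check_host(sys.argv[1])
        print(message)
        sys.exit(code)
    demo_now = datetime(2015, 9, 16, tzinfo=timezone.utc)  # constructed clock
    for end in ("Oct 30 00:00:00 2015 GMT", "Oct  6 00:00:00 2015 GMT", "Sep 15 00:00:00 2015 GMT"):
        print(evaluate("service.example.org", end, demo_now)[1])  # constructed dates
```

A handshake-based check like this only covers certificates that are actually served somewhere; certificates that are not deployed would need their notAfter read from the certificate file instead.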