Now that we have basic puppetization of LE certs, we can start planning to deploy them in some limited places in production where we have existing commercial certs on renewal cycles.
Keep in mind the following situations are off the table (for now, here):
1. This isn't about the junk redirect domains, that's in T133548
2. If it's not a singular, direct, public-facing HTTP[S] host, it's out for now due to puppetization limitations
3. 3rd party services/hosts are out, and I'm not looking at fundraising or labs specifically in this ticket either
4. Wildcard certs (LE doesn't support them)
Looking at our Ops cert renewal calendar and our globalsign account (where most certs come from), and keeping the above restrictions in mind, these seem to be the applicable cases we could LE-ify, ordered by their next commercial cert expiry:
| Cert | Expiry | Switched to LE |
|--|--|--|
| icinga.wm.o | 2017-02-06 | Yes |
| ganglia.wm.o | 2017-02-07 | Yes |
| librenms.wm.o | 2017-02-10 | Yes |
| wikitech.wm.o | 2017-02-23 | Yes |
| lists.wm.o | 2017-03-01 | Yes |
| tendril.wm.o | 2017-03-17 | Yes |
| dumps.wm.o | 2017-04-26 | Yes |
| archiva.wm.o | 2017-05-08 | |
| gerrit.wm.o | 2018-05-25 | Yes |
| stream.wm.o | 2017-11-21 | |
| wikitech-static.w.o | 2017-03-01 | Yes |
I just turned on our first full-auto-puppeted LE certs today (for apt/ubuntu/mirrors, which had no certs at all before), which is an nginx host. I'm going to test one other from the above list which is an Apache host.
We can put off mass conversion of this list for a while (they don't start expiring until 2017 anyway) until we've had some history on the first hosts and are comfortable the LE situation is stable with auto-renewals and all that. So we're probably looking at ~60+ days out from now (circa late June or beyond) before we start converting the remaining services above to LE certs.
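As an added illustration of the two things this plan needs watched (not code from the ticket or from the puppet module): a small triage script that, for the still-commercial hosts, orders them by a conversion deadline derived from the expiry column, and for hosts already on LE flags any cert whose remaining validity has dropped below the point where the auto-renewal should already have fired. The hostnames and expiry dates come from the table above; the "today" date, the 30-day lead and renewal thresholds, and the notAfter values of the LE-issued sample certs are constructed assumptions.

```python
"""Renewal-calendar triage for the LE conversion plan (added example).

Commercial-cert rows are taken from the ticket's table. The 'today' date,
the threshold constants and the LE sample certs are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# LE certs live 90 days and are conventionally renewed with 30 days left, so an
# LE cert with fewer than LE_RENEW_AT_DAYS remaining means the automated renewal
# did not happen and the host needs a look. (Assumed policy values.)
LE_LIFETIME_DAYS = 90
LE_RENEW_AT_DAYS = 30

# Switch a commercial host to LE at least this long before the old cert expires,
# so the commercial cert is never the last thing keeping the site up. (Assumed.)
CONVERSION_LEAD_DAYS = 30


@dataclass
class CertRecord:
    host: str
    not_after: date   # expiry of the cert currently served
    le: bool          # True once the host serves an LE cert


def days_left(rec: CertRecord, today: date) -> int:
    return (rec.not_after - today).days


def le_renewal_overdue(rec: CertRecord, today: date) -> bool:
    """An LE cert below the renewal threshold means auto-renew failed to run."""
    return rec.le and days_left(rec, today) < LE_RENEW_AT_DAYS


def conversion_deadline(rec: CertRecord) -> date:
    """Last day by which a still-commercial host should be on LE."""
    return rec.not_after - timedelta(days=CONVERSION_LEAD_DAYS)


def plan(records, today: date, earliest_conversion: date):
    """Return (overdue_le_hosts, schedule).

    schedule is a list of (host, deadline, too_late) for commercial hosts,
    ordered by deadline; too_late is True when the deadline falls before the
    day we intend to start mass conversion.
    """
    overdue = [r.host for r in records if le_renewal_overdue(r, today)]
    schedule = []
    for r in sorted((r for r in records if not r.le), key=conversion_deadline):
        deadline = conversion_deadline(r)
        schedule.append((r.host, deadline, deadline < earliest_conversion))
    return overdue, schedule


def sample_records(today: date):
    """Constructed input: the ticket's commercial certs plus two assumed LE hosts."""
    commercial = [
        ("icinga.wm.o", date(2017, 2, 6)), ("ganglia.wm.o", date(2017, 2, 7)),
        ("librenms.wm.o", date(2017, 2, 10)), ("wikitech.wm.o", date(2017, 2, 23)),
        ("lists.wm.o", date(2017, 3, 1)), ("tendril.wm.o", date(2017, 3, 17)),
        ("dumps.wm.o", date(2017, 4, 26)), ("archiva.wm.o", date(2017, 5, 8)),
        ("gerrit.wm.o", date(2018, 5, 25)), ("stream.wm.o", date(2017, 11, 21)),
        ("wikitech-static.w.o", date(2017, 3, 1)),
    ]
    records = [CertRecord(h, d, False) for h, d in commercial]
    # Assumed LE hosts: one whose renewal hook evidently did not fire (20 days
    # left), one that is healthy (70 days left).
    records.append(CertRecord("mirrors.example (assumed)", today + timedelta(days=20), True))
    records.append(CertRecord("apache-test.example (assumed)", today + timedelta(days=70), True))
    return records


def triage(today: date = date(2016, 4, 27), earliest_conversion: date = date(2016, 6, 27)):
    """Run the plan on the sample data; defaults approximate 'now' and 'late June'."""
    return plan(sample_records(today), today, earliest_conversion)


if __name__ == "__main__":
    overdue, schedule = triage()
    print("LE renewal overdue:", overdue)
    for host, deadline, too_late in schedule:
        print(f"{host:22} convert by {deadline}{'  <-- before start date!' if too_late else ''}")
```

Running it as-is lists the overdue LE host first and then the commercial hosts in the order the table suggests, starting with icinga.wm.o (convert by 2017-01-07); with a late-June start date none of the deadlines are flagged, which is what the "~60+ days out" estimate relies on.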