These are the affected GlobalSign certs that weren't handled in the first pass with the updates to the cache terminators:
| Cert | Fixed? | Notes |
| --- | --- | ---|
| archiva.wikimedia.org.crt | Yes | Simple |
| benefactorevents.wikimedia.org.crt | No | Externally-hosted |
| dumps.wikimedia.org.crt | Yes | Simple |
| eventdonations.wikimedia.org.crt | No | Externally-hosted |
| ganglia.wikimedia.org.crt | Yes | Simple |
| icinga.wikimedia.org.crt | No | Simple, but puppet currently disabled... |
| ldap-codfw.wikimedia.org.crt | Yes | serpens, service is slapd |
| ldap-eqiad.wikimedia.org.crt | Yes | seaborgium, service is slapd |
| librenms.wikimedia.org.crt | Yes | Simple |
| lists.wikimedia.org.crt | Yes | Simple |
| mail.wikimedia.org.crt | Yes | mx[12]001; restarted exim4 |
| policy.wikimedia.org.crt | No | Externally-hosted |
| star.tools.wmflabs.org.crt | Yes | See Labs notes below |
| star.wmflabs.org.crt | Yes | Probably not needed, internal, see Labs notes below |
| tendril.wikimedia.org.crt | Yes | Simple |
| wikitech.wikimedia.org.crt | Yes | Simple |
For the ones initially marked Fixed/Simple above: the service host is sshable into the same hostname the cert is obviously for, and were fixed (after the puppet merge of the new intermediate) with:
```
touch /etc/ssl/localcerts/*.org.crt; puppet agent -t; service nginx restart; service apache2 restart
```
Labs notes:
It's a simple nginx restart after the touch/puppet as above, the question is just finding the right hosts:
Instance pattern names for hosts using the certs: https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Admin#SSL_certificates
Finding the current instances: `root@labcontrol1001:~# source ~/novaenv.sh; nova list --all-tenants | egrep 'tools-(proxy|static)-'`