Portal:Cloud VPS/Admin/SSL certificate

From Wikitech
This page contains historical information. It may be outdated or unreliable.
This certificate is now managed via acme-chief.

This page contains information on how to administer and replace the star.wmflabs.org SSL certificate.

Traditional certificates are usually valid for 1 year, and they should be renewed at least 2 weeks before the expiration date.

For LE certificates, we will use acme-chief.


*.wmflabs.org (also known as star.wmflabs.org)

This certificate is in use by the main web proxies in WMCS, and is physically deployed in the proxy-*.project-proxy.eqiad.wmflabs instances.

The private key is stored directly on the server (non-puppetised).

Example URL using this SSL certificate: https://tools-static.wmflabs.org/

This is a purely project-proxy thing. Moving it to acme-chief would probably require project-proxy to have its own puppetmaster, and at least designate-admin permissions in the wmflabsdotorg tenant.

Renewing star.wmflabs.org

  1. Request the certificate renewal, usually with DCops and/or the Traffic team. This involves purchase approval, etc., and may take a couple of weeks.
  2. The new private key is added to the /srv/private repo on a production puppetmaster without replacing the old one, usually with a "new." prefix in the filename. This is usually done by whoever purchases the certificate.
  3. Once the public key is received, a patch to the operations/puppet.git repo is staged in Gerrit. This is usually done by whoever purchases the certificate. The patch is not merged yet.
  4. Ensure the affected servers/services are working correctly before any further operations.
  5. Disable/stop the puppet agent on all affected servers, i.e., the servers running the web servers that use the certificate being renewed.
  6. Merge the public key patch into the operations/puppet.git repo.
  7. Replace the old private key with the new one in the /srv/private repo on the production puppetmaster.
  8. scp the private key to the nova-proxy servers and put it in /etc/ssl/private.
  9. Enable and run the puppet agent on one of the servers to check that all public/private keys are in place. Restart nginx to check that it starts with the new certificate without issues.
  10. If the previous test went fine, continue with all other servers.
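The steps above leave the sanity checks implicit: the point at which things go wrong is usually between steps 6 and 9, when a certificate is merged that does not belong to the private key that was copied to /etc/ssl/private, or when the key lands with the wrong permissions. The following script is an added example, not part of this page or of the WMCS tooling; it assumes `openssl` is installed, that the new files follow the "new." naming used in step 2, and that the paths given on the command line are placeholders for the real ones. It does not touch Puppet or nginx; it only tells you whether the pair is safe to deploy before you disable the agents in step 5.

```shell
#!/bin/sh
# Added example (not from the Wikitech page): pre-flight checks for a
# renewed certificate/key pair before it is merged and copied to the proxies.
# All paths and names passed in are placeholders chosen by the operator.

set -u

# Does the private key belong to the certificate we are about to deploy?
# Derive the public key from each side and compare; a mismatch means nginx
# will refuse to start after the swap in step 9.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least N more days? The page's policy
# is to renew 2 weeks before expiry, so the caller passes 14.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

# Does the subject mention the name we expect (e.g. *.wmflabs.org)?
# Guards against merging a certificate bought for a different name.
cert_subject_has() {
    cert="$1"; name="$2"
    openssl x509 -noout -subject -in "$cert" 2>/dev/null | grep -F -q -- "$name"
}

# Is the private key unreadable by "other"? Keys under /etc/ssl/private
# should be root-owned and at most group-readable.
key_not_world_readable() {
    key="$1"
    other=$(ls -ld "$key" | cut -c8-10)
    [ "$other" = "---" ]
}

# Run all checks and stop at the first failure so the result can gate a
# deployment script.
preflight() {
    cert="$1"; key="$2"; name="$3"
    cert_key_match "$cert" "$key"    || { echo "FAIL: key does not match certificate"; return 1; }
    cert_valid_for_days "$cert" 14   || { echo "FAIL: certificate expires within 14 days"; return 1; }
    cert_subject_has "$cert" "$name" || { echo "FAIL: subject does not mention $name"; return 1; }
    key_not_world_readable "$key"    || { echo "FAIL: key is world-readable"; return 1; }
    echo "OK: $cert and $key are consistent and usable for $name"
}

# Usage (placeholder paths):
#   sh preflight.sh /path/to/new.star.wmflabs.org.crt /path/to/new.star.wmflabs.org.key '*.wmflabs.org'
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it on the puppetmaster against the staged files before step 5, and again on each proxy after step 8 against the copy in /etc/ssl/private; the second run catches a truncated scp or a key written with the wrong mode.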

Example of replacing *.wmflabs.org

A collection of example Phabricator tasks:

TODO: add command examples