Portal:Cloud VPS/Admin/SSL certificate
This page contains historical information. It is probably no longer true.
This certificate is now managed via acme-chief.
This page describes how to administer and replace the star.wmflabs.org SSL certificate.
Traditional (purchased) certificates are usually valid for 1 year and should be renewed at least 2 weeks before the expiration date.
For Let's Encrypt certificates, acme-chief handles issuance and renewal.
*.wmflabs.org (also known as star.wmflabs.org)
This certificate is used by the main web proxies in WMCS and is deployed on the proxy-*.project-proxy.eqiad.wmflabs instances.
The private key lives directly on those servers (it is not managed by Puppet).
Example URL using this SSL certificate: https://tools-static.wmflabs.org/
This is purely a project-proxy matter. Moving it to acme-chief would probably require project-proxy to have its own puppetmaster, plus at least designate-admin permissions in the wmflabsdotorg tenant.
- Request the certificate renewal, usually via DCops and/or the Traffic team. This involves purchase approval and may take a couple of weeks.
- Add the new private key to the /srv/private repo on a production puppetmaster without replacing the old one, usually under a filename with a new. prefix. This is usually done by whoever purchases the certificate.
- Once the signed certificate (the public part) is received, stage a patch adding it to the operations/puppet.git repo in Gerrit, again usually by whoever purchases the certificate. Do not merge this patch yet.
- Confirm that the affected servers/services are working correctly before going any further.
- Disable/stop the puppet agent on all affected servers, i.e. the servers whose web servers use the certificate being renewed.
- Merge the certificate patch into operations/puppet.git.
- Replace the old private key with the new one in the /srv/private repo on the production puppetmaster.
- scp the private key to the nova-proxy servers and put it in /etc/ssl/private.
- Enable and run the puppet agent on one of the servers to check that the certificate and private key are both in place, then restart nginx to confirm it starts cleanly with the new certificate.
- If that test passes, repeat on all the other servers.
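The steps above are easy to get wrong in one specific way: the renewed certificate is deployed next to the old private key (or vice versa), and nginx only complains when it is restarted on every proxy. The following is an added example, not part of this page or of the WMCS/project-proxy tooling: a set of shell preflight checks (expiry margin, key/certificate pairing, presence of the wildcard SAN) followed by a guarded install that keeps the previous files and rolls back if the nginx config test fails. It assumes the OpenSSL CLI is present; the destination paths, the default nginx test/reload commands and the NGINX_TEST_CMD/RELOAD_CMD override variables are assumptions for this example, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks plus a guarded
# install for a renewed *.wmflabs.org certificate on a single proxy.
# Assumptions: the OpenSSL CLI is installed; cert/key paths are passed in by the
# caller; the nginx commands below can be overridden via NGINX_TEST_CMD and
# RELOAD_CMD (their defaults are assumptions, not taken from the page).
set -eu

NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# Succeeds only if the certificate stays valid for at least $2 more days
# (default 14, the "renew at least 2 weeks before expiry" rule above).
cert_days_left_ok() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null
}

# The renewed certificate must be paired with the NEW private key from
# /srv/private, not the old one: compare SHA-256 digests of the public keys
# (works for RSA and EC keys alike).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The certificate must actually carry the name the proxies serve, e.g.
# '*.wmflabs.org'. SANs are split one per line and matched as whole lines.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$2"
}

# Swap the renewed pair into place only after every check passes. Previous
# files are kept as *.old; if the nginx config test fails they are restored
# and nginx is not reloaded. This mirrors the "test on one proxy first" step.
install_cert() {
    new_cert="$1"; new_key="$2"; cert_dst="$3"; key_dst="$4"
    cert_days_left_ok "$new_cert" 14 \
        || { echo "refusing: certificate expires within 14 days" >&2; return 1; }
    key_matches_cert "$new_cert" "$new_key" \
        || { echo "refusing: private key does not match certificate" >&2; return 1; }
    cert_has_san "$new_cert" '*.wmflabs.org' \
        || { echo "refusing: certificate lacks DNS:*.wmflabs.org" >&2; return 1; }
    for f in "$cert_dst" "$key_dst"; do
        if [ -f "$f" ]; then cp -p "$f" "$f.old"; fi
    done
    install -m 0644 "$new_cert" "$cert_dst"
    install -m 0600 "$new_key" "$key_dst"      # key is never world-readable
    if ! sh -c "$NGINX_TEST_CMD" >/dev/null 2>&1; then
        for f in "$cert_dst" "$key_dst"; do
            if [ -f "$f.old" ]; then mv "$f.old" "$f"; fi
        done
        echo "nginx config test failed; previous files restored" >&2
        return 1
    fi
    sh -c "$RELOAD_CMD"
}

# Typical invocation on one proxy (paths are illustrative):
#   install_cert new.star.wmflabs.org.crt new.star.wmflabs.org.key \
#       /etc/ssl/certs/star.wmflabs.org.crt /etc/ssl/private/star.wmflabs.org.key
```

Run the three check functions on the puppetmaster before the private-key swap in /srv/private as well; the key/certificate pairing check is the one that catches a certificate patch merged against a key with the wrong new. prefix.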
Example of replacing *.wmflabs.org
A collection of example Phabricator tasks:
- T206223 *.wmflabs.org cert needs renewing
- T174611 update *.wmflabs.org by 2017-10-16
- T237066 Push renewed *.wmflabs.org certificate and new private key to cluster (expires 2019-11-16)
TODO: add command examples