BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/322666
Change subject: deploy new globalsign certs as inactive
......................................................................
deploy new globalsign certs as inactive
Change-Id: Iebf7e1a4abd49be53b36f9ba0948fd0c8ca78c53
---
M modules/role/manifests/cache/ssl/unified.pp
1 file changed, 13 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/66/322666/1
diff --git a/modules/role/manifests/cache/ssl/unified.pp
b/modules/role/manifests/cache/ssl/unified.pp
index ec7c7e7..984ded9 100644
--- a/modules/role/manifests/cache/ssl/unified.pp
+++ b/modules/role/manifests/cache/ssl/unified.pp
@@ -32,9 +32,21 @@
check_command =>
"check_ssl_unified!RSA!${check_cn}!${check_sans_str}",
}
+ # We can refactor this better later, with $certs_active varying on
datacenter
+ # for the 2016 set from GlobalSign + Digicert.
+ $certs = [
+ 'ecc-uni.wikimedia.org', 'uni.wikimedia.org',
+ 'globalsign-2016-ecdsa-unified', 'globalsign-2016-rsa-unified',
+ ]
+
+ $certs_active = [
+ 'ecc-uni.wikimedia.org', 'uni.wikimedia.org',
+ ]
+
tlsproxy::localssl { 'unified':
server_name => 'www.wikimedia.org',
- certs => ['ecc-uni.wikimedia.org', 'uni.wikimedia.org'],
+ certs => $certs,
+ certs_active => $certs_active,
default_server => true,
do_ocsp => true,
upstream_ports => [3120, 3121, 3122, 3123, 3124, 3125, 3126, 3127],
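Review bot: The two names in `$certs_active` are typed out a second time rather than derived from `$certs`, and nothing visible in this hunk checks that every active name is also in the deployed list. Unless `tlsproxy::localssl` validates this itself (it is defined outside the hunk), a later edit that touches only one list could mark a cert active whose key material was never deployed. Consider building the full list from the active one plus a separate `$certs_inactive` array, or at least adding a comment such as `# every entry in $certs_active must also appear in $certs`. With `do_ocsp => true`, it is also worth confirming that stapling data is fetched for the inactive GlobalSign certs, so that activating them later does not begin with handshakes that lack a staple. The resource body continues past the end of the hunk.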
--
To view, visit https://gerrit.wikimedia.org/r/322666
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iebf7e1a4abd49be53b36f9ba0948fd0c8ca78c53
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>