[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-08-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Bryan Davis bda...@wikimedia.org changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=69269

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-08-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Bryan Davis bda...@wikimedia.org changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=68387



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-08-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #94 from Bryan Davis bda...@wikimedia.org ---
(In reply to Matthew Flaschen from comment #93)
> If cost is the issue, did we consider setting up our own certificate
> authority (chained to an existing root)?  It's an upfront cost, but as I
> understand it that means no per-cert cost.
>
> Google and Microsoft both have them, just to name a couple.

Getting a delegated signing certificate is a huge deal actually. Once you have
one, any certificate you sign is trusted by all who trust your upstream signer.
The x509 protocol does not make it possible to construct a trusted signing
certificate that is restricted to a particular domain. As such, any trusted
signer who issues delegate signing certificates must impose strict practices
and regular audits of those practices on any delegate organization.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Greg Grossmeier g...@wikimedia.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |WONTFIX

--- Comment #91 from Greg Grossmeier g...@wikimedia.org ---
Won't Fix'ing this for now.

A) We have self-signed certs in place on Beta
B) Real certs are expensive
C) There hasn't been any team come with a specific use case where buying the
real certs would make sense.

Feel free to reopen if any of the above changes.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

se4598 se4...@se4598.eu changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 CC||se4...@se4598.eu
 Resolution|WONTFIX |---

--- Comment #92 from se4598 se4...@se4598.eu ---
This bug seems to have drifted away from the initial comment.
(In reply to Antoine hashar Musso from comment #0)
> We need certificates generated by 'Labs CA' for the entries listed in
> role::protoproxy::ssl::beta and some more.  I guess the easiest would be to
> create *.beta.wmflabs.org cert that will also contain the following DNS
> entries:

So

(In reply to Greg Grossmeier from comment #91)
> Won't Fix'ing this for now.
> A) We have self-signed certs in place on Beta

We still don't have valid self-signed certs for beta since eqiad migration as
far as I know. At least nginx refuses to start because of cert mismatch. As I
was told in bug 63538 that this (certs) is handled here, I REOPEN. Please
generate new (self-signed) certs.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #93 from Matthew Flaschen mflasc...@wikimedia.org ---
I can think of three significant problems with self-signed certificates:

1. It trains people to ignore SSL warnings, which means they ignore them when
it's a legit problem.
2. It causes problems with automated tests (not clear if all of these have been
worked around).
3. It's a real pain when testing manually because you have to visit
https://bits.beta.wmflabs.org/ (and maybe also upload.beta.wmflabs.org)
manually in Firefox.

FWIW, https://en.wikipedia.beta.wmflabs.org isn't working at all (not even
invalid) right now (can't connect), but I assume that's temporary

If cost is the issue, did we consider setting up our own certificate authority
(chained to an existing root)?  It's an upfront cost, but as I understand it
that means no per-cert cost.

Google and Microsoft both have them, just to name a couple.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Antoine hashar Musso has...@free.fr changed:

   What|Removed |Added

 Blocks||63538



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #86 from Antoine hashar Musso has...@free.fr ---

The beta cluster has four Varnish instances with an Nginx HTTPS proxy installed.
Nginx refuses to start because the star.wmflabs.org certificate is invalid:

    root@deployment-cache-bits01:~# /etc/init.d/nginx start
    Starting nginx: nginx: [emerg]
      SSL_CTX_use_PrivateKey_file(/etc/ssl/private/star.wmflabs.org.key)
      failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
    nginx: configuration file /etc/nginx/nginx.conf test failed


To fix it we would need a few certificates to be installed on the instances via
the role::protoproxy::ssl::beta puppet class in manifests/role/protoproxy.pp

star.wmflabs.org would cover the entries:

 bits.beta.wmflabs.org
 upload.beta.wmflabs.org
 wikidata.beta.wmflabs.org

We would need *.wikimedia.beta.wmflabs.org and *.wikipedia.beta.wmflabs.org
certs as well.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Daniel Zahn dz...@wikimedia.org changed:

   What|Removed |Added

 CC||dz...@wikimedia.org

--- Comment #87 from Daniel Zahn dz...@wikimedia.org ---


https://gerrit.wikimedia.org/r/#/c/111386/
https://gerrit.wikimedia.org/r/#/c/126008/1



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #88 from Daniel Zahn dz...@wikimedia.org ---
for *.wmflabs.org, the self-signed cert has recently been replaced with one
from RapidSSL. At first the chained file, which is created by puppet, was
wrong; the above changes should have fixed that.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #89 from Daniel Zahn dz...@wikimedia.org ---
(In reply to Antoine hashar Musso from comment #86)
> star.wmflabs.org would cover the entries:
>
>  bits.beta.wmflabs.org
>  upload.beta.wmflabs.org
>  wikidata.beta.wmflabs.org

I'm afraid it can't and *.wmflabs.org is not *.beta.wmflabs.org (only one level
of wildcard possible). But ask RobH to make sure.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #90 from Antoine hashar Musso has...@free.fr ---
> I'm afraid it can't and *.wmflabs.org is not *.beta.wmflabs.org (only one
> level of wildcard possible). But ask RobH to make sure.

Ah indeed my bad. Sorry :-]



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-08 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #85 from Matthew Flaschen mflasc...@wikimedia.org ---
(In reply to Greg Grossmeier from comment #84)
> * Setup was(is?) annoying because of the lack of easy way to secure these
> private certs from other non-WMF root labs users.

I thought comment 65 and comment 67 said the access to private keys without an
NDA part was solved.

Antoine said he did the sudo configuration (see comment 67); I'm not sure if
it's checked yet.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-04-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Greg Grossmeier g...@wikimedia.org changed:

   What|Removed |Added

   Priority|Highest |Normal
   Assignee|g...@wikimedia.org  |wikibugs-l@lists.wikimedia.org

--- Comment #84 from Greg Grossmeier g...@wikimedia.org ---
(Lowering priority and unassigning from self)

Status, afaict:
* Price was annoying, but we've identified the 7 we want (comment 77, comment
79, and comment 83).
* Setup was(is?) annoying because of the lack of easy way to secure these
private certs from other non-WMF root labs users.

Marc/RobH: Let me know if I have that wrong and if there's anything else we can
do right now.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Marc A. Pelletier m...@uberbox.org changed:

   What|Removed |Added

 CC||m...@uberbox.org

--- Comment #76 from Marc A. Pelletier m...@uberbox.org ---
Because of the necessity to have a default CA sign this, we need to buy
individual certificates.  Please provide a definite list of domain names, and
I'll get that ball rolling.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #77 from Greg Grossmeier g...@wikimedia.org ---
login.wikipedia.beta.wmflabs.org
meta.wikipedia.beta.wmflabs.org
en.wikipedia.beta.wmflabs.org
bits.beta.wmflabs.org
upload.beta.wmflabs.org (for some icons on meta/login)

That's all I can see from the network calls.

Antoine/Chris/Chris: confirm?



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com changed:

   What|Removed |Added

 CC||legoktm.wikipe...@gmail.com

--- Comment #78 from Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com ---
http://meta.wikimedia.beta.wmflabs.org/wiki/Special:SiteMatrix is the full
list.

There are some weird ones like 'ee-prototype'.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #79 from Chris McMahon cmcma...@wikimedia.org ---
http://commons.wikimedia.beta.wmflabs.org/ is important



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #80 from Greg Grossmeier g...@wikimedia.org ---
(In reply to Kunal Mehta (Legoktm) from comment #78)
> http://meta.wikimedia.beta.wmflabs.org/wiki/Special:SiteMatrix is the full
> list.

For the avoidance of doubt: we're not doing them all, just a subset. SSL certs
are a racket and expensive.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #81 from Marc A. Pelletier m...@uberbox.org ---
Yeah, we can't do all; we can't even reasonably all the necessary wildcards to
cover the whole matrix.

I have six now; any more?



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #82 from Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com ---
(In reply to Greg Grossmeier from comment #80)
> For the avoidance of doubt: we're not doing them all, just a subset. SSL
> certs are a racket and expensive.

Oh, missed that above. Makes sense :)



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-02-21 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #83 from Chris Steipp cste...@wikimedia.org ---
wikidata.beta.wmflabs.org might be nice, since I know a few gadgets go cross
domain to it.

I think the dewiki community also wanted to have de.wikipedia.beta.wmflabs.org,
but unless we get a discount for buying them at one time, it would probably be
good to wait until we have browser tests running against that wiki.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-01-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #74 from Chris McMahon cmcma...@wikimedia.org ---
We have stopped running browser tests over https. 

I think we still want SSL for labs, but I don't know of anyone actively working
on that right now.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-01-23 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #75 from Chris Steipp cste...@wikimedia.org ---
I think we do want it, on a limited set of subdomains to keep the cost down.

Beta's:
- loginwiki (so we can check SUL interactions)
- metawiki (so OAuth works correctly and securely)
- another wiki, maybe enwiki? (to catch other SUL login/wgSecureLogin issues)
- Oh, and to make enwiki work, the bits domain would also need a cert



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-01-22 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #71 from Andre Klapper aklap...@wikimedia.org ---
Greg and RobLa: RT ticket states you wanted to discuss how to proceed here.
Any updates (or should this not be highest priority)?



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-01-22 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #72 from Antoine hashar Musso has...@free.fr ---
Still highest priority.  We want to get that done while I am in SF, hopefully
this afternoon (PST time).



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2014-01-22 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #73 from Antoine hashar Musso has...@free.fr ---
(In reply to comment #72)
> Still highest priority.  We want to get that done while I am in SF, hopefully
> this afternoon (PST time).

Sorry, was referring to another bug :-/


Regarding SSL certificates on beta, I am not sure what the status is.  Maybe
Greg/Chris would know.  We might have a workaround now or simply stopped
running browser tests over HTTPS.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-12-18 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #70 from Krinkle krinklem...@gmail.com ---
Would it be an option to flatten our subdomains?

We'd only need beta.wmflabs.org and *.beta.wmflabs.org to be in the certificate

(at e.g. DigiCert, those wildcards are $1425 for 3 years includes root and *)

For example:

* beta.wmflabs.org
* bits.beta.wmflabs.org
* wikimedia.beta.wmflabs.org
* commons-wikimedia.beta.wmflabs.org
* wikipedia.beta.wmflabs.org
* en-wikipedia.beta.wmflabs.org
* nl-wikibooks.beta.wmflabs.org
* en-m-wikibooks.beta.wmflabs.org
* en-m-wikinews.beta.wmflabs.org

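
Added example (not part of the original thread and not Wikimedia code): the one-label wildcard rule raised in comment #89, and the flattened naming proposed in comment #70, checked against the hostnames listed in comments #70, #77, #79 and #83. The function names and the matching rules (RFC 6125 style, partial wildcards rejected) are assumptions of this example.

```python
# Added example: single-label wildcard matching for certificate names.
# Hostnames are copied from the thread; function names are illustrative.

# Hosts requested in comments #77, #79 and #83.
THREAD_HOSTS = [
    "login.wikipedia.beta.wmflabs.org",
    "meta.wikipedia.beta.wmflabs.org",
    "en.wikipedia.beta.wmflabs.org",
    "bits.beta.wmflabs.org",
    "upload.beta.wmflabs.org",
    "commons.wikimedia.beta.wmflabs.org",
    "wikidata.beta.wmflabs.org",
]

# Flattened names proposed in comment #70.
FLATTENED_HOSTS = [
    "beta.wmflabs.org",
    "bits.beta.wmflabs.org",
    "wikimedia.beta.wmflabs.org",
    "commons-wikimedia.beta.wmflabs.org",
    "wikipedia.beta.wmflabs.org",
    "en-wikipedia.beta.wmflabs.org",
    "nl-wikibooks.beta.wmflabs.org",
    "en-m-wikibooks.beta.wmflabs.org",
    "en-m-wikinews.beta.wmflabs.org",
]


def covers(san, host):
    """True if certificate name `san` matches `host`.

    Comparison is case-insensitive. '*' is honoured only as the complete
    left-most label and stands for exactly one label, never zero or several.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # a wildcard cannot absorb extra dots
    if "*" in "".join(san_labels[1:]):
        return False  # wildcard outside the left-most label
    first = san_labels[0]
    if first == "*":
        return bool(host_labels[0]) and san_labels[1:] == host_labels[1:]
    if "*" in first:
        return False  # partial wildcards such as "b*ts" are rejected here
    return san_labels == host_labels


def uncovered(sans, hosts):
    """Hosts (in input order) that none of the certificate names match."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]


def wildcards_needed(hosts):
    """One '*.<parent>' name per distinct parent domain, sorted.

    Assumes every host has at least two labels. This is the fewest
    wildcard names that can cover all of `hosts`.
    """
    return sorted({"*." + h.lower().split(".", 1)[1] for h in hosts})


if __name__ == "__main__":
    for sans in (["*.wmflabs.org"], ["*.beta.wmflabs.org"],
                 wildcards_needed(THREAD_HOSTS)):
        print(sans, "leaves uncovered:", uncovered(sans, THREAD_HOSTS))
    flat = ["beta.wmflabs.org", "*.beta.wmflabs.org"]
    print(flat, "leaves uncovered:", uncovered(flat, FLATTENED_HOSTS))
```
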


[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-12-16 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #69 from Andre Klapper aklap...@wikimedia.org ---
Reason in comment 16 is past (testing of new default HTTPS access), but warning
message in Selenium probably still justifies highest prio? (for four months
now)

(In reply to comment #68)
> The related ticket is https://rt.wikimedia.org/Ticket/Display.html?id=6116

To summarize the RT ticket: Prices offered by SSL vendors felt out of scope.

Greg and RobLa: RT ticket states you wanted to discuss how to proceed here.
Any updates?



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-11-14 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #68 from Antoine hashar Musso has...@free.fr ---
Buying certs is pending approval according to RobH a few days ago.  The related
ticket is https://rt.wikimedia.org/Ticket/Display.html?id=6116



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-11-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #67 from Antoine hashar Musso has...@free.fr ---

I have cleaned up permissions on the deployment-prep labs project (ie: beta
cluster).

The project admins are now limited to people from the Wikimedia ops and mw-core
teams.

Root access has been limited to people having signed a non disclosure agreement
with Wikimedia.


The reason for this change is to let us put real SSL certificates on the
Varnish caches which would let us support HTTPS on the beta cluster.  We want
to keep access to the certificates restricted, hence the change.


Please review the list of admins and sudo policy for the deployment-prep
project on:

https://wikitech.wikimedia.org/wiki/Special:NovaProject
https://wikitech.wikimedia.org/wiki/Special:NovaSudoer



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-11-05 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

--- Comment #66 from Ryan Kaldari rkald...@wikimedia.org ---
> 1. Remove projectadmin permissions from volunteers

I also just removed TheDJ since he didn't have an NDA on file and he didn't
respond to my email asking if he wanted to sign one.

> 2. Clean up sudo policies to disallow root on varnish systems (that will have
> real certs)

Apparently the sudo policies are set up at
https://wikitech.wikimedia.org/wiki/Special:NovaSudoer. It looks like most of
them have sudo enabled for ALL hosts. I imagine disabling their root
privileges on varnish systems just entails unchecking some of these hosts.
Unfortunately, I'm not sure which of these hosts are varnish systems. Is it all
4 of the deployment-cache hosts? Any others?

> 3. Buy * certs

Good to hear that's in progress.



[Bug 48501] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

2013-10-30 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=48501

Greg Grossmeier g...@wikimedia.org changed:

   What|Removed |Added

   Summary|[OPS] beta: Get SSL certificates for *.{projects}.beta.wmflabs.org |beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

--- Comment #65 from Greg Grossmeier g...@wikimedia.org ---
(In reply to comment #46)
> Summary of IRC conversation:
>
> 1. Remove projectadmin permissions from volunteers
{{DONE}}, see list of members at:
https://wikitech.wikimedia.org/wiki/Nova_Resource:Deployment-prep

> 2. Clean up sudo policies to disallow root on varnish systems (that will have
> real certs)

Not sure what needs to happen here. Tips/Pointers? I think Antoine had some
ideas?

> 3. Buy * certs

In progress: https://rt.wikimedia.org/Ticket/Display.html?id=6116
