RKemper added a comment.

  Log of steps to generate TLS certs for wcqs with cergen for https://gerrit.wikimedia.org/r/713958
  
-------------------------------------------------------------------------------------------------
  
  `/srv/private` commit + 2 gerrit patches for TLS certs:
  -------------------------------------------------------
  
  (1) `[/srv/private]      Commit SHA => a761d97c6395aab546d0024c4fce1b7174f50aa0`
  (2) `[operations/puppet] Patch      => https://gerrit.wikimedia.org/r/c/operations/puppet/+/715569`
  (3) `[labs/private]      Patch      => https://gerrit.wikimedia.org/r/c/labs/private/+/715570`
  
  ---
  
  Log of steps to generate TLS certs for wcqs with cergen for https://gerrit.wikimedia.org/r/713958
  
-------------------------------------------------------------------------------------------------
  
  **(1)** Create `/srv/private/modules/secret/secrets/certificates/certificate.manifests.d/wcqs.certs.yaml` on puppetmaster1001.eqiad.wmnet
  
  Here's what it looks like for WDQS currently:
  
    ryankemper@puppetmaster1001:~$ cat /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/wdqs.certs.yaml
    wdqs.discovery.wmnet:
      authority: puppet_ca
      expiry: null
      alt_names: ["wdqs.discovery.wmnet","wdqs.svc.eqiad.wmnet","wdqs.svc.codfw.wmnet","wdqs.wikimedia.org","wdqs1005.eqiad.wmnet","query.wikidata.org"]
      key:
        password: REDACTED
        algorithm: ec
  
  So let's try the following for wcqs:
  
    wcqs.discovery.wmnet:
      authority: puppet_ca
      expiry: null
      alt_names: ["wcqs.discovery.wmnet","wcqs.svc.eqiad.wmnet","wcqs.svc.codfw.wmnet","commons-query.wikimedia.org"]
      key:
        password: REDACTED
        algorithm: ec
  
  `sudo git add modules/secret/secrets/certificates/certificate.manifests.d/wcqs.certs.yaml`
  
  **(2)**
  
  `sudo cergen -c 'wcqs.*' --generate --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d`
  
  `=>`
  
    ryankemper@puppetmaster1001:/srv/private$ sudo cergen -c 'wcqs.*' --generate --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d
    2021-08-30 17:26:10,965 INFO     cergen                                   Generating certificates ['wcqs.discovery.wmnet'] with force=False
    2021-08-30 17:26:10,965 INFO     Certificate(wcqs.discovery.wmnet)        Generating all files, force=False...
    2021-08-30 17:26:10,967 INFO     Certificate(wcqs.discovery.wmnet)        Generating certificate file
    /usr/lib/python3/dist-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
      SubjectAltNameWarning
    /usr/lib/python3/dist-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
      SubjectAltNameWarning
    /usr/lib/python3/dist-packages/urllib3/connection.py:362: SubjectAltNameWarning: Certificate for puppetmaster1001.eqiad.wmnet has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
      SubjectAltNameWarning
    2021-08-30 17:26:12,621 INFO     Certificate(wcqs.discovery.wmnet)        Generating CA certificate file
    2021-08-30 17:26:12,622 INFO     Certificate(wcqs.discovery.wmnet)        Generating PKCS12 keystore file
    2021-08-30 17:26:12,951 INFO     Certificate(wcqs.discovery.wmnet)        Generating Java keystore file
    2021-08-30 17:26:13,931 INFO     Certificate(wcqs.discovery.wmnet)        Importing PuppetCA(puppetmaster1001.eqiad.wmnet_8140) cert into Java keystore
    2021-08-30 17:26:15,092 INFO     Certificate(wcqs.discovery.wmnet)        Generating Java truststore file with CA certificate PuppetCA(puppetmaster1001.eqiad.wmnet_8140)
    
    Status of certificates ['wcqs.discovery.wmnet']
    
    Certificate(wcqs.discovery.wmnet, authorities=[PuppetCA(puppetmaster1001.eqiad.wmnet_8140)]):
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.private.pem: PRESENT (mtime: 2021-08-30T17:26:10.966004)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.public.pem: PRESENT (mtime: 2021-08-30T17:26:10.966004)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.crt.pem: PRESENT (mtime: 2021-08-30T17:26:12.618002)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/ca.crt.pem: PRESENT (mtime: 2021-08-30T17:26:12.618002)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.keystore.p12: PRESENT (mtime: 2021-08-30T17:26:12.638002)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.keystore.jks: PRESENT (mtime: 2021-08-30T17:26:14.426000)
            /srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/truststore.jks: PRESENT (mtime: 2021-08-30T17:26:15.441999)
  
  `#` Encrypt key using password set in `/srv/private/modules/secret/secrets/certificates/certificate.manifests.d/wcqs.certs.yaml`
  
  `sudo openssl ec -in modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.private.pem -out /srv/private/modules/secret/secrets/ssl/wcqs.discovery.wmnet.key`
  
  `=>`
  
    ryankemper@puppetmaster1001:/srv/private$ sudo openssl ec -in modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.private.pem -out /srv/private/modules/secret/secrets/ssl/wcqs.discovery.wmnet.key
    read EC key
    Enter PEM pass phrase:
    writing EC key
  
  `sudo git add modules/secret/secrets/ssl/wcqs.discovery.wmnet.key`
  `sudo git add modules/secret/secrets/certificates/wcqs.discovery.wmnet/`
  
  (okay now pause for a bit and check git status after adding everything:)
  
    ryankemper@puppetmaster1001:/srv/private$ git status
    On branch master
    Changes to be committed:
      (use "git reset HEAD <file>..." to unstage)
    
            new file:   modules/secret/secrets/certificates/certificate.manifests.d/wcqs.certs.yaml
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/ca.crt.pem
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/truststore.jks
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.crt.pem
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.csr.pem
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.private.pem
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.key.public.pem
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.keystore.jks
            new file:   modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.keystore.p12
            new file:   modules/secret/secrets/ssl/wcqs.discovery.wmnet.key
  
  (Commit these changes, after opening up patches for operations/puppet and labs/private so we can link them in the commit message for completeness' sake)
  
  (3) [operations/puppet] Copy `/srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.crt.pem` over to `operations/puppet` repo pathspec `files/ssl/wcqs.discovery.wmnet.crt`
  
  `scp ryankemper@puppetmaster1001.eqiad.wmnet:/srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/wcqs.discovery.wmnet.crt.pem .` && `mv -v wcqs.discovery.wmnet.crt.pem ~/wmf/operations/puppet/files/ssl/wcqs.discovery.wmnet.crt`
  
  (4) [labs/private] Add dummy secret key to `labs/private` repo under `modules/secret/secrets/ssl/wcqs.discovery.wmnet.key` with the following contents:
  
    -----BEGIN RSA PRIVATE KEY-----
    dummy
    -----END RSA PRIVATE KEY-----
  
  
  
  ---

TASK DETAIL
  https://phabricator.wikimedia.org/T280001
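Added example (not part of RKemper's comment, not cergen's code): a POSIX shell script with the checks worth running on the files cergen wrote under `/srv/private/modules/secret/secrets/certificates/wcqs.discovery.wmnet/` before the commit in step (2) and the copy in step (3): that every `alt_names` entry from `wcqs.certs.yaml` is actually a DNS SAN in the certificate, that the private key and the certificate carry the same public key, and that the certificate verifies against `ca.crt.pem` (the CA cergen also imported into `truststore.jks`). It assumes the `openssl` CLI is installed and the file layout shown in the cergen status output above; the `demo` function builds a throwaway CA and leaf with the wcqs SAN list so the script runs offline, those two certificates are constructed here and are not the real wcqs or puppet_ca material.

```shell
#!/bin/sh
# Added example (not from the task or from cergen): sanity checks for a cergen-produced
# certificate directory. Assumed layout, taken from the cergen status output above:
#   <name>.crt.pem, <name>.key.private.pem (passphrase-protected), ca.crt.pem
set -eu

# Print the DNS subjectAltName entries of a PEM certificate, one per line.
# Parses `openssl x509 -text` rather than `-ext`, so it also works on OpenSSL 1.0.x.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_sans CERT NAME... : succeed only if every NAME is present as a DNS SAN.
# Exact match on purpose: the manifests above list every hostname explicitly, no wildcards.
check_sans() {
  cert="$1"; shift
  sans="$(cert_sans "$cert")"
  missing=0
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
      echo "MISSING SAN: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# check_key_matches_cert CERT KEY [PASSIN] : succeed only if KEY's public half equals the
# public key in CERT. PASSIN is an openssl -passin spec (e.g. file:/path/to/passfile), so the
# passphrase from the manifest never has to appear on a command line. Works for EC and RSA.
check_key_matches_cert() {
  cert="$1"; key="$2"; passin="${3:-pass:}"
  from_cert="$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  from_key="$(openssl pkey -in "$key" -passin "$passin" -pubout -outform DER | openssl dgst -sha256)"
  [ "$from_cert" = "$from_key" ]
}

# check_chain CA_CERT CERT : succeed only if CERT verifies against CA_CERT, i.e. the CA that
# ends up in truststore.jks will actually accept this leaf.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Self-contained demo on a constructed throwaway CA and leaf (stand-ins for puppet_ca and the
# wcqs cert); the SAN list is the one from wcqs.certs.yaml above.
demo() {
  d="$(mktemp -d)"
  names="wcqs.discovery.wmnet wcqs.svc.eqiad.wmnet wcqs.svc.codfw.wmnet commons-query.wikimedia.org"
  san=""
  for n in $names; do san="${san}${san:+,}DNS:$n"; done
  printf 'subjectAltName=%s\n' "$san" > "$d/leaf_ext.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
  # constructed CA: self-signed via `x509 -req` so the extensions come from our file, not openssl.cnf
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
  openssl req -new -key "$d/ca.key" -subj "/CN=demo-ca" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 -extfile "$d/ca_ext.cnf" -out "$d/ca.crt.pem" 2>/dev/null
  # constructed leaf key, passphrase-protected the way cergen's key.password leaves it
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/plain.key"
  openssl ec -in "$d/plain.key" -aes256 -passout pass:demo -out "$d/leaf.key.private.pem" 2>/dev/null
  openssl req -new -key "$d/plain.key" -subj "/CN=wcqs.discovery.wmnet" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/leaf_ext.cnf" -out "$d/leaf.crt.pem" 2>/dev/null
  # shellcheck disable=SC2086  # word-splitting $names into separate arguments is intended
  check_sans "$d/leaf.crt.pem" $names
  check_key_matches_cert "$d/leaf.crt.pem" "$d/leaf.key.private.pem" pass:demo
  check_chain "$d/ca.crt.pem" "$d/leaf.crt.pem"
  # negative case: a name the manifest does not list must be reported as missing
  if check_sans "$d/leaf.crt.pem" query.wikidata.org 2>/dev/null; then
    echo "negative check failed" >&2; rm -rf "$d"; return 1
  fi
  rm -rf "$d"
  echo "all checks passed"
}
```

Against the real files the calls are `check_sans wcqs.discovery.wmnet.crt.pem wcqs.discovery.wmnet wcqs.svc.eqiad.wmnet wcqs.svc.codfw.wmnet commons-query.wikimedia.org`, `check_key_matches_cert wcqs.discovery.wmnet.crt.pem wcqs.discovery.wmnet.key.private.pem file:/path/to/passfile` and `check_chain ca.crt.pem wcqs.discovery.wmnet.crt.pem`. One caveat on the `openssl ec -in ... -out ...` step in the log: with no cipher option such as `-aes256`, `openssl ec` writes the output key unencrypted, which is why that `ssl/wcqs.discovery.wmnet.key` belongs only in `/srv/private` and the public `labs/private` repo gets the dummy placeholder from step (4).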

Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org