Sister change for Ia5caff34d3fafaffc459e7572a4eef6bd94422ea and
removing earlier references to the mirror server in preparation for
building and adding the new one.
Change-Id: I7d506be85326835d5e77a0c9c461f2d457b1dfd3
A bunch of the sites we've started managing LE certs for are not
getting their expirations checked, so fix that. In particular, sites
recently moved off the multi-domain SAN cert for the old
static.openstack.org server (omitted the logs site as it's
deprecated), and many of the rebuilt CI mirrors (with the exception
of mirror01.gra1.ovh.opendev.org which is presently in a SHUTOFF
state for unknown reasons). Also add graphite which was previously
missed, and review-dev because we can now that it's no longer
sporting snakeoil.
When this merges, we're also going to start getting alerts for an
expired cert on mirror.gra1.ovh.opendev.org, unless someone gets a
chance to look into it first.
Change-Id: I98a98e0d2ff081c51c33d980274f3ee8c0266802
The insecure-ci-registry.opendev.org service uses an X.509 cert on
5000/tcp, so we should track this to catch when it's going to
expire.
Change-Id: I5d18599e5b5b258ce158f964cb1ff95df6dc6d92
The ssldomains file we use for our cert check is getting longish,
and sorting it will make entries easier to find.
Change-Id: Iad182ecee45274d6c8f336a97d20a3130e4b8abe
Now that opendev.org backends request certs unique to each backend we
should check these backends directly and not only through the frontend.
This way if a specific backend doesn't end up updating with LE properly
we will catch it.
Change-Id: Icabb1bcb725937da45ae9aaef2c9da412a30a319
There have been several Web sites added to files.o.o which missed
getting x509 SSL/TLS certificate checking added through our
certcheck cron job. Add those now so we know in advance whether
they're at risk of expiration.
Change-Id: I3eda77f165348e510d43344b172cf5b56ce2b003
This removes groups.openstack.org as this service was shut down. Add new
opendev services behind ssl.
Change-Id: I14c667c8fbde07c3a52778bc2c5e93abf8f053a4
We don't manage the ssl cert (or anything else) on
openstackid-resources.openstack.org. Let's stop checking when its cert
expires as it appears to have auto renewing short term cert validity
(which results in a lot of email).
Change-Id: I9f08a09d76b2862de89a6ee022ade1ac637d9aeb
We have new domains hosted as vhosts on git.openstack.org. Add
certchecks for them. Also add zuul-ci.org.
Change-Id: I462d8464707d6427b4d88528a7914e03f184a89b
Based on an audit of certs I currently have record of ordering,
update the ssldomains list for our cert check to include everything
I know (and can confirm) is in production. Drop security since it's
rolled into the SubjectAltName set for the static.openstack.org cert
now. Also remove groups-dev from the list as it's the only one using
a snakeoil cert and we don't normally bother to check for expiration
on those. Keep www on the list even though Infra doesn't manage that
one, because its unanticipated expiration has impacted us in the
past and having a bit of extra warning there can't hurt.
Change-Id: I4a51d0cd15533a39d23e09735c9fda34398e957f
Add X.509 certificates, certificate chains and private keys for
https://developer.openstack.org/ and https://docs.openstack.org/
separately using SNI (as the list grows we can consider condensing
these into a single cert using ServerAltNames later).
Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
This is a simple first deployment of an ethercalc service. It does not
come with authenticated redis or redis backups. It will however have
working ssl.
Change-Id: I8c434a6bff42bce75e67fb37665d213f3cc018c8
Depends-On: Id10247211d9643e81bb1b6e8fb67377ba6de873a
The SSL cert for jenkins.openstack.org was obtained in 2013 when
this interface was more heavily used by our developer community.
Since then we've rolled out 7 additional Jenkins masters and so this
is no longer a useful primary reference. The only real need for
authenticated connections to its WebUI at this point is systems
administrators performing maintenance and minimal local
configuration, for which ToFU of a self-signed cert is sufficient.
Change-Id: Ibf95983a2ac76c2e9e39bcfc99643e3cac401245
This syncs up the SSL cert check sites list to match the SSL certs
we have Puppet applying from our hiera list.
Change-Id: I02812af75a9c619856c7130be92e2b15ba370608
Added ask.openstack.org to the list of ssl certs we monitor,
also took the opportunity to alphabetize the list.
Change-Id: I251d6ee0df8b73f159a9d7844b5c89412a548919
Reviewed-on: https://review.openstack.org/31866
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Dan Prince <dprince@redhat.com>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
Add monitoring of SSL certificates for openstack websites
Change-Id: I50b6a8aced7ae563381eb948ce4e8f854a6d85a9
Reviewed-on: https://review.openstack.org/30490
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins