Jeremyb has uploaded a new change for review. https://gerrit.wikimedia.org/r/111387
Change subject: rm root cert from chain ...................................................................... rm root cert from chain started with planet (which I did test against the currently running version) see also I4fba98a3856f591f64eab30b91ce2f478fc4f271 Change-Id: I31253c0ee18793f2ff90d698c668b1a9f168c3b4 --- M manifests/certs.pp 1 file changed, 3 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/87/111387/1 diff --git a/manifests/certs.pp b/manifests/certs.pp index 340652a..ed81af8 100644 --- a/manifests/certs.pp +++ b/manifests/certs.pp @@ -128,9 +128,10 @@ if ( $ca ) { $cas = $ca } else { - # PEM files should be listed in order: intermediate -> intermediate -> ... -> root + # PEM files should be listed in order: intermediate0 -> intermediate1 -> ... -> intermediateN # If this is out of order either servers will fail to start, or will not properly # have SSL enabled. + # Do not include the root cert $cas = $name ? { "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem", "star.wikimedia.org" => "RapidSSL_CA.pem RapidSSL_CA_2.pem GeoTrust_Global_CA.pem", 
@@ -145,7 +146,7 @@ "star.wikimediafoundation.org" => "RapidSSL_CA.pem GeoTrust_Global_CA.pem", "star.wmflabs.org" => "RapidSSL_CA.pem", "star.wmflabs" => "wmf-labs.pem", - "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem DigiCert_High_Assurance_EV_Root_CA.pem", + "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem", default => "wmf-ca.pem", } } -- To view, visit https://gerrit.wikimedia.org/r/111387 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I31253c0ee18793f2ff90d698c668b1a9f168c3b4 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Jeremyb <jer...@tuxmachine.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
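Review bot: In the first hunk (certs.pp, around line 131), the reworded ordering comment "intermediate0 -> intermediate1 -> ... -> intermediateN" does not say which end of the list is nearest the server certificate, and the new "# Do not include the root cert" line gives no reason. Since the comment already warns that a wrong order breaks server start-up or SSL, it would help to state that intermediate0 is the certificate that issued the server certificate and that each following file is the issuer of the one before it. The root rule could carry its reason on the same line: clients validate against the root in their own trust store, so a root sent in the chain only adds bytes to the handshake.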
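Review bot: In the second hunk, only the "star.planet.wikimedia.org" entry is brought in line with the new rule, while the "star.wikimediafoundation.org" context line two entries above it still ends with GeoTrust_Global_CA.pem (as does "star.wikimedia.org" in the first hunk), which by its file name looks like a root certificate. The commit message says this "started with planet", so either convert those entries in this change or note next to the "Do not include the root cert" comment that they are pending, so the selector does not visibly contradict the rule stated above it. It would also help to record in the commit message how the planet chain was checked, since that is the only entry described as tested.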