Jeremyb has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/111387

Change subject: rm root cert from chain
......................................................................

rm root cert from chain

started with planet (which I did test against the currently running version)

see also I4fba98a3856f591f64eab30b91ce2f478fc4f271

Change-Id: I31253c0ee18793f2ff90d698c668b1a9f168c3b4
---
M manifests/certs.pp
1 file changed, 3 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/87/111387/1

diff --git a/manifests/certs.pp b/manifests/certs.pp
index 340652a..ed81af8 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -128,9 +128,10 @@
     if ( $ca ) {
         $cas = $ca
     } else {
-        # PEM files should be listed in order: intermediate -> intermediate -> 
... -> root
+        # PEM files should be listed in order: intermediate0 -> intermediate1 
-> ... -> intermediateN
         # If this is out of order either servers will fail to start, or will 
not properly
         # have SSL enabled.
+        # Do not include the root cert
         $cas = $name ? {
             "unified.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem",
             "star.wikimedia.org" => "RapidSSL_CA.pem RapidSSL_CA_2.pem 
GeoTrust_Global_CA.pem",
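Review bot: The rewritten ordering comment does not say which end of the list sits next to the server certificate, and the new "Do not include the root cert" line gives no reason. Since the comment already warns that a wrong order breaks server startup or SSL, it would help to state explicitly that intermediate0 is the issuer of the server certificate and intermediateN is the one signed by the root, and to add a short rationale (clients already hold the root in their trust store, so sending it only adds bytes to the handshake). Something like "# Do not include the root cert; clients must already trust it" would be enough.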
@@ -145,7 +146,7 @@
             "star.wikimediafoundation.org" => "RapidSSL_CA.pem 
GeoTrust_Global_CA.pem",
             "star.wmflabs.org" => "RapidSSL_CA.pem",
             "star.wmflabs" => "wmf-labs.pem",
-            "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem 
DigiCert_High_Assurance_EV_Root_CA.pem",
+            "star.planet.wikimedia.org" => "DigiCertHighAssuranceCA-3.pem",
             default => "wmf-ca.pem",
         }
     }
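Review bot: Only the "star.planet.wikimedia.org" entry is brought in line with the new "Do not include the root cert" rule, while the "star.wikimediafoundation.org" context line at the top of this hunk still ends with GeoTrust_Global_CA.pem (as does "star.wikimedia.org" in the previous hunk). If that file is the self-signed root, the map now contradicts the comment above it. The commit message says this "started with planet", so either convert the remaining entries in this change or leave a TODO next to them pointing at the follow-up, so the next editor does not copy the old pattern. It would also be worth recording in the commit message how the planet chain was checked, so the same check can be repeated for the other names.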

-- 
To view, visit https://gerrit.wikimedia.org/r/111387
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I31253c0ee18793f2ff90d698c668b1a9f168c3b4
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Jeremyb <jer...@tuxmachine.com>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
