Poking around on my debian bookworm instance, I found /usr/local/share/ca-certificates/wmf_ca_2017_2020.crt, which looks like an expired SSL certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9f:14:76:9e:ea:f4:18:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
        Validity
            Not Before: Jul 19 20:43:26 2017 GMT
            Not After : Jul 18 20:43:26 2020 GMT
        Subject: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Does this do anything useful? Does it do any harm?
It's a CA certificate, a certificate issued by an authority (in this case WMF itself) that you could use to verify certs issued by it were valid.
Since it's expired it doesn't do anything useful but also shouldn't do any harm.
It's there because it still gets installed in the "base" class (profile::base::certificates) in puppet.
https://wikitech.wikimedia.org/wiki/HTTPS/WMF_CA
On Tue, Dec 19, 2023 at 4:23 PM Roy Smith roy@panix.com wrote:
Poking around on my debian bookworm instance, I found /usr/local/share/ca-certificates/wmf_ca_2017_2020.crt, which looks like an expired SSL certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9f:14:76:9e:ea:f4:18:c3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
        Validity
            Not Before: Jul 19 20:43:26 2017 GMT
            Not After : Jul 18 20:43:26 2020 GMT
        Subject: C = US, ST = California, L = San Francisco, O = Wikimedia Foundation, OU = Operations, CN = WMF CA 2017-2020
Does this do anything useful? Does it do any harm?
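An added example, not part of the thread or of the WMF Puppet code: a shell audit that reports the expiry state of every certificate in a local CA directory such as the /usr/local/share/ca-certificates path mentioned above, using `openssl x509 -checkend`. The function names and the 30-day warning window are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report the expiry state of locally installed CA certificates.
# Function names and the default warning window are assumptions.

# cert_state FILE [WINDOW_SECONDS]
# Prints one of: unreadable, expired, expiring (within the window), valid.
cert_state() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable          # not a parseable X.509 certificate
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired             # notAfter is already in the past
    elif ! openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
        echo expiring            # still valid, but not for the whole window
    else
        echo valid
    fi
}

# audit_ca_dir DIR [WINDOW_SECONDS]
# One tab-separated line per *.crt file: state, path, notAfter, subject.
audit_ca_dir() {
    audit_window=${2:-2592000}   # 30 days, an assumed default
    for crt in "$1"/*.crt; do
        [ -e "$crt" ] || continue   # directory empty or glob did not match
        state=$(cert_state "$crt" "$audit_window")
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null)
        subject=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null)
        printf '%s\t%s\t%s\t%s\n' "$state" "$crt" "$end" "$subject"
    done
}

# When run as a script with arguments, audit the given directory, e.g.
#   sh audit.sh /usr/local/share/ca-certificates
if [ "$#" -gt 0 ]; then
    audit_ca_dir "$@"
fi
```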
On Wed, Dec 20, 2023 at 7:00 PM roy@panix.com wrote:
Is there a current one? The reason I ask is I'm trying to install OpenSearch and ended up going down a rabbit hole with self-signed certificates per their instructions. I'm operating on the ragged edge of how well I understand how certificates work ☹️. If there was a WMF cert I could drop in, that would be great.
Instead of having a certificate in your VM, I would suggest using the web proxy [1] provided by Cloud VPS. In this way, traffic from the internet to the web proxy is secured by the proxy's own SSL certificate, while traffic from the web proxy to your Cloud VPS instance does not use SSL at all. This means you need to disable SSL in OpenSearch, and let the proxy handle it.
[1] https://wikitech.wikimedia.org/wiki/Help:Using_a_web_proxy_to_reach_Cloud_VP...