Closed
Bug 1101051
Opened 10 years ago
Closed 10 years ago
nagios alerts about CA Certs
Categories
(Infrastructure & Operations :: RelOps: Puppet, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: arich, Assigned: dustin)
References
Details
(Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4155] )
Nagios is alerting about CA Certs on puppetmasters being critical
Comment 1•10 years ago (Assignee)
Rail, you missed some bits in
https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/HowTo/Remove_a_Puppetmaster
I'll take care of it.
Assignee: relops → dustin
Comment 2•10 years ago
Oh. Thanks for pointing at the existing doc and sorry for the churn.
Updated•10 years ago
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/4155]
Comment 3•10 years ago (Assignee)
[root@ssl1.private.phx1 puppetagain-base-ca]# openssl crl -in puppetagain-base-ca.crl -text
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=PuppetAgain Base CA/emailAddress=release@mozilla.com/OU=Release Engineering/O=Mozilla, Inc.
Last Update: Nov 18 19:23:20 2014 GMT
Next Update: Nov 15 19:23:20 2024 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date: May 24 23:50:42 2012 GMT
Serial Number: 04
Revocation Date: May 24 23:50:15 2012 GMT
Serial Number: 07
Revocation Date: Apr 10 21:22:56 2013 GMT
Serial Number: 08
Revocation Date: Apr 9 21:26:01 2013 GMT
Serial Number: 09
Revocation Date: Jul 14 14:52:37 2014 GMT
Serial Number: 0A
Revocation Date: Jan 15 17:27:48 2014 GMT
Serial Number: 0C
Revocation Date: Nov 18 19:22:31 2014 GMT
Serial Number: 0D
Revocation Date: Nov 18 19:22:37 2014 GMT
Serial Number: 0E
Revocation Date: Jul 29 16:04:07 2014 GMT
Serial Number: 0F
Revocation Date: Nov 18 19:22:43 2014 GMT
Serial Number: 10
Revocation Date: Nov 18 19:22:47 2014 GMT
Serial Number: 11
Revocation Date: Jul 29 16:04:25 2014 GMT
Signature Algorithm: sha1WithRSAEncryption
Comment 4•10 years ago (Assignee)
Oh, uh, there are still a lot of hosts signed with those masters' certs - so we'll have to re-puppetize those hosts first.
Comment 5•10 years ago (Assignee)
I re-puppetized
buildbot-master01.srv.releng.use1.mozilla.com
buildbot-master02.srv.releng.use1.mozilla.com
buildbot-master03.srv.releng.use1.mozilla.com
buildbot-master04.srv.releng.usw2.mozilla.com
buildbot-master05.srv.releng.usw2.mozilla.com
buildbot-master06.srv.releng.usw2.mozilla.com
buildbot-master113.srv.releng.use1.mozilla.com
buildbot-master114.srv.releng.use1.mozilla.com
buildbot-master115.srv.releng.usw2.mozilla.com
buildbot-master116.srv.releng.usw2.mozilla.com
buildbot-master117.bb.releng.use1.mozilla.com
buildbot-master118.bb.releng.usw2.mozilla.com
buildbot-master70.srv.releng.use1.mozilla.com
buildbot-master71.srv.releng.use1.mozilla.com
buildbot-master72.srv.releng.usw2.mozilla.com
buildbot-master73.srv.releng.usw2.mozilla.com
buildbot-master74.srv.releng.usw2.mozilla.com
buildbot-master75.srv.releng.use1.mozilla.com
buildbot-master76.srv.releng.use1.mozilla.com
buildbot-master77.srv.releng.use1.mozilla.com
buildbot-master78.srv.releng.usw2.mozilla.com
buildbot-master79.srv.releng.usw2.mozilla.com
buildbot-master91.srv.releng.usw2.mozilla.com
buildbot-master94.srv.releng.use1.mozilla.com
proxxy1.srv.releng.use1.mozilla.com
proxxy1.srv.releng.usw2.mozilla.com
rpmpackager1.srv.releng.use1.mozilla.com
ubuntu64packager1.srv.releng.use1.mozilla.com
Comment 6•10 years ago (Assignee)
And removed the certs. The alerts should go green soon.
Updated•10 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED