sul-dlss / course_reserves

rails app used by patrons looking up course reserve info and lib staff entering course reserve info

Course harvester certificate is expired #550

Open corylown opened 2 weeks ago

corylown commented 2 weeks ago

There's some info about the certificate on this issue: https://github.com/sul-dlss/course_reserves/issues/410

Symptom is that the rake fetch_courses task to harvest courses from MaIS is failing with OpenSSL::SSL::SSLError: SSL_read: sslv3 alert certificate expired (OpenSSL::SSL::SSLError)

For next time, is there a way for us to get notified before the certificate expires?

jcoyne commented 2 weeks ago

Typically MaIS will send you email reminders if you are associated with the certificate. I'm guessing this cert is associated with some colleagues who no longer work here. More cert info is https://uit.stanford.edu/service/registry/certificates
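
For the question above about getting notice before the certificate expires, a check that does not depend on registry reminder emails reaching a current staff member. This is an added example, not code from the course_reserves repository; the function names, the 30-day warning window and the sample certificate are assumptions constructed for illustration.

```ruby
require 'openssl'

# A client cert file may carry a chain, so pull out every PEM certificate block.
PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
Status = Struct.new(:subject, :not_after, :days_left, :state)

# Classify each certificate in a PEM string against a warning window (hypothetical helper).
def cert_expiry_report(pem, warn_days: 30, now: Time.now)
  certs = pem.scan(PEM_CERT).map { |block| OpenSSL::X509::Certificate.new(block) }
  raise ArgumentError, 'no certificate found in PEM input' if certs.empty?

  certs.map do |cert|
    days_left = ((cert.not_after - now) / 86_400).floor
    state = if now < cert.not_before then :not_yet_valid
            elsif days_left < 0 then :expired
            elsif days_left <= warn_days then :expiring
            else :ok
            end
    Status.new(cert.subject.to_s, cert.not_after, days_left, state)
  end
end

# Constructed sample input: a throwaway self-signed cert, not the harvester certificate.
def sample_cert_pem(not_before:, not_after:, cn: 'example-harvester')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Cron-style use: pass the path of the deployed cert file; non-zero exit means "act now".
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  report = cert_expiry_report(File.read(ARGV[0]))
  report.each { |s| puts "#{s.state}\t#{s.days_left}d\t#{s.subject}" }
  exit(1) unless report.all? { |s| s.state == :ok }
end
```

Run on a schedule against the certificate file the harvester actually loads, the non-zero exit can drive whatever alerting the host already has.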

hudajkhan commented 2 weeks ago

The puppet config for the certification file is here: https://github.com/sul-dlss/puppet/blob/production/hieradata/node/sul-reserves-prod.stanford.edu.eyaml#L111 . Stored in vault normally.

hudajkhan commented 2 weeks ago

I am going to go ahead and request a new one through the certificate manager for now. We can go through process details later. I haven't received any emails about the certification myself.

hudajkhan commented 2 weeks ago

Since this seems like a renewal as opposed to requesting a certificate from scratch, I've followed the instructions on the page above and submitted a ticket: INC02131135

hudajkhan commented 2 weeks ago

We have received a renewed certificate and I have uploaded it to vault.

hudajkhan commented 2 weeks ago

After some additional conversations with Helen and Josh, we have learned the following: The certificate we originally had was probably one shared with others. That particular one has since been deleted, in an effort to cut down on extra certificates. The certificate is now named "sul_harvester.cert" instead of "sul-harvester.cert". @jgreben has provided the new cert and key files.

The new files have been added to vault for both production and staging. We will need to put in a PR to course reserves to handle the file name change. We also need to update puppet for staging first, and then try the rake task manually to ensure that works correctly. After that, we can put in a PR for updating production.

hudajkhan commented 2 weeks ago

After much back and forth, what we now know is that the sul harvester certificate we had been using had since been removed. The sul_harvester certificate (with an underscore and not a hyphen) is not authorized for CourseClassXMLDoc and so the API requests for individual courses were failing with the certificate.

I have put in a new request for a certificate, and have named it sul-course.
Once I have the certificate, I'll test it out on staging and link the PRs to this issue.