Page MenuHomePhabricator
Create Task
Maniphest T267858

The certificate for upload.beta.wmflabs.org expired on November 13, 2020.
Closed, ResolvedPublic
Actions

Description

https://upload.beta.wmflabs.org/

Expected behavior: Being able to connect to the domain with a non-expired certificate
What happen instead: I can connect to the domain, but have to accept the expired certificate first.

Related Objects
Search...

Event Timeline

AlexisJazz created this task.Nov 14 2020, 2:39 PM
Restricted Application added a project: Traffic. · View Herald TranscriptNov 14 2020, 2:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Krenair subscribed.Nov 14 2020, 2:56 PM

Cert was renewed:

root@deployment-acme-chief03:~# openssl x509 -in /var/lib/acme-chief/certs/unified/live/rsa-2048.crt -noout -text | grep After
            Not After : Jan 12 05:01:51 2021 GMT

And the upload cache box has it too:

root@deployment-cache-upload06:~# openssl x509 -in /etc/acmecerts/unified/live/rsa-2048.crt -noout -text | grep After
            Not After : Jan 12 05:01:51 2021 GMT

Must've not been reloaded by ATS for some reason.

Restricted Application added a project: SRE. · View Herald TranscriptNov 14 2020, 2:56 PM
Krenair added a comment.Nov 14 2020, 3:01 PM

For some reason I had to do a full restart of the trafficserver-tls service on the cache-upload06 VM but it has loaded the latest cert now:

root@deployment-cache-upload06:~# openssl s_client -connect upload.beta.wmflabs.org:443 2>/dev/null | openssl x509 -noout -text | grep After
            Not After : Jan 12 06:00:26 2021 GMT
Krenair claimed this task.Nov 14 2020, 3:07 PM
Krenair added a subscriber: Vgutierrez.

@Vgutierrez FYI in case this could happen in prod too, I haven't been keeping track of changes lately. If we think it won't happen again or won't happen in prod (e.g. maybe it didn't restart because puppet is erroring somewhere in varnish code on this box?) then I guess we can close this

AlexisJazz added a subscriber: hashar.EditedNov 14 2020, 3:17 PM

Works now, thanks.

@hashar Could there be a relation with T267561? (very wild guess)

Vgutierrez added a comment.Nov 16 2020, 2:30 PM
In T267858#6622251, @Krenair wrote:

@Vgutierrez FYI in case this could happen in prod too, I haven't been keeping track of changes lately. If we think it won't happen again or won't happen in prod (e.g. maybe it didn't restart because puppet is erroring somewhere in varnish code on this box?) then I guess we can close this

We haven't experienced this issue in prod, the renewal cycle goes as expected and puppet triggers the reload of trafficserver-tls, but puppet erroring as you mentioned could be causing the issue for you in beta

Krenair closed this task as Resolved.Nov 16 2020, 7:55 PM
AlexisJazz mentioned this in T271808: The certificate for upload.beta.wmflabs.org expired on January 12, 2021..Jan 12 2021, 12:44 PM
AlexisJazz mentioned this in T271778: Issues with acme-chief cert rotation on deployment-prep, 2021-01-12.Jan 14 2021, 11:00 PM
AlexisJazz mentioned this in T293251: The certificate for upload.wikimedia.beta.wmflabs.org expired on October 9, 2021..Oct 13 2021, 2:04 PM
AlexisJazz mentioned this in T293070: upload.wikimedia.beta.wmflabs.org certificate expired (October 2021).Oct 13 2021, 2:10 PM
AlexisJazz added a parent task: T293585: [epic] The SSL certificate for Beta cluster domains fails to properly renew & deploy.Oct 17 2021, 9:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL