Check that Nextcloud and Collabora certificates updates properly
Closed, Resolved | Public | 8 Estimated Story Points

Description

Make sure that the certificates for nextcloud.wikimedia.se and collabora.wikimedia.se are updated. This should be taken care of by the Nextcloud snap installation; failing that, drift@wikimedia.se should receive a mail.

The current certificates last until 2018-09-12.

Event Timeline

Vvjjkkii renamed this task from Check that nextcloud and collabora certificates updates properly to oqaaaaaaaa. (Jul 1 2018, 1:03 AM)
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
CommunityTechBot renamed this task from oqaaaaaaaa to Check that nextcloud and collabora certificates updates properly. (Jul 2 2018, 4:40 AM)
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description.
Jopparn renamed this task from Check that nextcloud and collabora certificates updates properly to Check that Nextcloud and Collabora certificates updates properly. (Jul 6 2018, 2:13 PM)
Jopparn subscribed.

Am I understanding correctly that nothing will be done with this until after 2018-09-12?

I've added a reminder (to myself) to check this a week before that, unless we get an e-mail earlier. The certificates should have been updated by then.

Apparently, the automatic update wasn't set up properly; we got mails about renewing manually. There is a link to how to do this automatically in the mails that I will have a look at.

Would you mind taking a look at the wikimedia.se one as well?

That one seems fine. The current certificate is valid until 2018-10-31 and was created 2018-08-02.

Sebastian_Berlin-WMSE removed the point value for this task.
Sebastian_Berlin-WMSE set the point value for this task to 8.

Thanks. This one seems to be running in root's crontab and my crontab (with the latter failing). Probably just a leftover of some early experimenting.

There seems to be some problem with access to a directory that Certbot needs.

Full log:

```
$ sudo snap run nextcloud.renew-certs
Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log

-------------------------------------------------------------------------------
Processing
/var/snap/nextcloud/current/certs/certbot/config/renewal/nextcloud.wikimedia.se.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nextcloud:webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.wikimedia.se
http-01 challenge for collabora.wikimedia.se
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (nextcloud.wikimedia.se) from /var/snap/nextcloud/current/certs/certbot/config/renewal/nextcloud.wikimedia.se.conf produced an unexpected error: Failed authorization procedure. collabora.wikimedia.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://collabora.wikimedia.se/.well-known/acme-challenge/<HASH>: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", nextcloud.wikimedia.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://nextcloud.wikimedia.se/.well-known/acme-challenge/<HASH>: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /var/snap/nextcloud/current/certs/certbot/config/live/nextcloud.wikimedia.se/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
 /var/snap/nextcloud/current/certs/certbot/config/live/nextcloud.wikimedia.se/fullchain.pem (failure)
-------------------------------------------------------------------------------
Running post-hook command: restart-apache
Output from restart-apache:
Restarting apache... done

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

 Domain: collabora.wikimedia.se
 Type: unauthorized
 Detail: Invalid response from
 http://collabora.wikimedia.se/.well-known/acme-challenge/<HASH>:
 "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p"

 Domain: nextcloud.wikimedia.se
 Type: unauthorized
 Detail: Invalid response from
 http://nextcloud.wikimedia.se/.well-known/acme-challenge/<HASH>:
 "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>404 Not Found</title>
 </head><body>
 <h1>Not Found</h1>
 <p"

 To fix these errors, please make sure that your domain name was
 entered correctly and the DNS A/AAAA record(s) for that domain
 contain(s) the right IP address.
```
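
An added example, not part of the task thread or of the Nextcloud snap: a small parser that turns renewal output like the log above into a structured failure report that a scheduled check could alert on. `SAMPLE_LOG` is constructed (abridged from the log above), and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the renewal log above, line numbers removed.
SAMPLE_LOG = """\
All renewal attempts failed. The following certs could not be renewed:
 /var/snap/nextcloud/current/certs/certbot/config/live/nextcloud.wikimedia.se/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

 Domain: collabora.wikimedia.se
 Type: unauthorized
 Detail: Invalid response from
 http://collabora.wikimedia.se/.well-known/acme-challenge/<HASH>:
 <title>404 Not Found</title>

 Domain: nextcloud.wikimedia.se
 Type: unauthorized
 Detail: Invalid response from
 http://nextcloud.wikimedia.se/.well-known/acme-challenge/<HASH>:
 <title>404 Not Found</title>
"""

def parse_renewal_log(text):
    """Return failed lineages, summary counts and per-domain ACME errors."""
    report = {"failed_certs": [], "renew_failures": 0, "parse_failures": 0, "domains": {}}
    # The failure list is printed twice in the log; keep each lineage once.
    for path in re.findall(r"^\s*(\S+\.pem) \(failure\)", text, re.M):
        if path not in report["failed_certs"]:
            report["failed_certs"].append(path)
    m = re.search(r"(\d+) renew failure\(s\), (\d+) parse failure\(s\)", text)
    if m:
        report["renew_failures"], report["parse_failures"] = int(m.group(1)), int(m.group(2))
    # Each server-reported error is a "Domain:" block ending at the next blank line.
    for block in re.split(r"\n\s*\n", text):
        dom = re.search(r"^\s*Domain: (\S+)", block, re.M)
        typ = re.search(r"^\s*Type:\s+(\S+)", block, re.M)
        if dom and typ:
            report["domains"][dom.group(1)] = {
                "type": typ.group(1),
                # A 404 body means the web server did not serve the challenge file.
                "challenge_404": "404 Not Found" in block,
            }
    return report

def needs_attention(report):
    # True when any lineage failed to renew or a renewal config failed to parse.
    return bool(report["failed_certs"] or report["renew_failures"] or report["parse_failures"])
```

A `challenge_404` of true for every domain, as here, points at the webroot not being served rather than at DNS, which matches the directory-access problem described in the comment above.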

I've managed to get Nextcloud to work again and renew the certificate. The solution was to copy /var/snap/nextcloud/current/certs/ from an old backup when the certificate worked. After this, I managed to renew the certificates, now valid until December 10. This goes for both nextcloud.wikimedia.se and collabora.wikimedia.se. Not sure if it will manage to renew automatically next time, so I'll keep an eye on that.

Also, while Collabora seems to be up and running, Nextcloud can't connect to it, for some reason.

Collabora is up again and seems to work. Not sure if I did something important or if you just have to wait a bit after a server reboot.