Page MenuHomePhabricator
Create Task
Maniphest T204993

Update certspotter
Open, Needs TriagePublic
Actions

Description

In January 2017 we started using certspotter (T155807: Monitor Certificate Transparency (CT) logs) to monitor CT logs for things being issued for our domains.
At some point, CT servers started failing a lot and this generated cronspam (T162327: certspotter on einsteinium has issues talking to external, T159137: certspotter: Error retrieving STH from log).
Eventually the cron was disabled in https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/428367/
Unfortunately the list of CT servers was hardcoded. Newer certspotter versions have apparently fixed this, so we should update to a new version that doesn't have the issue and re-enable.
(opened per discussion in #wikimedia-traffic earlier)

Details

SubjectRepoBranchLines +/-
certspotter: switch to a local CT logs listoperations/puppetproduction+200 -3
certspotter: update package and replace cron with systemd timeroperations/puppetproduction+48 -41
Revert "certspotter: temporarily disable cron job"operations/puppetproduction+0 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krenair created this task.Sep 20 2018, 5:58 PM
Restricted Application added a project: SRE. · View Herald TranscriptSep 20 2018, 5:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Krenair added a parent task: T204994: Integrate certspotter with certcentral to avoid certspotter notifying us on legitimate certs generated by our certcentral boxes.Sep 20 2018, 6:02 PM
MoritzMuehlenhoff added subscribers: faidon, MoritzMuehlenhoff.Sep 24 2018, 10:10 AM

Adding the Debian maintainer :-) This seems fixed in 0.9-1 so updating stretch-backports to 0.9 could fix this.

MoritzMuehlenhoff triaged this task as Medium priority.Sep 24 2018, 10:10 AM
ema moved this task from Backlog to TLS on the Traffic board.Oct 1 2018, 9:13 AM
faidon added a comment.Oct 3 2018, 12:06 AM
In T204993#4610222, @MoritzMuehlenhoff wrote:

Adding the Debian maintainer :-) This seems fixed in 0.9-1 so updating stretch-backports to 0.9 could fix this.

This is now done :)

Krenair added a comment.Oct 6 2018, 5:45 PM

So now we just pin the certspotter package to release a=stretch-backports?

Krenair added a comment.EditedOct 6 2018, 5:47 PM

Actually it looks like it wasn't in stretch to stretch-backports has highest priority anyway. So the host just needs the package upgraded..?

faidon added a comment.Oct 9 2018, 10:14 AM

einstenium and tegmen still run jessie and I didn't build a version for jessie-wikimedia. I believe they're being migrated to stretch as we speak, so maybe we should just wait for that.

Krenair added a comment.Oct 9 2018, 10:45 AM

T202782: upgrade icinga server to stretch and replace einsteinium for einsteinium, not sure about tegmen

Krenair added a comment.Nov 22 2018, 11:59 PM

@faidon: Is this now done?

MoritzMuehlenhoff added subscribers: herron, Dzahn, colewhite.Nov 23 2018, 8:05 AM

The Icinga servers in production are now running 0.9-1~bpo9+1, but the Cron job still needs to be re-instated.

gerritbot subscribed.Nov 23 2018, 11:01 AM

Change 475453 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] Revert "certspotter: temporarily disable cron job"

https://gerrit.wikimedia.org/r/475453

gerritbot added a project: Patch-For-Review.Nov 23 2018, 11:01 AM
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 10:25 PM
Dzahn added a comment.Oct 23 2020, 9:47 PM

What is the status of this nowadays? I ran across it in a different matter while looking for absented crons and found the TODO and link in code that points over here and to the pending patch above. It's been some time since November 2018. Can we just re-enable it or is there more to it?

gerritbot added a comment.Nov 18 2020, 6:48 PM

Change 475453 had a related patch set uploaded (by Dzahn; owner: Alex Monk):
[operations/puppet@production] Revert "certspotter: temporarily disable cron job"

https://gerrit.wikimedia.org/r/475453

gerritbot added a comment.Nov 18 2020, 6:51 PM

Change 475453 merged by Dzahn:
[operations/puppet@production] Revert "certspotter: temporarily disable cron job"

https://gerrit.wikimedia.org/r/475453

Dzahn added a comment.Nov 18 2020, 6:59 PM

on icinga1001, alert1001: crons reactivated:

Notice: /Stage[main]/Certspotter/Cron[certspotter]/ensure: created
Dzahn closed this task as Resolved.Nov 18 2020, 7:32 PM
Dzahn claimed this task.

What I know here is:

  • meanwhile icinga servers are on buster
  • reviewers approved reverting the "disable cron job"
  • I merged it, crons are enabled again and announced it on IRC
  • on icinga1001 there is certspotter 0.9-1~bpo9+1
  • this ticket is from 2018

So based on that I am now assuming we can call it resolved.

Dzahn reopened this task as Open.Nov 19 2020, 12:00 AM

After seeing quite a bit of cronspam from this, I reverted the change again and reopening this.

The list of servers needs to be updated it seems. There are "misbehaving" and non-existing servers. f.e.:

Get https://ct.ws.symantec.com/ct/v1/get-sth: dial tcp: lookup ct.ws.symantec.com on 10.3.0.1:53: server misbehaving

Get https://ctlog-gen2.api.venafi.com/ct/v1/get-sth: dial tcp: lookup ctlog-gen2.api.venafi.com on 10.3.0.1:53: server misbehaving

 Get https://ct2.digicert-ct.com/log/ct/v1/get-sth: dial tcp: lookup ct2.digicert-ct.com on 10.3.0.1:53: no such host

see details in root mail from icinga1001 of today, Nov 18th 2020.

Dzahn removed Dzahn as the assignee of this task.Nov 19 2020, 12:00 AM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM
BBlack subscribed.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

ssingh claimed this task.Feb 28 2022, 3:10 PM
gerritbot added a comment.Mar 4 2022, 3:28 PM

Change 768065 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] certspotter: update package and replace cron with systemd timer

https://gerrit.wikimedia.org/r/768065

Stashbot added a comment.Mar 10 2022, 3:33 PM

Mentioned in SAL (#wikimedia-operations) [2022-03-10T15:33:23Z] <sukhe> upload certspotter 0.10-1wm1 to apt.wm.o - T204993

gerritbot added a comment.Mar 10 2022, 3:36 PM

Change 768065 merged by Ssingh:

[operations/puppet@production] certspotter: update package and replace cron with systemd timer

https://gerrit.wikimedia.org/r/768065

gerritbot added a comment.Apr 1 2022, 3:27 PM

Change 776217 had a related patch set uploaded (by Ssingh; author: Ssingh):

[operations/puppet@production] certspotter: switch to a local CT logs list

https://gerrit.wikimedia.org/r/776217

gerritbot added a comment.Apr 4 2022, 2:48 PM

Change 776217 merged by Ssingh:

[operations/puppet@production] certspotter: switch to a local CT logs list

https://gerrit.wikimedia.org/r/776217

BBlack moved this task from Backlog to Revive/Active? on the Traffic-Icebox board.Apr 7 2022, 9:08 PM
ssingh edited projects, added Traffic; removed Traffic-Icebox.Apr 12 2022, 1:38 PM
MoritzMuehlenhoff added a comment.Feb 10 2023, 8:36 AM

0.15 has been uploaded to Debian and certspotter is now a proper daemon:
https://tracker.debian.org/news/1419591/accepted-certspotter-0150-1-source-into-unstable/

BCornwall moved this task from TLS to Ready for work on the Traffic board.Mar 24 2023, 10:43 PM
BCornwall raised the priority of this task from Medium to Needs Triage.Mar 30 2023, 8:58 PM
BCornwall removed a project: SRE.
BCornwall moved this task from Ready for work to Backlog on the Traffic board.Mar 30 2023, 9:01 PM
BCornwall closed subtask T303593: increase of network errors on alert1001 after certspotter has been enabled as Resolved.May 1 2023, 4:59 PM
Aklapper removed a project: Patch-For-Review.Fri, Apr 12, 11:01 AM
ssingh removed ssingh as the assignee of this task.Mon, Apr 15, 1:51 PM
ssingh subscribed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL