retrying policy currently ignores self_signed status
Closed, ResolvedPublic

Description

Our current retrying policy applies exponential backoff to the following states:

  • CSR_PUSHED
  • CHALLENGES_VALIDATED
  • CHALLENGES_PUSHED

And slow retries (1 day) to:

  • CHALLENGES_REJECTED
  • CERTIFICATE_ISSUED

At the same time, certcentral will set the status of a certificate to SELF_SIGNED when a non-recoverable error is found during the certificate issuance process.
Let's consider a brand new certificate, on config reload certcentral assigns the status INITIAL, generates the self signed certificate and moves it to SELF_SIGNED status. After that, certcentral will attempt to get a valid certificate from the configured ACME directory. If the process fails with a non-resumable error like the one described in T207737 certcentral will end setting the status again to SELF_SIGNED:

INITIAL --> SELF_SIGNED --> LE rejects the CSR --> SELF_SIGNED --> LE rejects the CSR --> SELF_SIGNED...

This is exactly the behaviour observed in the logs attached in T208326.

Certcentral must consider this as an additional status where the retrying policy is honoured rather than abusing the SELF_SIGNED status to restart the certificate issuance process from cercentral's point of view.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 31 2018, 9:02 AM
Vgutierrez triaged this task as Normal priority.Oct 31 2018, 9:03 AM

Change 470790 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] certcentral: Stop abusing SELF_SIGNED status to signal errors

https://gerrit.wikimedia.org/r/470790

Change 470790 merged by jenkins-bot:
[operations/software/certcentral@master] certcentral: Stop abusing SELF_SIGNED status to signal errors

https://gerrit.wikimedia.org/r/470790

Change 471760 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@master] Release 0.5

https://gerrit.wikimedia.org/r/471760

Change 471760 merged by Vgutierrez:
[operations/software/certcentral@master] Release 0.5

https://gerrit.wikimedia.org/r/471760

Change 471761 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] certcentral: Stop abusing SELF_SIGNED status to signal errors

https://gerrit.wikimedia.org/r/471761

Change 471763 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] Release 0.5

https://gerrit.wikimedia.org/r/471763

Change 471761 merged by jenkins-bot:
[operations/software/certcentral@debian] certcentral: Stop abusing SELF_SIGNED status to signal errors

https://gerrit.wikimedia.org/r/471761

Change 471763 merged by jenkins-bot:
[operations/software/certcentral@debian] Release 0.5

https://gerrit.wikimedia.org/r/471763

Change 471764 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/certcentral@debian] debian: add release 0.5 to changelog

https://gerrit.wikimedia.org/r/471764

Change 471764 merged by jenkins-bot:
[operations/software/certcentral@debian] debian: add release 0.5 to changelog

https://gerrit.wikimedia.org/r/471764

Stashbot added a subscriber: Stashbot.

Mentioned in SAL (#wikimedia-operations) [2018-11-05T16:48:41Z] <vgutierrez> uploaded certcentral 0.5 to apt.wikimedia.org (stretch) - T208572 T208378

Vgutierrez closed this task as Resolved.Nov 6 2018, 1:10 PM