acme-chief staging time not working as expected
Closed, Resolved · Public

Description

A quick review of /var/lib/acme-chief/certs/wikibase shows that the staging_time setting has been ignored:

drwxr-x---  2 acme-chief acme-chief 4.0K May 27 14:00 62aba44ab023477aa136b38ada6dc4f1
lrwxrwxrwx  1 acme-chief acme-chief   32 May 27 14:00 live -> 62aba44ab023477aa136b38ada6dc4f1
lrwxrwxrwx  1 acme-chief acme-chief   32 May 27 14:00 new -> 62aba44ab023477aa136b38ada6dc4f1

Note that the ctime for new and live is exactly the same, and the cert issue date matches the live symlink ctime:

root@acmechief1001:/var/lib/acme-chief/certs/wikibase# openssl x509 -noout -dates -in live/rsa-2048.crt
notBefore=May 27 13:00:35 2019 GMT

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 17 2019, 3:44 PM
Vgutierrez triaged this task as High priority. Jun 17 2019, 3:44 PM
Vgutierrez added a project: Traffic.
Restricted Application added a project: Operations. Jun 17 2019, 3:45 PM
Vgutierrez moved this task from Triage to TLS on the Traffic board. Jun 17 2019, 3:46 PM

Change 517605 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] acme_chief: Enforce staging time validation

https://gerrit.wikimedia.org/r/517605

Change 517605 merged by jenkins-bot:
[operations/software/acme-chief@master] acme_chief: Enforce staging time validation

https://gerrit.wikimedia.org/r/517605

Change 520694 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.18

https://gerrit.wikimedia.org/r/520694

Change 520694 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.18

https://gerrit.wikimedia.org/r/520694

Change 520697 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] acme_chief: Enforce staging time validation

https://gerrit.wikimedia.org/r/520697

Change 520698 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.18

https://gerrit.wikimedia.org/r/520698

Change 520699 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.18 to changelog

https://gerrit.wikimedia.org/r/520699

Change 520697 merged by jenkins-bot:
[operations/software/acme-chief@debian] acme_chief: Enforce staging time validation

https://gerrit.wikimedia.org/r/520697

Change 520698 merged by jenkins-bot:
[operations/software/acme-chief@debian] Release 0.18

https://gerrit.wikimedia.org/r/520698

Change 520699 merged by jenkins-bot:
[operations/software/acme-chief@debian] debian: Add release 0.18 to changelog

https://gerrit.wikimedia.org/r/520699

Mentioned in SAL (#wikimedia-operations) [2019-07-04T08:22:39Z] <vgutierrez> uploaded acme-chief 0.18 to apt.wikimedia.org (buster) - T225945

Mentioned in SAL (#wikimedia-operations) [2019-07-04T08:29:16Z] <vgutierrez> upgrading acme-chief to version 0.18 in acme-chief test instances - T225945

Change 521421 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] acme_chief: Avoid retrying too eagerly on CERTIFICATE_STAGED status

https://gerrit.wikimedia.org/r/521421

Change 521421 merged by Vgutierrez:
[operations/software/acme-chief@master] acme_chief: Avoid retrying too eagerly on CERTIFICATE_STAGED status

https://gerrit.wikimedia.org/r/521421

Change 521834 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.19

https://gerrit.wikimedia.org/r/521834

Change 521834 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.19

https://gerrit.wikimedia.org/r/521834

Change 522237 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] acme_chief: Avoid retrying too eagerly on CERTIFICATE_STAGED status

https://gerrit.wikimedia.org/r/522237

Change 522238 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.19

https://gerrit.wikimedia.org/r/522238

Change 522239 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.19 to changelog

https://gerrit.wikimedia.org/r/522239

Change 522237 merged by jenkins-bot:
[operations/software/acme-chief@debian] acme_chief: Avoid retrying too eagerly on CERTIFICATE_STAGED status

https://gerrit.wikimedia.org/r/522237

Change 522238 merged by jenkins-bot:
[operations/software/acme-chief@debian] Release 0.19

https://gerrit.wikimedia.org/r/522238

Change 522239 merged by jenkins-bot:
[operations/software/acme-chief@debian] debian: Add release 0.19 to changelog

https://gerrit.wikimedia.org/r/522239

Mentioned in SAL (#wikimedia-operations) [2019-07-12T06:28:46Z] <vgutierrez> uploaded acme-chief 0.19 to apt.wikimedia.org (buster) - T225945

Mentioned in SAL (#wikimedia-operations) [2019-07-12T06:35:11Z] <vgutierrez> upgrading acme-chief to version 0.19 in acme-chief test instances - T225945

Mentioned in SAL (#wikimedia-operations) [2019-07-15T08:01:06Z] <vgutierrez> upgrading acme-chief to version 0.19 in acme-chief production instances - T225945

Is it working as expected now?

Vgutierrez closed this task as Resolved. Mon, Aug 19, 6:12 AM

Yes :) It's working as expected. The latest renewal of the unified and non-canonical-redirect cert sets has been done with the proper staging time, as an example:

vgutierrez@acmechief1001:~$ sudo -i ls -alh /var/lib/acme-chief/certs/unified/
[..snip..]
drwxr-x---  2 acme-chief acme-chief 4.0K Jul 26 10:05 a40ba19e20ff4516bb7906d154cf5539
lrwxrwxrwx  1 acme-chief acme-chief   32 Aug  2 07:07 live -> a40ba19e20ff4516bb7906d154cf5539
lrwxrwxrwx  1 acme-chief acme-chief   32 Jul 26 08:00 new -> a40ba19e20ff4516bb7906d154cf5539
vgutierrez@acmechief1001:~$ sudo -i openssl x509 -noout -dates -in /var/lib/acme-chief/certs/unified/live/rsa-2048.crt
notBefore=Jul 26 07:00:47 2019 GMT
notAfter=Oct 24 07:00:47 2019 GMT

The a40ba19e20ff4516bb7906d154cf5539 cert version was created on July 26th, but the live symlink was updated on August 2nd, after the 1 week staging time :)
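
The manual comparison done in this task (the date `ls -l` shows for the `live` symlink against the certificate's notBefore) can be scripted; the following is an added example, not code from acme-chief or from the task. It assumes the staging period is counted from notBefore and that the listing timestamps are UTC in 2019; the function names and the temporary-directory fixture are hypothetical.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

STAGING_TIME = timedelta(weeks=1)  # the "1 week staging time" mentioned in the task


def parse_not_before(openssl_dates):
    """Extract notBefore from `openssl x509 -noout -dates` output as aware UTC."""
    for line in openssl_dates.splitlines():
        if line.startswith("notBefore="):
            stamp = line.split("=", 1)[1].strip()
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notBefore line in openssl output")


def staging_gap(cert_dir, not_before):
    """Delay between issuance and the moment `live` was pointed at the version."""
    # lstat() reads the symlink itself; its mtime is the date `ls -l` prints.
    link = os.lstat(os.path.join(cert_dir, "live"))
    promoted = datetime.fromtimestamp(link.st_mtime, tz=timezone.utc)
    return promoted - not_before


def staging_respected(cert_dir, not_before, staging_time=STAGING_TIME):
    """True when `live` was promoted no earlier than staging_time after issuance."""
    return staging_gap(cert_dir, not_before) >= staging_time


def build_sample(live_promoted_at):
    """Constructed fixture: a version directory plus a back-dated `live` symlink."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "version"))
    link = os.path.join(root, "live")
    os.symlink("version", link)
    ts = live_promoted_at.timestamp()
    os.utime(link, (ts, ts), follow_symlinks=False)  # set the link's own mtime
    return root


if __name__ == "__main__":
    utc = timezone.utc
    # Timestamps re-typed from the two listings in the task (year and UTC assumed).
    broken = build_sample(datetime(2019, 5, 27, 14, 0, tzinfo=utc))
    fixed = build_sample(datetime(2019, 8, 2, 7, 7, tzinfo=utc))
    print(staging_respected(broken, parse_not_before("notBefore=May 27 13:00:35 2019 GMT")))
    print(staging_respected(fixed, parse_not_before("notBefore=Jul 26 07:00:47 2019 GMT")))
```

On a real host, pass the certificate directory and the output of the `openssl x509 -noout -dates` command shown above instead of the fixture.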