Description

During the hectic DNS refactorings going on in T240285, T98006, etc., one of the consequences was removing the listener from port 53 on the authdnsNNNN boxes' own host IPs (vs the service IP). This has broken acme_chief's ability to hit them for local challenge validation. There are a few different paths we can take for a proper fix on Monday, but for now I'm just doing the simplest reliable hack I can for the weekend and opening this ticket as a reminder to fix it.
Event Timeline
Change 556806 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Temp fixup for acme_chief challenge validation
Change 556806 merged by BBlack:
[operations/puppet@production] Temp fixup for acme_chief challenge validation
Change 569754 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] dns-01: Support custom DNS server port
Change 569754 merged by Vgutierrez:
[operations/software/acme-chief@master] dns-01: Support custom DNS server port
Change 570035 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.22
Change 570035 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.22
Change 570037 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog
Change 570039 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port
Change 570039 merged by Vgutierrez:
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port
Change 570040 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.22
Change 570040 merged by Vgutierrez:
[operations/software/acme-chief@debian] Release 0.22
Change 570037 merged by Vgutierrez:
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog
Change 570041 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353
Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:10:46Z] <vgutierrez> uploaded acme-chief 0.22 to apt.wm.o (buster) - T240614
Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:23:48Z] <vgutierrez> upgrading acme-chief to version 0.22 - T240614
Change 570041 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353
Solved in acme-chief 0.22: now we can set an arbitrary DNS port to validate the DNS-01 challenges on the acme-chief side.
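The local pre-check that the ticket is about, written out as an added, stdlib-only example (this is not acme-chief's or Wikimedia's code, and says nothing about how acme-chief actually implements it): before asking the CA to validate a dns-01 challenge, query the authoritative server directly on a configurable host and port, insist on an authoritative answer with a matching transaction id, and confirm the expected `_acme-challenge` TXT value is present. The port 5353 and the idea of querying authdns directly come from the ticket; the function names, the example zone name and the token value are constructed for the demonstration.

```python
"""Offline-testable dns-01 pre-check against an authoritative server on a custom port.
Added example; not acme-chief's code. Only the port 5353 comes from the ticket."""
import socket
import struct

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """TXT/IN query with RD=0: we are talking to an authoritative server, not a resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just past it in the message)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_txt_response(msg: bytes, expected_txid: int):
    """Return (aa_flag, [txt strings]); reject id mismatches, non-responses and error rcodes."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if (flags & 0x8000) == 0:
        raise ValueError("not a response")
    if (flags & 0x000F) != 0:
        raise ValueError(f"rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip qtype + qclass
    txts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_IN:
            i, parts = 0, []  # TXT RDATA is a sequence of <len><bytes> character-strings
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            txts.append("".join(parts))
    return bool(flags & 0x0400), txts


def build_txt_response(txid: int, name: str, txts, aa: bool = True) -> bytes:
    """Construct a minimal response so the parser can be exercised offline (test fixture)."""
    flags = 0x8000 | (0x0400 if aa else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(txts), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    for txt in txts:
        raw = txt.encode("ascii")
        if len(raw) > 255:
            raise ValueError("single character-string limit is 255 bytes")
        rdata = bytes([len(raw)]) + raw
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 0, len(rdata)) + rdata
    return msg


def challenge_present(msg: bytes, txid: int, expected: str) -> bool:
    """True only for an authoritative answer that carries the expected challenge value."""
    aa, txts = parse_txt_response(msg, txid)
    return aa and expected in txts


def query_txt_over_udp(server: str, port: int, name: str, txid: int, timeout: float = 2.0) -> bytes:
    """Send the query to server:port (e.g. an authdns host IP on 5353) and return the raw reply."""
    family, _, _, _, addr = socket.getaddrinfo(server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), addr)
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    # Offline demo with a constructed reply; replace with query_txt_over_udp(host, 5353, ...) live.
    tid, zone = 0x1234, "_acme-challenge.example.org"
    reply = build_txt_response(tid, zone, ["constructed-token-value"])
    print("challenge present:", challenge_present(reply, tid, "constructed-token-value"))
```

The two checks that matter for a validation path like this are the transaction-id match (so a delayed reply to an earlier query cannot satisfy a later one) and the AA flag (so a cached or forwarded answer from something that is not the authority is not mistaken for proof that the zone has been updated).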