Page MenuHomePhabricator
Create Task
Maniphest T240614

Fix acme-chief DNS validation correctly
Closed, ResolvedPublic
Actions

Description

During the hectic DNS refactorings going on in T240285, T98006, etc... one of the consequences was removing the listener from port 53 on the authdnsNNNN boxes' own host IPs (vs service IP). This has broken acme_chief's ability to hit them for local challenge validation. There's a few different paths we can take for a proper fix on Monday, but for now I'm just doing the simplest reliable hack I can for the weekend and opening this ticket to remind to fix.

Details

SubjectRepoBranchLines +/-
acme_chief: Hit auth dns servers on port 5353operations/puppetproduction+3 -10
debian: Add release 0.22 to changelogoperations/software/acme-chiefdebian+7 -0
Release 0.22operations/software/acme-chiefdebian+2 -2
dns-01: Support custom DNS server portoperations/software/acme-chiefdebian+28 -12
Release 0.22operations/software/acme-chiefmaster+2 -2
dns-01: Support custom DNS server portoperations/software/acme-chiefmaster+28 -12
Temp fixup for acme_chief challenge validationoperations/puppetproduction+10 -1
Customize query in gerrit

Related Objects

Event Timeline

BBlack triaged this task as High priority.Dec 12 2019, 8:43 PM
BBlack created this task.
Restricted Application added a project: SRE. · View Herald TranscriptDec 12 2019, 8:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Dec 12 2019, 8:45 PM

Change 556806 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Temp fixup for acme_chief challenge validation

https://gerrit.wikimedia.org/r/556806

gerritbot added a project: Patch-For-Review.Dec 12 2019, 8:45 PM

Change 556806 merged by BBlack:
[operations/puppet@production] Temp fixup for acme_chief challenge validation

https://gerrit.wikimedia.org/r/556806

Maintenance_bot removed a project: Patch-For-Review.Dec 12 2019, 9:10 PM
ema moved this task from Backlog to Some old column on the Traffic board.Dec 13 2019, 8:47 AM
jcrespo moved this task from Backlog to Acknowledged on the SRE board.Dec 13 2019, 9:24 AM
gerritbot added a comment.Feb 4 2020, 8:07 AM

Change 569754 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/569754

gerritbot added a project: Patch-For-Review.Feb 4 2020, 8:07 AM
gerritbot added a comment.Feb 4 2020, 12:26 PM

Change 569754 merged by Vgutierrez:
[operations/software/acme-chief@master] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/569754

gerritbot added a comment.Feb 4 2020, 12:30 PM

Change 570035 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.22

https://gerrit.wikimedia.org/r/570035

gerritbot added a comment.Feb 4 2020, 12:35 PM

Change 570035 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.22

https://gerrit.wikimedia.org/r/570035

gerritbot added a comment.Feb 4 2020, 12:45 PM

Change 570037 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog

https://gerrit.wikimedia.org/r/570037

gerritbot added a comment.Feb 4 2020, 12:46 PM

Change 570039 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/570039

gerritbot added a comment.Feb 4 2020, 12:50 PM

Change 570039 merged by Vgutierrez:
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/570039

gerritbot added a comment.Feb 4 2020, 12:51 PM

Change 570040 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.22

https://gerrit.wikimedia.org/r/570040

gerritbot added a comment.Feb 4 2020, 12:56 PM

Change 570040 merged by Vgutierrez:
[operations/software/acme-chief@debian] Release 0.22

https://gerrit.wikimedia.org/r/570040

gerritbot added a comment.Feb 4 2020, 12:57 PM

Change 570037 merged by Vgutierrez:
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog

https://gerrit.wikimedia.org/r/570037

gerritbot added a comment.Feb 4 2020, 1:01 PM

Change 570041 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353

https://gerrit.wikimedia.org/r/570041

Stashbot added a comment.Feb 4 2020, 1:10 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:10:46Z] <vgutierrez> uploaded acme-chief 0.22 to apt.wm.o (buster) - T240614

Stashbot added a comment.Feb 4 2020, 1:23 PM

Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:23:48Z] <vgutierrez> upgrading acme-chief to version 0.22 - T240614

gerritbot added a comment.Feb 4 2020, 1:30 PM

Change 570041 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353

https://gerrit.wikimedia.org/r/570041

Vgutierrez closed this task as Resolved.Feb 4 2020, 1:34 PM
Vgutierrez claimed this task.
Vgutierrez subscribed.

Solved in acme-chief 0.22, now we can set an arbitrary DNS port to validate the DNS-01 challenges on the acme-chief side

Vgutierrez mentioned this in T243948: SSL CRITICAL - OCSP staple validity for www.wikipedia.bg has X seconds left.Feb 4 2020, 1:42 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 4 2020, 2:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL