
Fix acme-chief DNS validation correctly
Closed, Resolved · Public

Description

During the hectic DNS refactorings going on in T240285, T98006, etc. one of the consequences was removing the listener from port 53 on the authdnsNNNN boxes' own host IPs (vs service IP). This has broken acme_chief's ability to hit them for local challenge validation. There are a few different paths we can take for a proper fix on Monday, but for now I'm just doing the simplest reliable hack I can for the weekend and opening this ticket to remind to fix.

Details

Related Gerrit Patches:
operations/puppet (production): acme_chief: Hit auth dns servers on port 5353
operations/software/acme-chief (debian): debian: Add release 0.22 to changelog
operations/software/acme-chief (debian): Release 0.22
operations/software/acme-chief (debian): dns-01: Support custom DNS server port
operations/software/acme-chief (master): Release 0.22
operations/software/acme-chief (master): dns-01: Support custom DNS server port
operations/puppet (production): Temp fixup for acme_chief challenge validation

Event Timeline

BBlack triaged this task as High priority. Dec 12 2019, 8:43 PM
BBlack created this task.
Restricted Application added a project: Operations. Dec 12 2019, 8:43 PM
Restricted Application added a subscriber: Aklapper.

Change 556806 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] Temp fixup for acme_chief challenge validation

https://gerrit.wikimedia.org/r/556806

Change 556806 merged by BBlack:
[operations/puppet@production] Temp fixup for acme_chief challenge validation

https://gerrit.wikimedia.org/r/556806

ema moved this task from Triage to DNS Infra on the Traffic board. Dec 13 2019, 8:47 AM
jcrespo moved this task from Backlog to Acknowledged on the Operations board. Dec 13 2019, 9:24 AM

Change 569754 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/569754

Change 569754 merged by Vgutierrez:
[operations/software/acme-chief@master] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/569754

Change 570035 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.22

https://gerrit.wikimedia.org/r/570035

Change 570035 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.22

https://gerrit.wikimedia.org/r/570035

Change 570037 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog

https://gerrit.wikimedia.org/r/570037

Change 570039 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/570039

Change 570039 merged by Vgutierrez:
[operations/software/acme-chief@debian] dns-01: Support custom DNS server port

https://gerrit.wikimedia.org/r/570039

Change 570040 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.22

https://gerrit.wikimedia.org/r/570040

Change 570040 merged by Vgutierrez:
[operations/software/acme-chief@debian] Release 0.22

https://gerrit.wikimedia.org/r/570040

Change 570037 merged by Vgutierrez:
[operations/software/acme-chief@debian] debian: Add release 0.22 to changelog

https://gerrit.wikimedia.org/r/570037

Change 570041 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353

https://gerrit.wikimedia.org/r/570041

Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:10:46Z] <vgutierrez> uploaded acme-chief 0.22 to apt.wm.o (buster) - T240614

Mentioned in SAL (#wikimedia-operations) [2020-02-04T13:23:48Z] <vgutierrez> upgrading acme-chief to version 0.22 - T240614

Change 570041 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Hit auth dns servers on port 5353

https://gerrit.wikimedia.org/r/570041

Vgutierrez closed this task as Resolved. Feb 4 2020, 1:34 PM
Vgutierrez claimed this task.
Vgutierrez added a subscriber: Vgutierrez.

Solved in acme-chief 0.22; now we can set an arbitrary DNS port to validate the DNS-01 challenges on the acme-chief side.
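The description and the closing comment both concern the same step: before handing a dns-01 challenge back to the CA, acme-chief queries the authoritative servers itself for the `_acme-challenge` TXT record, and after the refactoring that check has to target a non-standard port (5353 in the Puppet change) rather than assume port 53 on the host IP. The following is an added example of that local pre-validation, written for this page and not taken from acme-chief or the operations/puppet repository. It builds the TXT query and parses the reply by hand so it runs offline; the server address, the port, the challenge name and the key authorization string are all constructed placeholders, and `build_txt_response` only exists to fabricate a reply for the offline check.

```python
"""Local dns-01 pre-validation against an authoritative server on a custom port.

Added example (not acme-chief code). Wire format per RFC 1035; the TXT value
per RFC 8555 section 8.4 is base64url(SHA-256(keyAuthorization)) without padding.
"""
import base64
import hashlib
import random
import socket
import struct

TXT = 16  # RR type
IN = 1    # RR class


def dns01_expected_txt(key_authorization: str) -> str:
    """Value the CA expects to find in the _acme-challenge TXT record."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_txt_query(name: str, txid: int) -> bytes:
    """Header (RD=1, one question) followed by the TXT/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT, IN)


def _read_name(msg: bytes, off: int):
    """Read a possibly-compressed name; return (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_txt_answers(msg: bytes, txid: int):
    """Return the TXT strings in the answer section; reject mismatched id / error rcode."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:  # rdata is a sequence of <len><chars> strings
            pos, chunks = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                chunks.append(rdata[pos + 1:pos + 1 + n])
                pos += 1 + n
            texts.append(b"".join(chunks).decode("ascii"))
    return texts


def challenge_present(msg: bytes, txid: int, expected: str) -> bool:
    """True when the authoritative reply already carries the expected token."""
    return expected in parse_txt_answers(msg, txid)


def query_authoritative(server_ip: str, name: str, port: int = 5353, timeout: float = 2.0):
    """Live UDP query to one authoritative server on a custom port (not run offline)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (server_ip, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)


def build_txt_response(query: bytes, txt_values) -> bytes:
    """Constructed authoritative reply (AA=1) for offline testing; not a server."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8480, 1, len(txt_values), 0, 0)
    answers = b""
    for v in txt_values:
        raw = v.encode("ascii")
        rdata = struct.pack("!B", len(raw)) + raw
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 60, len(rdata)) + rdata
    return header + query[12:] + answers
```

In production the check would call `query_authoritative` once per authoritative server (the `authdnsNNNN` host IPs from the description, on the configured port) and only proceed to the CA when every server returns the expected value; querying the service IP alone can pass while a lagging replica still serves stale data.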