Page MenuHomePhabricator
Create Task
Maniphest T244232

acme-chief should be able to refresh OCSP stapling response even if the renewal process fails
Closed, ResolvedPublic
Actions

Description

As seen on T243948, currently acme-chief won't refresh the OCSP stapling response if for any reason it's unable to renew the certificate. Taking into account that a cert lives up to 3 months and OCSP responses only 1 week, acme-chief needs to renew them even if the renewal process is failing

Details

ProjectBranchLines +/-Subject
operations/software/acme-chiefdebian+10 -0debian: Add release 0.35 to changelog
operations/software/acme-chiefdebian+2 -2Release 0.35
operations/software/acme-chiefdebian+21 -7acme-chief: Unlink certificate renewal and OCSP handling
operations/software/acme-chiefmaster+2 -2Release 0.35
operations/software/acme-chiefmaster+21 -7acme-chief: Unlink certificate renewal and OCSP handling
Customize query in gerrit

Related Objects
Search...

Event Timeline

Vgutierrez triaged this task as Medium priority.Feb 4 2020, 1:41 PM
Vgutierrez created this task.
Vgutierrez moved this task from Backlog to TLS on the Traffic board.
Vgutierrez mentioned this in T243948: SSL CRITICAL - OCSP staple validity for www.wikipedia.bg has X seconds left.
jcrespo awarded a token.Feb 4 2020, 3:31 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

BBlack moved this task from Backlog to Minor TODO on the Traffic-Icebox board.Apr 13 2022, 8:31 PM
BCornwall claimed this task.Jul 26 2022, 3:53 PM
gerritbot added a comment.Aug 5 2022, 6:26 PM

Change 820795 had a related patch set uploaded (by BCornwall; author: BCornwall):

[operations/software/acme-chief@master] WIP: Run OCSP functions even if certs fail

https://gerrit.wikimedia.org/r/820795

gerritbot added a project: Patch-For-Review.Aug 5 2022, 6:26 PM
BCornwall changed the task status from Open to In Progress.Aug 24 2022, 7:22 PM
BCornwall raised the priority of this task from Medium to High.Aug 24 2022, 7:29 PM
gerritbot added a comment.Nov 3 2022, 3:37 PM

Change 820795 merged by Vgutierrez:

[operations/software/acme-chief@master] acme-chief: Unlink certificate renewal and OCSP handling

https://gerrit.wikimedia.org/r/820795

Vgutierrez mentioned this in rOSAC0f575af5fd61: acme-chief: Unlink certificate renewal and OCSP handling.Nov 3 2022, 3:53 PM
gerritbot added a comment.Nov 3 2022, 3:54 PM

Change 852917 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/software/acme-chief@master] Release 0.35

https://gerrit.wikimedia.org/r/852917

gerritbot added a comment.Nov 3 2022, 4:01 PM

Change 852917 merged by Vgutierrez:

[operations/software/acme-chief@master] Release 0.35

https://gerrit.wikimedia.org/r/852917

Vgutierrez mentioned this in rOSACe1adf172189f: Release 0.35.Nov 3 2022, 4:02 PM
gerritbot added a comment.Nov 3 2022, 4:17 PM

Change 852950 had a related patch set uploaded (by Vgutierrez; author: BCornwall):

[operations/software/acme-chief@debian] acme-chief: Unlink certificate renewal and OCSP handling

https://gerrit.wikimedia.org/r/852950

gerritbot added a comment.Nov 3 2022, 4:17 PM

Change 852951 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/software/acme-chief@debian] Release 0.35

https://gerrit.wikimedia.org/r/852951

gerritbot added a comment.Nov 3 2022, 4:35 PM

Change 852950 merged by jenkins-bot:

[operations/software/acme-chief@debian] acme-chief: Unlink certificate renewal and OCSP handling

https://gerrit.wikimedia.org/r/852950

Vgutierrez mentioned this in rOSAC571d39a078e9: acme-chief: Unlink certificate renewal and OCSP handling.Nov 3 2022, 4:36 PM
gerritbot added a comment.Nov 3 2022, 4:37 PM

Change 852951 merged by jenkins-bot:

[operations/software/acme-chief@debian] Release 0.35

https://gerrit.wikimedia.org/r/852951

Vgutierrez mentioned this in rOSAC004b2af4b223: Release 0.35.Nov 3 2022, 4:38 PM
Maintenance_bot removed a project: Patch-For-Review.Nov 3 2022, 5:31 PM
gerritbot added a comment.Nov 7 2022, 11:57 AM

Change 853951 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/software/acme-chief@debian] debian: Add release 0.35 to changelog

https://gerrit.wikimedia.org/r/853951

gerritbot added a project: Patch-For-Review.Nov 7 2022, 11:57 AM
gerritbot added a comment.Nov 7 2022, 12:02 PM

Change 853951 merged by Vgutierrez:

[operations/software/acme-chief@debian] debian: Add release 0.35 to changelog

https://gerrit.wikimedia.org/r/853951

Vgutierrez mentioned this in rOSAC4144adb51552: debian: Add release 0.35 to changelog.Nov 7 2022, 12:14 PM
Stashbot mentioned this in T262251: acme-chief shouldn't try to perform OCSP stapling of expired certs.Nov 14 2022, 10:07 AM

Mentioned in SAL (#wikimedia-operations) [2022-11-14T10:07:29Z] <vgutierrez> upload acme-chief 0.35 to apt.wm.o (buster-wikimedia) - T244232 T262251

BCornwall closed this task as Resolved.Nov 14 2022, 4:55 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL