Page MenuHomePhabricator

fix planet.wm.org redirect nitpick (was: missing from planet.discovery.wmnet Subject Alternative Name)
Closed, ResolvedPublic

Description

I have observed the following error while looking at unrelated things in the logs of ats-be:

Jul 13 09:04:09 cp1081 traffic_manager[1133]: [Jul 13 09:04:09.249] [ET_NET 63] ERROR: SSL connection failed for 'planet.wikimedia.org': error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Indeed the public hostname "planet.wikimedia.org" is missing from the certificate subjectAltName:

DNS:planet.discovery.wmnet, DNS:planet.svc.eqiad.wmnet, DNS:planet.svc.codfw.wmnet, DNS:planet1001.eqiad.wmnet, DNS:planet2001.codfw.wmnet, DNS:*.planet.wikimedia.org

Note that *.planet.wm.org is there, but planet.wm.org is missing.

We should:

  • fix the certificate
  • make sure these kind of errors end up in logstash

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change 612282 had a related patch set uploaded (by Ema; owner: Ema):
[operations/puppet@production] ATS: send 'SSL connection failed' errors to logstash

https://gerrit.wikimedia.org/r/612282

It was never expected that planet without a language prefix exists.

It's just that i recently added the "blank" domain to config because i wanted to fix that it shows the error page if somebody manually enters it, maybe trying to find the overview of all existing languages.

And I did not finish that yet.. what you describe is the next step, add it to the cert. I'll do that. But it's not like something here was broken that wasn't like this for a long time.

And I did not finish that yet.. what you describe is the next step, add it to the cert. I'll do that. But it's not like something here was broken that wasn't like this for a long time.

Yes, thanks @Dzahn! I spotted this in the logs only now. :)

ema triaged this task as Low priority.Jul 14 2020, 2:59 PM

Change 612282 merged by Ema:
[operations/puppet@production] ATS: send 'SSL connection failed' errors to logstash

https://gerrit.wikimedia.org/r/612282

Mentioned in SAL (#wikimedia-operations) [2020-07-15T17:32:37Z] <mutante> puppetmaster - revoking cert for planet.discovery.wmnet, add planet.wikimedia.org, remove planet.svc records, remove specific and outdated hostnames (T257840)

Change 612904 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] ssl/planet: update cert for planet.discovery.wmnet

https://gerrit.wikimedia.org/r/612904

Change 612904 merged by Dzahn:
[operations/puppet@production] ssl/planet: update cert for planet.discovery.wmnet

https://gerrit.wikimedia.org/r/612904

Dzahn raised the priority of this task from Low to Medium.Jul 15 2020, 5:48 PM

@ema Cert has been fixed. I added planet.wikimedia.org in addition to *.planet.wikimedia.org and removed "svc.eqiad/codfw" records and hardcoded host names that did not exist anymore (1001/2001).

before: DNS:planet.discovery.wmnet, DNS:planet.svc.eqiad.wmnet, DNS:planet.svc.codfw.wmnet, DNS:planet1001.eqiad.wmnet, DNS:planet2001.codfw.wmnet, DNS:*.planet.wikimedia.org

now: DNS:planet.discovery.wmnet, DNS:planet.wikimedia.org, DNS:*.planet.wikimedia.org

With existing Apache config https://planet.wikimedia.org redirects to https://meta.wikimedia.org/wiki/Planet_Wikimedia

You should not see these errors anymore.

That works! Nitpick: https://planet.wikimedia.org/test should probably send me to https://meta.wikimedia.org/wiki/Planet_Wikimedia, instead it points to https://meta.wikimedia.org/wiki/Planet_Wikimediatest

You should not see these errors anymore.

Indeed, thank you.

Dzahn renamed this task from planet.wm.org missing from planet.discovery.wmnet Subject Alternative Name to fix planet.wm.org redirect nitpick (was: missing from planet.discovery.wmnet Subject Alternative Name).Jul 27 2020, 8:45 PM
Dzahn reopened this task as Open.
Dzahn lowered the priority of this task from Medium to Low.

Change 621802 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] planet: fix redirect to meta page, stop appending request URI path

https://gerrit.wikimedia.org/r/621802

Change 621802 merged by Dzahn:
[operations/puppet@production] planet: fix redirect to meta page, stop appending request URI path

https://gerrit.wikimedia.org/r/621802