modules/profile/manifests/mail/smarthost.pp: letsencrypt::cert::integrated { $cert_name:
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Andrew | T252199 Stop using letsencrypt::cert::integrated
Resolved | | Andrew | T260834 Stop using letsencrypt::cert::integrated on mx-out*.cloudinfra
Event Timeline
Change 654295 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] profile::mail::smarthost: switch to acme-chief certs
Change 654297 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] profile::mail::smarthost: add acme-chief certs
Change 654297 merged by Andrew Bogott:
[operations/puppet@production] profile::mail::smarthost: add acme-chief certs
Change 654299 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] Add cloudinfra-dns-manager to password_safelist
Change 654299 merged by Andrew Bogott:
[operations/puppet@production] Add cloudinfra-dns-manager to password_safelist
Mentioned in SAL (#wikimedia-cloud) [2021-01-05T12:12:07Z] <arturo> created puppet prefix mx-out and added hiera to use internal puppetmaster (T260834)
Mentioned in SAL (#wikimedia-cloud) [2021-01-05T12:31:43Z] <arturo> refresh acme-chief config for mx certs https://gerrit.wikimedia.org/r/plugins/gitiles/cloud/instance-puppet/+/949f1b4e81f3a1c6d4f4825292343f1ee17c48a1%5E%21/ (T260834)
Change 654415 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: mail: smarthost: drop support for letsencrypt::cert::integrated
Mentioned in SAL (#wikimedia-cloud) [2021-01-05T12:41:12Z] <arturo> live-hacking cloudinfra-internal-puppetmaster02 with https://gerrit.wikimedia.org/r/c/operations/puppet/+/654415 (T260834)
Change 654415 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: mail: smarthost: drop support for letsencrypt::cert::integrated
Although puppet no longer fails in mx-out servers, I see this suspicious error message in the acme-chief server:
```
aborrero@cloudinfra-acme-chief-01:~$ sudo journalctl -u acme-chief.service -f
Jan 05 12:55:32 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Starting main loop...
Jan 05 12:55:48 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Handling new certificate event for mx / rsa-2048
Jan 05 12:55:49 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Triggering DNS zone update...
Jan 05 12:55:49 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Running subprocess ['/usr/local/bin/acme-chief-designate-sync.py', '--remote-servers', '208.80.154.11', '208.80.154.135', '--', '_acme-challenge.mx-out.wmcloud.org', 'xxx', '_acme-challenge.mx-out.wmflabs.org', 'xxx', '_acme-challenge.mx-out01.cloudinfra.eqiad1.wikimedia.cloud', 'xxx', '_acme-challenge.mx-out01.wmcloud.org', 'xxx', '_acme-challenge.mx-out01.wmflabs.org', 'xxx', '_acme-challenge.mx-out02.cloudinfra.eqiad1.wikimedia.cloud', 'xxx, '_acme-challenge.mx-out02.wmcloud.org', 'xxx', '_acme-challenge.mx-out02.wmflabs.org', 'xxx']
Jan 05 12:55:50 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Unexpected return code spawning DNS zone updater: 1
Jan 05 12:55:50 cloudinfra-acme-chief-01 acme-chief-backend[16402]: Failed to perform DNS zone update for certificate mx / rsa-2048
```
The certs were apparently generated:
```
aborrero@cloudinfra-acme-chief-01:~$ sudo ls -l /var/lib/acme-chief/certs/mx/live/
total 56
-rw-r--r-- 1 acme-chief acme-chief    0 Jan  5 12:54 ec-prime256v1.alt.chain.crt
-rw-r--r-- 1 acme-chief acme-chief  473 Jan  5 12:54 ec-prime256v1.alt.chained.crt
-rw-r----- 1 acme-chief acme-chief  700 Jan  5 12:54 ec-prime256v1.alt.chained.crt.key
-rw-r--r-- 1 acme-chief acme-chief    0 Jan  5 12:54 ec-prime256v1.chain.crt
-rw-r--r-- 1 acme-chief acme-chief  473 Jan  5 12:54 ec-prime256v1.chained.crt
-rw-r----- 1 acme-chief acme-chief  700 Jan  5 12:54 ec-prime256v1.chained.crt.key
-rw-r--r-- 1 acme-chief acme-chief  473 Jan  5 12:54 ec-prime256v1.crt
-rw-r----- 1 acme-chief acme-chief  700 Jan  5 12:54 ec-prime256v1.crt.key
-rw-r----- 1 acme-chief acme-chief  227 Jan  5 12:54 ec-prime256v1.key
-rw-r--r-- 1 acme-chief acme-chief    0 Jan  5 12:54 rsa-2048.alt.chain.crt
-rw-r--r-- 1 acme-chief acme-chief 1009 Jan  5 12:54 rsa-2048.alt.chained.crt
-rw-r----- 1 acme-chief acme-chief 2688 Jan  5 12:54 rsa-2048.alt.chained.crt.key
-rw-r--r-- 1 acme-chief acme-chief    0 Jan  5 12:54 rsa-2048.chain.crt
-rw-r--r-- 1 acme-chief acme-chief 1009 Jan  5 12:54 rsa-2048.chained.crt
-rw-r----- 1 acme-chief acme-chief 2688 Jan  5 12:54 rsa-2048.chained.crt.key
-rw-r--r-- 1 acme-chief acme-chief 1009 Jan  5 12:54 rsa-2048.crt
-rw-r----- 1 acme-chief acme-chief 2688 Jan  5 12:54 rsa-2048.crt.key
-rw-r----- 1 acme-chief acme-chief 1679 Jan  5 12:54 rsa-2048.key
```
Change 654295 merged by Andrew Bogott:
[operations/puppet@production] profile::mail::smarthost: switch to acme-chief certs
acme-chief has a problem when interacting with designate. All generated certs are "snakeoil".
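The two symptoms in this thread (the "Failed to perform DNS zone update" journal line and the 0-byte `*.chain.crt` files next to placeholder certs) can be caught by a small check. The following is an added example written for this task, not code from acme-chief or from the operations/puppet repository; it assumes the journal wording quoted above and treats an empty chain file as the sign of a placeholder cert, which is a heuristic, not documented acme-chief behaviour. The journal lines and directory contents it uses are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# Journal message acme-chief logged when the designate sync subprocess failed
# (wording from the cloudinfra-acme-chief-01 excerpt in this task).
CERT_FAIL = re.compile(r"Failed to perform DNS zone update for certificate (\S+) / (\S+)")

# Constructed sample lines modelled on that excerpt.
SAMPLE_JOURNAL = [
    "Jan 05 12:55:48 host acme-chief-backend[16402]: Handling new certificate event for mx / rsa-2048",
    "Jan 05 12:55:50 host acme-chief-backend[16402]: Unexpected return code spawning DNS zone updater: 1",
    "Jan 05 12:55:50 host acme-chief-backend[16402]: Failed to perform DNS zone update for certificate mx / rsa-2048",
]


def dns_update_failures(journal_lines):
    """Return (certificate, key_type) pairs whose DNS-01 challenge could not be
    published; acme-chief keeps serving a placeholder cert for those names."""
    return [m.groups() for m in map(CERT_FAIL.search, journal_lines) if m]


def audit_live_dir(live_dir):
    """Audit one /var/lib/acme-chief/certs/<name>/live directory.

    Heuristics (assumed, not from acme-chief docs): an empty *.chain.crt means
    no CA chain was ever obtained, so the matching leaf is still a placeholder;
    a private key readable by 'other' is a problem regardless of cert state."""
    problems = []
    for path in sorted(Path(live_dir).iterdir()):
        st = path.stat()
        if path.name.endswith("chain.crt") and st.st_size == 0:
            problems.append(f"{path.name}: empty CA chain (placeholder cert?)")
        if path.name.endswith(".key") and st.st_mode & stat.S_IROTH:
            problems.append(f"{path.name}: private key is world-readable")
    return problems


def audit_constructed_sample():
    """Build a constructed copy of the listing from this task (empty chain files,
    0640 keys) plus one deliberately world-readable key, and audit it."""
    root = Path(tempfile.mkdtemp())
    for key_type in ("ec-prime256v1", "rsa-2048"):
        (root / f"{key_type}.chain.crt").write_bytes(b"")
        (root / f"{key_type}.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\n")
        key = root / f"{key_type}.key"
        key.write_bytes(b"-----BEGIN PRIVATE KEY-----\n")
        key.chmod(0o640)
    leaked = root / "leaked.key"  # constructed, not in the original listing
    leaked.write_bytes(b"-----BEGIN PRIVATE KEY-----\n")
    leaked.chmod(0o644)
    return audit_live_dir(root)
```

Running `audit_live_dir` against the real `mx/live` directory from the listing above would flag all four empty `*.chain.crt` files while leaving the `0640` keys alone.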