Page MenuHomePhabricator
Create Task
Maniphest T271778

Issues with acme-chief cert rotation on deployment-prep, 2021-01-12
Open, Needs TriagePublic
Actions

Description

Your certificate (or certificates) for the names listed below will expire in 10 days (on 12 Jan 21 06:00 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

[...]
*.wikibooks.beta.wmflabs.org
*.wikimedia.beta.wmflabs.org
*.wikinews.beta.wmflabs.org
*.wikipedia.beta.wmflabs.org
*.wikiquote.beta.wmflabs.org
*.wikisource.beta.wmflabs.org
*.wikiversity.beta.wmflabs.org
*.wikivoyage.beta.wmflabs.org
*.wiktionary.beta.wmflabs.org
etc.

12th January arrived and it was still old so I went to take a look.

I found:

  • acme-chief on deployment-acme-chief03 had not begun to create a new certificate. It still seemed quite content with version 0d829dc82393450fa34fabd837364efa, with the usual hourly reloading. At around 02:22 I found and killed the acme-chief-backend process, which caused it to get restarted and it produced sudden activity, issuing the new cert as version 1c321ac6da0c4103bf630165d91bca2c. Why was this necessary?
  • After this, puppet on deployment-cache-text06 happily updated its local files in /etc/acmecerts, but ATS was still serving the old versions. I had to service trafficserver-tls restart to get it to load new certs from disk.

Related Objects

Event Timeline

Krenair created this task.Jan 12 2021, 2:34 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2021, 2:34 AM
Krenair updated the task description. (Show Details)Jan 12 2021, 2:34 AM
Krenair added a comment.Jan 12 2021, 2:37 AM

re acme-chief part: It looks like the same thing happened to the mx and wikibase certs too. Haven't checked those updated on the machines that serve them.
Also spotted various prod ncredir certs in /etc/acme-chief/config.yaml that can't be doing any good.

Krenair mentioned this in T271808: The certificate for upload.beta.wmflabs.org expired on January 12, 2021..Jan 14 2021, 12:31 AM
taavi subscribed.Jan 14 2021, 6:10 AM
AlexisJazz subscribed.Jan 14 2021, 10:36 AM

No relation with T267561?

Krenair added a comment.Jan 14 2021, 1:27 PM

Unlikely

AlexisJazz added a comment.Jan 14 2021, 11:00 PM
In T271778#6747588, @Krenair wrote:

Unlikely

I was asking because T267006#6624466 (deployment-cache-upload06 is upload.beta.wmflabs.org I think?) and the problems started I think around T267858. But could be just coincidence.

Krenair added a comment.Jan 17 2021, 7:33 PM
In T271778#6749717, @AlexisJazz wrote:
In T271778#6747588, @Krenair wrote:

Unlikely

I was asking because T267006#6624466 (deployment-cache-upload06 is upload.beta.wmflabs.org I think?) and the problems started I think around T267858. But could be just coincidence.

This isn't about varnish, this is about acme-chief and the interaction between our puppet manifests and ATS

Bstorm mentioned this in T282264: Monitor certificate validity for Cloud VPS.May 7 2021, 6:35 PM
Samwilson subscribed.Aug 11 2021, 11:17 PM

Looks like *.wikimedia.beta.wmflabs.org expired again, on Tue, 10 Aug 2021 01:01:19 GMT.

Platonides subscribed.Aug 11 2021, 11:27 PM

It doesn't seem. It is serving a non-expired certificate generated on July:
Not Before: 7/11/2021
Not After: 10/9/2021

Samwilson added a comment.Aug 12 2021, 12:03 AM

Does https://upload.wikimedia.beta.wmflabs.org/ work for you?

RhinosF1 mentioned this in T293070: upload.wikimedia.beta.wmflabs.org certificate expired (October 2021).Oct 12 2021, 12:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits