Page MenuHomePhabricator
Create Task
Maniphest T271808

The certificate for upload.beta.wmflabs.org expired on January 12, 2021.
Closed, ResolvedPublic
Actions

Description

https://upload.beta.wmflabs.org/wikipedia/commons/thumb/a/a4/2014-06-18_Rheinwerk_1.jpg/120px-2014-06-18_Rheinwerk_1.jpg

Expected behavior: Being able to connect to the domain with a non-expired certificate
What happen instead: I can connect to the domain, but have to accept the expired certificate first.

Reminds me of T267858.

Related Objects

Event Timeline

AlexisJazz created this task.Tue, Jan 12, 12:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptTue, Jan 12, 12:44 PM
AlexisJazz updated the task description. (Show Details)Tue, Jan 12, 12:45 PM
RhinosF1 added a subscriber: RhinosF1.Tue, Jan 12, 12:59 PM

Certificates last 3 months so probably similar issues

Vgutierrez added a subscriber: Vgutierrez.Tue, Jan 12, 1:32 PM
root@deployment-cache-upload06:/etc/acmecerts/unified/live# openssl x509 -dates -noout -in rsa-2048.crt
notBefore=Jan 12 01:23:09 2021 GMT
notAfter=Apr 12 01:23:09 2021 GMT
root@deployment-cache-upload06:/etc/acmecerts/unified/live# touch /srv/trafficserver/tls/etc/ssl_multicert.config
root@deployment-cache-upload06:/etc/acmecerts/unified/live# systemctl reload trafficserver-tls.service

It should be up & running now.. I'm not really familiar with the cloud puppetization but this doesn't mimic production behaviour

RhinosF1 closed this task as Resolved.Tue, Jan 12, 1:33 PM
RhinosF1 assigned this task to Vgutierrez.

Fixed per discussion on #wikimedia-traffic at least for another 90 days.

RhinosF1 added a comment.Tue, Jan 12, 1:33 PM

But yeah I guess this should be fixed/monitored better so it doesn't need manual reload.

Aklapper added a comment.Wed, Jan 13, 10:30 AM
In T271808#6739592, @RhinosF1 wrote:

But yeah I guess this should be fixed/monitored better so it doesn't need manual reload.

Is that worth a dedicated followup ticket under observability and Beta-Cluster-Infrastructure ?

RhinosF1 added a comment.Wed, Jan 13, 10:43 AM
In T271808#6742982, @Aklapper wrote:
In T271808#6739592, @RhinosF1 wrote:

But yeah I guess this should be fixed/monitored better so it doesn't need manual reload.

Is that worth a dedicated followup ticket under observability and Beta-Cluster-Infrastructure ?

I'd say yes.

Krenair added a comment.EditedThu, Jan 14, 12:31 AM
In T271808#6739578, @Vgutierrez wrote:
root@deployment-cache-upload06:/etc/acmecerts/unified/live# openssl x509 -dates -noout -in rsa-2048.crt
notBefore=Jan 12 01:23:09 2021 GMT
notAfter=Apr 12 01:23:09 2021 GMT
root@deployment-cache-upload06:/etc/acmecerts/unified/live# touch /srv/trafficserver/tls/etc/ssl_multicert.config
root@deployment-cache-upload06:/etc/acmecerts/unified/live# systemctl reload trafficserver-tls.service

It should be up & running now.. I'm not really familiar with the cloud puppetization but this doesn't mimic production behaviour

It should be roughly the same, we may have some differing hieradata.

In T271808#6743014, @RhinosF1 wrote:
In T271808#6742982, @Aklapper wrote:
In T271808#6739592, @RhinosF1 wrote:

But yeah I guess this should be fixed/monitored better so it doesn't need manual reload.

Is that worth a dedicated followup ticket under observability and Beta-Cluster-Infrastructure ?

I'd say yes.

We have T271778, which missed the upload part but does basically include this issue as the second bullet point.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL