Bug #3312

gerrit.osmocom.org x509 certificate expires in ~11 days

Added by zecke 6 months ago. Updated 6 months ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: -
Target version: -
Start date: 06/02/2018
Due date:
% Done: 100%
Spec Reference:

Description

Not sure what is the target for renewal but please make sure it is automatically renewed before it becomes invalid.

+ ./check_ssl_certificate -H gerrit.osmocom.org -c 10 -w 28
m=Jun, d=13, h=02, m=56, s=18, y=2018, z=GMT
check_ssl_certificates: WARNING - only 11 day(s) left for this certificate.
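
The warning/critical threshold check shown in the output above, as an added example that is not part of the original ticket or the check_ssl_certificate script. It assumes inclusive thresholds; the example.org hostnames, their expiry dates and the `NOW` timestamp are constructed, and only the gerrit expiry is taken from the output above.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the live certificate's notAfter string (needs network access).
    An already expired certificate fails the handshake with
    ssl.SSLCertVerificationError; a caller should report that as CRITICAL."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    """Whole days from `now` (aware UTC datetime) until notAfter, floored,
    so the value is negative as soon as the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days

def classify(not_after, now, warn=28, crit=10):
    """Map days left to a Nagios-style state. Inclusive thresholds are an
    assumption of this example, not taken from check_ssl_certificate."""
    left = days_left(not_after, now)
    if left <= crit:
        return "CRITICAL", left
    if left <= warn:
        return "WARNING", left
    return "OK", left

def report(inventory, now, warn=28, crit=10):
    """Check every hostname, most urgent first, so a host skipped by
    renewal stands out next to the ones that were renewed."""
    rows = [(host, *classify(na, now, warn, crit)) for host, na in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

# Constructed sample: only the gerrit expiry is from the ticket; the
# example.org entries and the "now" timestamp are made up for illustration.
NOW = datetime(2018, 6, 2, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "renewed.example.org": "Aug 31 00:00:00 2018 GMT",
    "gerrit.osmocom.org": "Jun 13 02:56:18 2018 GMT",
    "expired.example.org": "Jun  1 12:00:00 2018 GMT",
}

if __name__ == "__main__":
    for host, state, left in report(SAMPLE_INVENTORY, NOW):
        print(f"{state:8} {host}: {left} day(s) left")
```

Running the check against every served hostname, rather than one, is what surfaces a name that a renewal job silently skipped.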

History

#1 Updated by zecke 6 months ago

It expires the 13th of June.

#2 Updated by laforge 6 months ago

I think the problem is that we've migrated half of the services to the new
machine, but some remain on the old machine, and we cannot request certificates
for the same hostnames from both machines.

#3 Updated by laforge 6 months ago

  • Status changed from New to Feedback
  • Assignee changed from laforge to zecke
  • Priority changed from Normal to High

Seems like not all related config was migrated, so the cron job starting the container with certbot does nothing.

However, for some strange reason I currently cannot ssh into the old machine (rita) in order to copy the related data.

zecke - did you touch anything? I guess I'll have to reboot the machine if we can no longer log into it?

#4 Updated by zecke 6 months ago

Strange...so SMTP seems to work (at least I got greylisted). I am going to use the Hetzner reboot now.

#5 Updated by zecke 6 months ago

Strange. As SMTP worked but port 40 didn't respond, I wondered if the disk controller hung itself again and rebooted. But the same problem persists. The SYN packets to the ssh port are blackholed.

I am sure that I ssh'ed into the machine after the FreeBSD upgrade. Do you know if someone else touched the pf.conf since then? Could you have a look at the diff of the sshd_config and the pf.conf? Maybe from a month ago to yesterday?

I am offline most of the morning but if we have the diff and know it is a firewall config then I can boot into the rescue system and fix the config.

#6 Updated by laforge 6 months ago

Hi Holger,

thanks for your help.

Given that it's Tuesday, I'll probably not find time until [late] in the afternoon,
but for sure I can check the backups for any changes in pf.conf or sshd_config.

#7 Updated by zecke 6 months ago

Okay. There are too many comments in the pf.conf. I might have commented it out for the gerrit rsync (but I think I did the FreeBSD10.4 upgrade) after that. We should be able to connect from host2.osmocom.org but that doesn't seem to work either. I will reboot to a rescue system at night.

#8 Updated by laforge 6 months ago

  • Priority changed from High to Urgent

I've meanwhile issued new certificates for those domains which have DNS pointing to the new machine. That's basically everything except
  • ftp.osmocom.org (as it's not only port 80/443, but also FTP)
  • lists.osmocom.org (SMTP)
  • osmocom.org (SMTP)

So for gerrit/jenkins/projects/cgit and all the various legacy domains like bb.osmocom.org, valid certificates are installed again. However, the main project domain osmocom.org is still unavailable.

zecke Did you reboot the machine? What was the result?

#9 Updated by laforge 6 months ago

I now changed the DNS zone to make osmocom.org point also to the new host2 IP address. Once zone changes propagate, people should be able to access https://osmocom.org/ with a valid certificate.

#10 Updated by laforge 6 months ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100

Old machine has certificate for lists+ftp only. New machine has cert for everything else.
