Bug #3312
gerrit.osmocom.org x509 certificate expires in ~11 days
100%
Description
Not sure what is the target for renewal but please make sure it is automatically renewed before it becomes invalid.
+ ./check_ssl_certificate -H gerrit.osmocom.org -c 10 -w 28 m=Jun, d=13, h=02, m=56, s=18, y=2018, z=GMT check_ssl_certificates: WARNING - only 11 day(s) left for this certificate.
History
#2 Updated by laforge over 1 year ago
I think the problem is that we've migrated half of the services to the new
machine, but some remain on the old machine, and we cannot request certificates
for the same hostnames from both machine.
#3 Updated by laforge over 1 year ago
- Status changed from New to Feedback
- Assignee changed from laforge to zecke
- Priority changed from Normal to High
seems like not all related config was migrated, so the cron job starting the container with certbot does nothing.
Hoever, for some strange reason I currently cannot ssh into the old machine (rita) in order to copy the related data.
zecke - did you touch anything? I guess I'll have to reboot the machine if we can no longer log into it?
#4 Updated by zecke over 1 year ago
Strange...so SMTP seems to work (at least I got greylisted). I am going to use the hetzner reboot now.
#5 Updated by zecke over 1 year ago
Strange. As SMTP worked but port 40 didn't respond.. I wondered if the disk controller hanged itself again and rebooted. But the same problem persists. The SYN packets to the ssh port are blackholed.
I am sure that I ssh'ed into the machine after the FreeBSD upgrade. Do you know if someone else touched the pf.conf since then? Could you have a look at the diff of the sshd_config and the pf.conf? Maybe from a month ago to yesterday?
I am offline most of the morning but if we have the diff and know it is a firewall config then I can boot into the rescue system and fix the config.
#6 Updated by laforge over 1 year ago
Hi Holger,
thanks for your help.
given that it's tuesday, I'll probably not find time until [late] in the afternoon,
but for sure I can check the backups for any changes in pf.conf or sshd_config.
#7 Updated by zecke over 1 year ago
Okay. There are too many comments in the pf.conf. I might have commented it out for the gerrit rsync (but I think I did the FreeBSD10.4 upgrade) after that. We should be able to connect from host2.osmocom.org but that doesn't seem to work wither. I will reboot to a rescue system at night.
#8 Updated by laforge over 1 year ago
- Priority changed from High to Urgent
- ftp.osmocom.org (as it's not only port 80/443, but also FTP)
- lists.osmocom.org (SMTP)
- osmocom.org (SMTP)
so for gerrit/jenkins/projects/cgit and all the various legacy domains like bb.osmocom.org, valid certificates are installed again. However, the main project domai n osmocom.org is still unavailable.
zecke Did you reboot the machine? What was the result?
#9 Updated by laforge over 1 year ago
I now changed the dns zone to make osmocom.org point also to the new host2 IP address. Once zone changes propagate, people should be able to access https://osmocom.org/ with a valid certificate.
#10 Updated by laforge over 1 year ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
old machine has certificate for lists+ftp only. New machine has cert for everything else.
