Re: [Post Fact FBR] update repoSpanner's SSL cert for pagure01

On Wed, 16 Oct 2019 at 20:55 Stephen John Smoogen <smooge@xxxxxxxxx> wrote:
On Wed, 16 Oct 2019 at 12:41, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> On Wed, Oct 16, 2019 at 10:47:00AM +0200, Pierre-Yves Chibon wrote:
> > Good Morning Everyone,
> >
> > This morning I found out that https://pagure.io/fedora-infrastructure was not
> > available, it was throwing a 500 error on every page/call.
> >
> > I checked the logs and found:
> > GitError: Error performing curl request: (60): Peer certificate cannot be
> > authenticated with given CA certificates
> >
> > The combination of "GitError" and an SSL related error led me to repoSpanner.
> > So with the help of Patrick, we confirmed that the SSL cert for pagure01 was
> > expiring on Oct 15th 2019.
> > We then regenerated that SSL cert.
> >
> > We thought the repospanner playbook was going to redeploy that cert so I ran it,
> > but it did not change anything (both in its run as well as in the symptoms
> > observed).
> >
> > We then found out that this piece is actually part of the pagure.yml playbook,
> > so I ran it with `-t repospanner/server` to limit its effect.
> > Then I restarted httpd, stunnel and repospanner@ansible.service on pagure01.
> > The first two were likely not necessary, the last one was to get the new cert in
> > use.
> >
> > So I would like retro-active approval for my actions since the systems I've
> > touched are frozen.
>
> So a few things:
>
> 1) +1 to the actions... thanks for fixing that!
>

Agreed +1


> 2) we need nagios monitoring those certs, or we need to just tear
> down that cluster if we aren't going to use it (which we are currently
> not).
>

Yep. These are difficult to monitor and build because we don't use
openssl to build them like other certs, but the repospanner command
itself.

Just a note that the difference is purely when generating the certificates.
They’re standard PEM encoded certificates, and you could use OpenSSL for parsing or generating them.



> 3) We could also 'unrepospanner' that repo since we aren't using it
> and put the old one back.
>

Agreed.

> 4) pagure perhaps should gracefully print 'sorry, the repo is not
> available right now due to a repospanner problem' but otherwise work?
>

Might be good also

> For 2 and 3, perhaps we should discuss and decide.
>
> For 4, can you file a pagure bug (if you agree).
>
> kevin
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx



--
Stephen J Smoogen.
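The expiry monitoring Kevin asks for in point 2, as an added example that is not part of this thread and is not Fedora Infrastructure's or repoSpanner's own tooling: because the certs are ordinary PEM (as noted above), a Nagios-style check can parse them with Go's standard crypto/x509 package regardless of which tool generated them. CheckPEMExpiry, SelfSignedPEM, the status constants and the throwaway self-signed sample certificate are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

const StatusOK, StatusWarning, StatusCritical, StatusUnknown = 0, 1, 2, 3 // Nagios exit codes

// CheckPEMExpiry parses every CERTIFICATE block in pemData and returns the Nagios status for
// the soonest-expiring one plus its whole days left from now: expired is CRITICAL, under warnDays is WARNING.
func CheckPEMExpiry(pemData []byte, now time.Time, warnDays int) (int, int, error) {
	status, minDays, found := StatusOK, 0, false
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip keys and other PEM blocks in the same file
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return StatusUnknown, 0, err
		}
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		if !found || days < minDays {
			minDays, found = days, true
		}
		if now.After(cert.NotAfter) { // an already-expired cert is the outage seen on pagure01
			status = StatusCritical
		} else if days < warnDays && status < StatusWarning {
			status = StatusWarning
		}
	}
	if !found { // a file with no cert at all must not report OK
		return StatusUnknown, 0, errors.New("no CERTIFICATE block found")
	}
	return status, minDays, nil
}

// SelfSignedPEM builds a throwaway self-signed cert expiring at notAfter (constructed sample input).
func SelfSignedPEM(notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

In a real check the PEM bytes would be read from the cert path the playbook deploys and the returned status used as the process exit code.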