Validity
Not Before: Thu, 30 Jul 2020 00:00:00 GMT
Not After: Fri, 07 Oct 2022 12:00:00 GMT
Thanks. The people who can renew or order a new certificate are on PTO currently.
Metadata Update from @smooge: - Issue tagged with: high-gain, high-trouble, security
I am working on getting a temporary fix in place.
Metadata Update from @nb: - Issue assigned to nb
I generated a Let's Encrypt wildcard cert as a temporary fix - since I can't renew/order the normal DigiCert certs. I put it in place on the server and the server is back up for now.
Excellent, thanks!
The certificate for https://pkgs.fedoraproject.org/ also expired.
Not After: Sun, 09 Oct 2022 08:52:12 GMT
Could you please replace it as well?
I accidentally filed a ticket under releng: https://pagure.io/releng/issue/11076
But it needs to be fixed :(
The cert was actually deployed but httpd hadn't picked it up for some reason. Should be fixed now.
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review)
Is it possible to avoid this happening in future with auto-renewal or something? When it happened, a whole bunch of openQA tests failed, as we use fedorapeople.org as a handy place we can keep little files the tests need to download...
Yes. As a first cut I have added nagios checks for fedorapeople and a few other domains in https://pagure.io/fedora-infra/ansible/pull-request/1228
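As an added illustration of the kind of check mentioned above (this is example code written for this page, not the fedora-infra ansible playbook nor the check in the linked pull request): a Nagios-style plugin that parses a certificate's "Not After" date in either the layout quoted in this ticket or the layout `ssl.getpeercert()` returns, computes days remaining against warning and critical thresholds, and, when run against a live host, treats a handshake that fails verification as CRITICAL rather than UNKNOWN, because an already-expired chain is refused by a verifying TLS context before the expiry date can even be read. Thresholds, host names and the sample dates (taken from this ticket) are assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style TLS certificate expiry check (added example, not fedora-infra code)."""
import argparse
import socket
import ssl
import sys
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = ("OK", "WARNING", "CRITICAL", "UNKNOWN")


def parse_not_after(value: str) -> datetime:
    """Parse a 'Not After' timestamp into an aware UTC datetime.

    Accepts the RFC 1123 layout quoted in the ticket ('Fri, 07 Oct 2022 12:00:00 GMT')
    and the OpenSSL layout from ssl.SSLSocket.getpeercert()['notAfter']
    ('Oct  7 12:00:00 2022 GMT').
    """
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        # email.utils rejected it; cert_time_to_seconds knows the OpenSSL layout.
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def check_expiry(not_after: str, now: datetime, warn_days: int = 30, crit_days: int = 7):
    """Return (state, days_left). An expired certificate is always CRITICAL."""
    days_left = (parse_not_after(not_after) - now).total_seconds() / 86400.0
    if days_left <= 0 or days_left < crit_days:
        return CRITICAL, days_left
    if days_left < warn_days:
        return WARNING, days_left
    return OK, days_left


def format_line(host: str, state: int, days_left: float) -> str:
    """Render the one-line Nagios plugin output."""
    if days_left <= 0:
        return f"CERT {STATE_NAMES[state]} - {host} expired {-days_left:.1f} days ago"
    return f"CERT {STATE_NAMES[state]} - {host} expires in {days_left:.1f} days"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate's notAfter over a verifying TLS connection with SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443, warn_days: int = 30, crit_days: int = 7, now=None):
    """Run the check against a live host. Returns (state, message).

    A verifying context refuses an already-expired chain during the handshake,
    which is exactly the condition in this ticket, so that failure is reported
    as CRITICAL (the cert is unusable) rather than UNKNOWN (the check broke).
    """
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        return CRITICAL, f"CERT CRITICAL - {host}: verification failed ({exc.verify_message})"
    except OSError as exc:  # DNS, connect, timeout and other TLS errors
        return UNKNOWN, f"CERT UNKNOWN - {host}: {exc}"
    state, days_left = check_expiry(not_after, now, warn_days, crit_days)
    return state, format_line(host, state, days_left)


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description="Nagios-style TLS certificate expiry check")
    p.add_argument("host")
    p.add_argument("--port", type=int, default=443)
    p.add_argument("--warn", type=int, default=30, help="warning threshold in days")
    p.add_argument("--crit", type=int, default=7, help="critical threshold in days")
    args = p.parse_args(argv)
    state, message = check_host(args.host, args.port, args.warn, args.crit)
    print(message)
    return state


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `check_tls_expiry.py fedorapeople.org --warn 30 --crit 7`; the exit status is the Nagios state. Checking the leaf certificate served on port 443 is deliberate: in this ticket the renewed certificate for pkgs.fedoraproject.org had been deployed on disk but httpd had not reloaded it, so a check that only inspects the file on disk would have stayed green while clients were still being served the expired one.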
What about the DNS setup prevents having automatically renewing Let's Encrypt certificates using certbot or acme.sh or some other tool?
Our DNS is managed by us, using a setup where updates are made to a git repo and the nameservers all pull from that git repo to update. There's no certbot or tool integration to this setup; we would have to make it or re-work how our DNS is set up, or (most likely) delegate to a service that does have a plugin. It's possible to make work, we simply haven't done it yet. In the past we didn't need wildcards from Let's Encrypt (or they didn't offer them yet) and so we set up a system that works with HTTP challenges. Those do work automatically via our ansible playbooks; it's just DNS / wildcard ones that currently do not. Hope that makes sense.
This popped up right after break. I updated the certs and it should need redoing in late March.
I've set up a nagios check to make sure we don't let this expire.
And for now I am just using Let's Encrypt. When we redo our DNS setup we will see about handling this more automatically.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)