renew ssl certificate for iddev #9530

New issue

Closed

opened 2020-12-14 10:37:04 +00:00 by suanand · 6 comments

suanand commented 2020-12-14 10:37:04 +00:00

Copy link

Describe what you would like us to do:

---

Kindly renew SSL certificate at iddev.fedorainfracloud.org

Exception: HTTPSConnectionPool(host='iddev.fedorainfracloud.org', port=443): Max retries exceeded with url: /openidc/Token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1122)')))

When do you need this to be done by? (YYYY/MM/DD)

---

2020/12/31

# Describe what you would like us to do: ---- Kindly renew SSL certificate at **iddev.fedorainfracloud.org** ``` Exception: HTTPSConnectionPool(host='iddev.fedorainfracloud.org', port=443): Max retries exceeded with url: /openidc/Token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1122)'))) ``` # When do you need this to be done by? (YYYY/MM/DD) ---- 2020/12/31

smooge commented 2020-12-14 12:28:42 +00:00

Copy link

We only give power/ping to this system. I don't see that we set up letsencrypt for the server so it was done by the admins of the box.

What I have done:
0. Checked playbooks to see if iddev was using certgetter for certs. (No)

1. Checked certgetter01 just in case the certs were there.
2. logged into iddev to see what was going on.
3. run yum update (this does not seem to have been done in a long time)
4. ran systemctl status certbot-renew.service

This gave the error

-- Subject: Unit certbot-renew.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit certbot-renew.service has begun starting up.
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Processing /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Cert is due for renewal, auto-renewing...
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Plugins selected: Authenticator standalone, Installer None
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Renewing an existing certificate
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Performing the following challenges:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: http-01 challenge for iddev.fedorainfracloud.org
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Cleaning up challenges
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Attempting to renew cert (iddev.fedorainfracloud.org) from /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf produced an une
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure)

Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure)
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: 1 renew failure(s), 0 parse failure(s)
Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: certbot-renew.service: main process exited, code=exited, status=1/FAILURE
Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: Failed to start This service automatically renews any certbot certificates found.

We only give power/ping to this system. I don't see that we set up letsencrypt for the server so it was done by the admins of the box. What I have done: 0. Checked playbooks to see if iddev was using certgetter for certs. (No) 1. Checked certgetter01 just in case the certs were there. 2. logged into iddev to see what was going on. 3. run yum update (this does not seem to have been done in a long time) 4. ran ```systemctl status certbot-renew.service``` This gave the error ``` -- Subject: Unit certbot-renew.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit certbot-renew.service has begun starting up. Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Saving debug log to /var/log/letsencrypt/letsencrypt.log Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Processing /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Cert is due for renewal, auto-renewing... Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Plugins selected: Authenticator standalone, Installer None Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Renewing an existing certificate Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Performing the following challenges: Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: http-01 challenge for iddev.fedorainfracloud.org Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Cleaning up challenges Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Attempting to renew cert (iddev.fedorainfracloud.org) from /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf produced an une Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed: Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure) ``` Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed: Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure) Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: 1 renew failure(s), 0 parse failure(s) Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: certbot-renew.service: main process exited, code=exited, status=1/FAILURE Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: Failed to start This service automatically renews any certbot certificates found. ```

smooge commented 2020-12-14 12:28:43 +00:00

Copy link

Metadata Update from @smooge:

• Issue assigned to smooge
• Issue tagged with: cloud, low-gain, medium-trouble, ops

**Metadata Update from @smooge**: - Issue assigned to smooge - Issue tagged with: cloud, low-gain, medium-trouble, ops

smooge commented 2020-12-14 12:30:50 +00:00

Copy link

I found that I needed to stop apache

[root@iddev ~][PROD]# systemctl stop httpd
[root@iddev ~][PROD]# /usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew --force-renewal --standalone

and this updated the certs. I have restarted apache. I believe that the scripts for certbot have updated and the system owner will need to make changes in their configurations.

I found that I needed to stop apache ``` [root@iddev ~][PROD]# systemctl stop httpd [root@iddev ~][PROD]# /usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew --force-renewal --standalone ``` and this updated the certs. I have restarted apache. I believe that the scripts for certbot have updated and the system owner will need to make changes in their configurations.

smooge commented 2020-12-14 12:30:50 +00:00

Copy link

Metadata Update from @smooge:

• Issue close_status updated to: Fixed
• Issue status updated to: Closed (was: Open)

**Metadata Update from @smooge**: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)

smooge commented 2020-12-14 19:03:29 +00:00

Copy link

Metadata Update from @smooge:

• Issue priority set to: Waiting on Assignee (was: Needs Review)

**Metadata Update from @smooge**: - Issue priority set to: Waiting on Assignee (was: Needs Review)

suanand commented 2020-12-15 05:34:18 +00:00

Author

Copy link

works for me now; thanks!

works for me now; thanks!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels   

announcement

  

authentication

Authentication related issues

  

automate

  

aws

Issues related to Amazon Web Services

  

backlog

Tasks that will take longer then ~4 hours to do

  

blocked

Issue is blocked

  

bodhi

Issues with Bodhi

  

ci

Continuous Integration

  

Closed As

Duplicate

Closed with the reason of Duplicate

  

Closed As

Fixed

Closed with the reason of Fixed

  

Closed As

Fixed with Explanation

Closed with the reason of Fixed with Explanation

  

Closed As

Initiative Worthy

Closed with the reason of Initiative Worthy

  

Closed As

Insufficient data

Closed with the reason of Insufficient data

  

Closed As

Invalid

Closed with the reason of Invalid

  

Closed As

Spam

Closed with the reason of Spam

  

Closed As

Upstream

Closed with the reason of Upstream

  

Closed As/Will Not

Can Not fix

Closed with the reason of Will Not/Can Not fix

  

cloud

Items in FedoraInfraCloud or COmmunishift

  

communishift

issues/questions about os.edorainfracloud.org ( Community OpenShift)

  

copr

COPR system (run by other team)

  

database

Issues related to databases

  

deprecated

Tools which Infrastructure may not be able to fix

  

dev

Tasks requiring some dev work

  

discourse

outsourced tool

  

dns

Changes or problems with DNS

  

downloads

rsync,dl.fp.o,AWS,torrents

  

easyfix

  

epel

Issues relating to epel

  

factory2

Generic issues for the factory2 team

  

firmitas

  

gitlab

  

greenwave

Issues with greenwave

  

hardware

Problem is with Fedora Infrastructure Owned/Leased Hardware

  

help wanted

  

high-gain

task that gets us a lot / is important / makes many people happy

  

high-trouble

task that is complex/long/difficult

  

iad2

Something to do with the iad2 datacenter

  

koji

Issues with the build system

  

koschei

Items needing Koschei team

  

lists

issues with lists

  

low-gain

tasks that gets us little / isn't very important / makes only 1 person or few happy

  

low-trouble

task that is easy/short

  

mbs

Issues with mbs.fedoraproject.org

  

medium-gain

task that gets us some / is somewhat important / makes some people happy

  

medium-trouble

task that is medium complex / difficult

  

mini-initiative

Something that is bigger than one person but not a full initiative

  

mirrorlists

Way to tell systems where downloads are

  

monitoring

  

Needs investigation

  

notifier

  

odcs

On Demand Compose Service issues

  

OpenShift

Issues with OpenShift

  

ops

ops problem now...

  

OSBS

OpenShift Build System issues in Fedora

  

outage

  

packager_workflow_blocker

Blocks the packager workflow

  

pagure

Issues with pagure.io

  

permissions

Items which need permissions set in outside tools

  

Priority

Needs Review

Priority of Needs Review

  

Priority

Next Meeting

Priority of Next Meeting

  

Priority

🔥 URGENT 🔥

Priority of 🔥 URGENT 🔥

  

Priority

Waiting on Assignee

Priority of Waiting on Assignee

  

Priority

Waiting on External

Priority of Waiting on External

  

Priority

Waiting on Reporter

Priority of Waiting on Reporter

  

rabbitmq

issues with the message broker

  

rdu-cc

Items doing with RDU Community Cage

  

release-monitoring

release-monitoring.org (Anitya)

  

releng

For problems which should be in the releng ticket system

  

repoSpanner

Issues with repoSpanner

  

request-for-resources

  

s390x

The secondary architecture hardware and problems related with it

  

security

  

SMTP

Email issues outside of lists (DMARC, SPF, aliases)

  

src.fp.o

Issues related to src.fedoraproject.org

  

staging

Issues in staging

  

taiga

outsourced tool

  

unfreeze

Patches to be applied after freeze is lifted

  

waiverdb

Issues with waiverdb

  

websites-general

General items with a website focus

  

wiki

Issues with the Wiki

No labels

announcement

authentication

automate

aws

backlog

blocked

bodhi

ci

Closed As

Duplicate

Closed As

Fixed

Closed As

Fixed with Explanation

Closed As

Initiative Worthy

Closed As

Insufficient data

Closed As

Invalid

Closed As

Spam

Closed As

Upstream

Closed As/Will Not

Can Not fix

cloud

communishift

copr

database

deprecated

dev

discourse

dns

downloads

easyfix

epel

factory2

firmitas

gitlab

greenwave

hardware

help wanted

high-gain

high-trouble

iad2

koji

koschei

lists

low-gain

low-trouble

mbs

medium-gain

medium-trouble

mini-initiative

mirrorlists

monitoring

Needs investigation

notifier

odcs

OpenShift

ops

OSBS

outage

packager_workflow_blocker

pagure

permissions

Priority

Needs Review

Priority

Next Meeting

Priority

🔥 URGENT 🔥

Priority

Waiting on Assignee

Priority

Waiting on External

Priority

Waiting on Reporter

rabbitmq

rdu-cc

release-monitoring

releng

repoSpanner

request-for-resources

s390x

security

SMTP

src.fp.o

staging

taiga

unfreeze

waiverdb

websites-general

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Infrastructure/fedora-infrastructure#9530

No description provided.