Thursday, 2023-07-27

opendevreviewJeremy Stanley proposed opendev/system-config master: Use magic domain guessing in Mailman 3
opendevreviewJeremy Stanley proposed opendev/system-config master: Upgrade to latest Mailman 3 releases
opendevreviewJeremy Stanley proposed opendev/system-config master: Use magic domain guessing in Mailman 3
opendevreviewJeremy Stanley proposed opendev/system-config master: Upgrade to latest Mailman 3 releases
fricklerfungi: ianw: has again ended with "Unknown failure: 0" and /var/jitsi-meet/web/keys/cert.crt hasn't been updated. maybe this is related somehow to bionic being EOL? I would suggest to update the target cert file manually for now and maybe we can get the host updated before it expires again07:20
ianwhrm ...07:21
ianwPING (2001:4800:7819:104:be76:4eff:fe04:892f)) 56 data bytes07:23
ianw12 packets transmitted, 0 received, 100% packet loss, time 11247ms07:23
ianwmight be something dodgy with my ipv6 ... it works on ipv407:24
ianw[Thu Jul 27 02:46:58 UTC 2023] And the full chain certs is there: /etc/letsencrypt-certs/
ianwUnknown failure: 007:24
ianwindeed 07:24
fricklerworks fine for me, ssh even chose v6 by default07:24
ianwis that the driver or
fricklerthat's a good question07:25
ianwthe driver07:26
ianwthat interesting, the driver is basically handling two cases -- there's alread a cert (2) or there is no cert, and it has to issue one (3)07:27
ianwafter the issue, it should have to retry07:28
ianw"Thu Jul 27 02:46:57 UTC 2023] is already verified, skip dns-01."07:28
ianwhrm, is there already a valid dns auth?!  so basically it's not spitting out the "put this key into DNS for us to verify the domain"07:29
frickleryes, that's what I noted earlier for the first re-issue on 14th or so07:29
fricklerthe first attempt succeeded at dns auth, but failed to issue the cert after that07:30
fricklerand LE caches that dns auth success for some time07:30
ianwthere is ... dig TXT _acme-challenge.meetpad.opendev.org07:31
ianwright ... so the driver script (or, really, me who wrote that :) does not expect that07:31
ianwwe could either add a match for 0, which indicates we already have valid DNS auth tokens, or purge the _acme-challenge records (actually CNAMED to and try again07:32
fricklerI don't think the latter will remove the valid state on the LE side07:33
*** tobias-urdin-pto is now known as tobias-urdin07:34
ianwhrm, i feel like it must be checking incase the domain changed hands?  i don't know though07:34
*** amoralej is now known as amoralej|lunch11:04
*** amoralej|lunch is now known as amoralej12:40
fungimithr: anyone what?16:15
fungidid you need something?16:15
mithrumm no, this is my first time here so trying to find someone who can explain the structure of the keystone file structure more easily16:21
mithras in project structure*16:22
fungilooks like mithr left before i got back to the keyboard, but if they return (or are reading the web log for this channel), a pointer to the #openstack-keystone channel or the mailing list would be in order16:37
*** cloudnull4 is now known as cloudnull17:58
fricklerianw: I don't understand the difference between "issue" and "renew", in the latter case rc=0 seems to be handled properly, maybe just copy that?
Clark[m]frickler: I think issue is the very first cert issue with a new key. Renew is making a new cert for an existing key. Possibly just a new cert for a domain LE has previously issued a cert for.20:18
*** elodilles is now known as elodilles_pto20:35
Clark[m]fungi: any info yet on whether or not the lp bug update problem has been corrected with the image update?21:36
fungiClark[m]: i haven't heard, though i did reply to the starlingx-discuss ml thread about it21:39
ianwi think the way the terms are used in "issue" is the first request to either get back "no cert needed" or "time to renew (or a new cert) ... here's the TXT records to put in"21:55
ianwand then the renew is the second step, after we've been off and put in the TXT records and flushed them live, which tells LE "we're ready to go now"21:56 *really* wants to do this all in one step -- putting in the records via a DNS API -- which i guess is what many people want.  so it makes it a bit painful with the long --yes-i-really-want-this flag21:56
ianwwhat this does *not* handle is "time to renew, but hang on it looks like the TXT records are already OK, so here's your cert" (i.e. exit 0, afaics)21:57
ianwi was thinking about that, it seems to be a corner case of the prior cert issue being done successfully (thus TXT records in *and* us not having renewed any other certificates in between -- i.e. nothing else has come along and re-written the domain21:59
ianwthat domain is "ephemeral" in the sense that it's only good for one run of the system-config job.  but we don't flush it out at the end, either -- we just leave it until the next time we need to put TXT records in21:59
ianwbtw i have that initial comment 100% backwards.  "renew" is the first step.  "issue" is the second step (and only happens if renew says we need a new cert)22:13

Generated by 2.17.3 by Marius Gedminas - find it at!