frickler | ianw: nope, the first way round was correct, cf. https://paste.opendev.org/show/bm93jMfe1HqRFTaWhltY/ where I collected all the logs | 08:02 |
---|---|---|
frickler | 1407: issue => Certificate request issued, renew => unexpected error 1 (some internal LE hiccup probably during cert creation) | 08:03 |
frickler | 1507: issue => Cert generated since the dns-01 from 1407 was still valid => error 0 since driver.sh doesn't handle that case | 08:04 |
frickler | 2707: same thing after renaming the .conf files | 08:04 |
frickler | not sure how long the auth will be valid, I was originally thinking 7d but we're past that already | 08:05 |
frickler | we could either try to rename the key, which should generate a new one and force a re-auth, or just wait a bit more and see when the dns-01 expires, possibly combined with manually cleaning up the auth zone | 08:06 |
frickler | or we could find how to properly make driver.sh and our playbooks around it handle the current situation | 08:07 |
frickler | the "meetpad01.opendev.org is already verified, skip dns-01." is why I think cleaning up records won't help though, since that sounds as if LE doesn't really look at DNS at all in the current status | 08:08 |
frickler | another option might be to add another name into the list to force a re-issue, like meetpad02.opendev.org | 08:09 |
*** gthiemon1e is now known as gthiemonge | 09:52 | |
*** amoralej is now known as amoralej|lunch | 13:09 | |
fungi | well, those servers are still running bionic. if we built jammy replacements the current issue would go away (though we wouldn't have addressed the set of conditions that led to the cert renewal deadlock, so it could conceivably bite us again some time in the future) | 13:13 |
*** amoralej|lunch is now known as amoralej | 13:48 | |
*** gibi is now known as gibi_pto | 16:15 | |
*** promethe- is now known as prometheanfire | 19:05 |