Project

General

Profile

Actions
Copy link

action #134522

closed

[alert] Certificate renewal on monitor.qa.suse.de might not be working causing alerts size:M

Added by mkittler over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Urgent
Assignee:
nicksinger
Category:
-
Target version:
openQA Project (public) - Ready
Start date:
2023-08-23
Due date:
2023-09-07
% Done:

0%

Estimated time:
Tags:
alert, infra

Description

Observation

According to https://stats.openqa-monitor.qa.suse.de/d/E9tyiQ17k/ssl-certificate-alerts?orgId=1 the SAN validity of the certificate on monitor.qa.suse.de is going to expire in less than 5 days. I've checked the certificate via martchus@monitor:~> sudo openssl x509 -noout -text -in /etc/dehydrated/certs/monitor.qa.suse.de/fullchain.pem and it is indeed going to expire on Aug 28 22:23:02 2023 GMT. Firefox tells me the same if I access https://stats.openqa-monitor.qa.suse.de.

The dehydrated timer was executed successfuly but a manual run of dehydrated --cron shows that dehydrated just hangs.

Acceptance Criteria

  • AC1: A new certificate is known to be avaialble and used
  • AC2: It is understood what the cause was and how to avoid it next time

Suggestions

  • Check why the certificate expiration is not renewed to be higher than 5 days, e.g. problems with dehydrated.service.
  • Understand why dehydrated hangs and does not produce a new certificate
  • Check if we can make the issue (whatever it is) better visible or workaround automatically in the future

Related issues 2 (1 open1 closed)

Related to openQA Infrastructure (public) - action #134819: Errors in salt minion and master log on osdNew2023-08-30

Actions
Copied to openQA Infrastructure (public) - action #167458: openqa.oqa.prg2.suse.org SAN validity alertResolvednicksinger

Actions
Actions
Copy link

Also available in: Atom PDF