Infrastructure / INFRA-2685

Expired SSL cert pkg.jenkins.io

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: etc
    • Labels:
      None
      Description

      The SSL cert for https://pkg.jenkins.io has expired again, please renew.

      BTW: That wouldn't have happened if LetsEncrypt certs were used, because their "certbot" renews them automatically.

            Activity

            olblak Olivier Vernin added a comment -

            To solve this issue:

            • Update Fastly configuration to use the backend pkg.origin.jenkins.io instead of pkg.jenkins.io
            • Add Apache configuration for pkg.origin.jenkins.io
            • Update the Let's Encrypt API used in /etc/letsencrypt/cli.ini
            • Run `certbot run --apache`
            olblak Olivier Vernin added a comment -

            Thanks for reporting this, we'll try to look at it as soon as we can.

            > BTW: That wouldn't have happened if LetsEncrypt certs were used, because their "certbot" renews them automatically.

            We do, but there are multiple problems here. While Fastly correctly renews the pkg.jenkins.io certificate at its level, the backend still uses the `pkg.jenkins.io` endpoint, and that certificate can't be renewed as it doesn't pass the HTTP check now that `pkg.jenkins.io` redirects to Fastly.
            I update the backend to use pkg.origin.jenkins.io instead of pkg.jenkins.io.

            The second issue is that the certbot version installed on pkg.origin.jenkins.io is quite old and needs to be upgraded, as it relies on the ACME API v1 and we can't request a new certificate for pkg.origin.jenkins.io.
            https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-unauthenticated-resource-gets/74380

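The comments above describe a certificate on the origin hostname lapsing while the CDN-facing name kept renewing. One way to catch that ahead of time is to check expiry on both names separately. This is an added example, not code from the Jenkins infrastructure project; the function names, the 21-day threshold and the sample dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_not_after(host, port=443, timeout=10):
    """Return the served certificate's notAfter string, or None when
    verification fails (expired, wrong name, untrusted issuer)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None


def classify(not_after, now, warn_days=21):
    """Map a notAfter value to (status, days_left)."""
    if not_after is None:
        return ("INVALID", None)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days = (expires - now).days
    if days < 0:
        return ("EXPIRED", days)
    return ("RENEW_SOON" if days <= warn_days else "OK", days)


def audit(observed, now, warn_days=21):
    """observed maps hostname -> notAfter (or None). Returns only the
    hostnames that need attention, so an empty dict means all clear."""
    report = {h: classify(v, now, warn_days) for h, v in observed.items()}
    return {h: r for h, r in report.items() if r[0] != "OK"}


# Constructed sample: the CDN edge name renewed on schedule, the origin name did not.
SAMPLE_NOW = datetime(2020, 5, 20, tzinfo=timezone.utc)
SAMPLE = {
    "pkg.jenkins.io": "Aug 10 12:00:00 2020 GMT",         # edge, constructed date
    "pkg.origin.jenkins.io": "May 25 12:00:00 2020 GMT",  # origin, constructed date
}

if __name__ == "__main__":
    for host, (status, days) in audit(SAMPLE, SAMPLE_NOW).items():
        print(f"{host}: {status} ({days} days left)")
    # Live use: audit({h: fetch_not_after(h) for h in SAMPLE}, datetime.now(timezone.utc))
```

A renewal job that fails silently, as with the HTTP check described above, shows up here as `RENEW_SOON` on the origin name well before the certificate lapses.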

              People

              Assignee:
              olblak Olivier Vernin
              Reporter:
              dhs Dirk Heinrichs
              Votes:
              0
              Watchers:
              2