[CentOS-devel] TLS issues koji.mbox.centos.org

Thu Jan 7 12:35:01 UTC 2021
Leon Fauster <leonfauster at googlemail.com>

On 07.01.21 at 08:41, Fabian Arrotin wrote:
> On 06/01/2021 23:45, Leon Fauster via CentOS-devel wrote:
>>
>> Two hours later: It works again here now. I have no idea what caused
>> the above response. Sorry for the noise. Thanks for the feedback, Leon
> 
> Hi Leon,
> 
> Reading inbox and so commenting just today :
> 
> As smooge pointed out, LetsEncrypt recently switched Intermediate CA
> cert (see https://letsencrypt.org/certificates/) from X1 to R3
> 
> It was reflected in our ansible automation *but* for that particular
> haproxy chain in front of openshift (for koji.mbox) it wasn't pointing
> to correct CAChain crt file (that needs to be concatenated)
> 
> That was identified and fixed in the meantime and an extra step added to
> automatically recheck before pushing to git the certs deployed then by
> ansible (as LetsEncrypt's new CA validity is clearly shorter than before
> so they'll even rotate the intermediate CA more frequently)
> 
> So I guess you tried just before the following fix was pushed/deployed :-)

A classical race condition :-) Thanks for depicting it.

--
Leon
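The failure mode Fabian describes (a leaf issued by the new R3 intermediate, served by haproxy together with a chain file that still carried the old X1 intermediate) is cheap to catch before the bundle is committed. The script below is an added example, not code from the CentOS infrastructure playbooks: it builds a throwaway PKI with openssl that mirrors the incident (a root, an old intermediate "X1", a new intermediate "R3", and a leaf issued by R3), assembles three haproxy-style bundles (key + leaf + chain), and runs a `check_chain` function that extracts the certificates, confirms each one is issued by the next, and verifies the leaf against the trusted root with the remaining certs as untrusted intermediates. All names, subjects and file paths are constructed for the demo; only `openssl`, `awk` and `sed` are required.

```shell
#!/bin/sh
# Added example (not the CentOS infra automation): detect an incomplete or
# stale intermediate in a haproxy PEM bundle before it is pushed to git.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- throwaway PKI that mirrors the incident (all names are made up) ---------
csr() {  # csr <name> <subject>: private key + CSR for one entity
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}
csr root "/CN=Demo Root"
csr x1   "/CN=Demo Intermediate X1"
csr r3   "/CN=Demo Intermediate R3"
csr leaf "/CN=koji.demo.invalid"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:koji.demo.invalid\n' > "$WORK/leaf.ext"

sign() {  # sign <name> <issuer> <extfile>: issue the CSR (self-signed if issuer == name)
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}
sign root root "$WORK/ca.ext"
sign x1   root "$WORK/ca.ext"
sign r3   root "$WORK/ca.ext"
sign leaf r3   "$WORK/leaf.ext"   # the leaf is issued by the NEW intermediate

# haproxy-style bundles: key, leaf, then the chain file that was concatenated
cat "$WORK/leaf.key" "$WORK/leaf.pem"                 > "$WORK/leafonly.pem"  # chain forgotten
cat "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/x1.pem"  > "$WORK/broken.pem"    # stale X1 chain file
cat "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/r3.pem"  > "$WORK/fixed.pem"     # correct R3 chain file

# ---- the pre-commit check ----------------------------------------------------
# check_chain <bundle.pem> <trusted-root.pem>
# Extracts every CERTIFICATE block (the private key is skipped), requires that
# cert[i] was issued by cert[i+1], then runs `openssl verify` with the non-leaf
# certs as untrusted intermediates. Returns non-zero on any gap.
check_chain() {
  d=$(mktemp -d "$WORK/chk.XXXXXX")
  awk -v p="$d" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", p, ++n) }
                 f { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  prev=""
  for f in "$d"/cert*.pem; do
    subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then
      echo "$(basename "$1"): chain gap, leaf needs issuer [$prev] but next cert is [$subj]" >&2
      return 1
    fi
    prev=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
  done
  [ -n "$prev" ] || { echo "$(basename "$1"): no certificate found" >&2; return 1; }
  : > "$d/untrusted.pem"
  for f in "$d"/cert*.pem; do
    [ "$f" = "$d/cert01.pem" ] || cat "$f" >> "$d/untrusted.pem"
  done
  if [ -s "$d/untrusted.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$d/untrusted.pem" "$d/cert01.pem" >/dev/null 2>&1 \
      || { echo "$(basename "$1"): openssl verify failed" >&2; return 1; }
  else
    openssl verify -CAfile "$2" "$d/cert01.pem" >/dev/null 2>&1 \
      || { echo "$(basename "$1"): openssl verify failed (no intermediate in bundle)" >&2; return 1; }
  fi
  echo "$(basename "$1"): chain complete and verified"
}

for b in leafonly broken fixed; do
  if check_chain "$WORK/$b.pem" "$WORK/root.pem"; then echo "$b: OK to commit"; else echo "$b: REJECT"; fi
done
```

Run as-is it rejects `leafonly.pem` and `broken.pem` and accepts `fixed.pem`; in a real pre-push hook the root argument would be the system trust store (or the CA bundle clients actually use) and the function would be run over every bundle the ansible role is about to deploy. The issuer/subject walk is kept separate from `openssl verify` on purpose: `verify` only says "unable to get local issuer certificate", while the walk names the intermediate the leaf expects, which is the first thing you want to know when a CA has just rotated its issuing certificate.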