UWIT-IAM / cert-service

UW certificate service website

DCV tool did not complete DCV for "wa-k20.net" #75

Closed chmc3 closed 5 months ago

chmc3 commented 6 months ago

@jfuega reported that the DCV tool did not successfully complete the validation for wa-k20.net despite it being a domain in the UW DNS that normally would be covered by the old manual process. The likely suspect is that this DNS entry appears different from the other standard DNS entries. For reference, compare https://barista.cac.washington.edu/dnsmgr/fqdn/wa-k20.net to https://barista.cac.washington.edu/dnsmgr/fqdn/cac.washington.edu.

While this is likely an edge case, I suspect we will encounter similar problems in the future that stem out of the ill-defined requirements for the tool. Hopefully by finding the "edge cases" we will discover and build around that better definition.

stea-uw commented 6 months ago

Deleting the in-progress verification in the site UI and allowing the DCV cron to try again seems to have fixed the issue. Some state must have gotten broken in Sectigo's stack somewhere.

Assigning to @chmc3 in case you want to verify, otherwise feel free to close this.

chmc3 commented 5 months ago

Verified, and the workaround is getting around this error from Sectigo.

chmc3 commented 5 months ago

@stea-uw Just to double check before I open a case with Sectigo. Not urgent at all.

Domain uwtyeeclub.com is in the UW DNS https://barista.cac.washington.edu/dnsmgr/fqdn/uwtyeeclub.com

I assume the DCV tool did its job, but I'm hoping to double check.

On the Sectigo side, the UI seems to indicate there's definitely something funky. The DCV status is valid until the 2024 expiration. But the "preview" of the record shows that there's an action pending.

image

Once I've confirmed that we did everything right on our end, I'll be able to finish this off with Sectigo. Thanks!

stea-uw commented 5 months ago

Yup, that seems right. I can see from the DNS that the correct child records were added: https://barista.cac.washington.edu/dnsmgr/fqdnindex/uwtyeeclub.com.

The Sectigo UI looks a little different from when I saw the issue, but that's probably fine. When I saw the issue, the domain was stuck in "pending validation". This one shows "validated" in the domain details.

FYI, it looks like DCV hasn't run in a few days due to a changed password. I updated the password and it should start working again.
