jenkins-infra-bot
commented
2 years ago - Message added on IRC to let other admin know
- Current CRL (in the repository https://github.com/jenkins-infra/openvpn) confirms the analysis:
$ openssl crl -in ./cert/pki/crl.pem -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /CN=vpn.jenkins.io Last Update: May 10 09:01:19 2021 GMT Next Update: Nov 6 09:01:19 2021 GMT # ... - Updated the CRL:
$ openssl crl -in ./cert/pki/crl.pem -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /CN=vpn.jenkins.io Last Update: Nov 6 11:02:41 2021 GMT Next Update: May 5 11:02:41 2022 GMT # ... - PR to `staging` branch: https://github.com/jenkins-infra/openvpn/pull/116
- PR to `master` branch (to trigger a container rebuild): https://github.com/jenkins-infra/openvpn/pull/117
- Container built and deployed successfully on trusted.ci.jenkins.io: https://trusted.ci.jenkins.io:1443/job/Containers/job/openvpn/775/ (Image `jenkinsciinfra/openvpn:fa4372` and `jenkinsciinfra/openvpn:latest` both with the digest `sha256:c37db000b9cab1571f4faf0499cc6012582231d8d35cb24feeef3ff824a9c5de`)
Since Saturday 06 november, 09:28 UTC, the authentication is refused by the VPN.
On the machine, the container logs shows the following error:
As per https://github.com/jenkins-infra/openvpn#howto-review-certificate-revocation-list, it means that the CRL has expired and need to be renewed.
Originally reported by dduportal, imported from: Update CRL for VPN (Nov 2021)