openstreetmap / operations

OSMF Operations Working Group issue tracking
https://operations.osmfoundation.org/

Expired SSL certificates #887

Closed pedrocamargo closed 1 year ago

pedrocamargo commented 1 year ago

As per the title.

--2023-05-29 07:44:15-- https://dev.overpass-api.de/clone//2023-05-25/replicate_id
Resolving dev.overpass-api.de (dev.overpass-api.de)... 95.217.37.171, 2a01:4f9:2b:2fd4::2
Connecting to dev.overpass-api.de (dev.overpass-api.de)|95.217.37.171|:443... connected.
ERROR: The certificate of 'dev.overpass-api.de' is not trusted.
ERROR: The certificate of 'dev.overpass-api.de' has expired.
The certificate has expired

tomhughes commented 1 year ago

Well, complain to the operators of overpass-api.de then - it is not one of our sites.

tomhughes commented 1 year ago

For the record, I alerted somebody with better knowledge of who can fix this some hours ago, about two hours after it expired, as it triggered deployment failures for us.

mmd-osm commented 1 year ago

The Let's Encrypt certificate renewal job should take care of it. It should be working again by tomorrow at the latest without any further manual intervention needed. If that's not the case, I can also check why it's not updating.

tomhughes commented 1 year ago

If that was working then it would have renewed a month ago - most likely the renewal timer is not running or something.

mmd-osm commented 1 year ago

Yes, that's a good point. In fact the server has been set up from scratch around the end of February, and the certificate renewal job might no longer run like it used to in the past.

mmd-osm commented 1 year ago

Back in February, @lonvia mentioned that some of the dev server settings are managed by Ansible. I believe the config should cover automated certificate renewal: https://github.com/fossgis-routing-server/ansible_openstreetmap.de/tree/master/roles/letsencrypt/tasks

Although certificates were last updated on the dev server on Apr 25 (which is about 1 month before expiry), they still carry May 29 as end-of-validity date. So the update process seems to be somehow running, but not 100% as expected.

I can't figure out if there's some issue when requesting a new certificate, or maybe replacing the old cert with a new one doesn't work for some reason, and the update process would simply fall back to the old cert.

As I'm totally unfamiliar with this part of the config, that's all I can tell at this time.

grischard commented 1 year ago

@mmd-osm when that has happened to me, it was as simple as restarting nginx to load the new certificates
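
The three explanations raised in this thread (renewal job not running, new certificate not replacing the old one, web server not reloaded after renewal) can be told apart by comparing the certificate on disk with the one the server actually presents. The following is an added example, not part of the original thread or of the Ansible role linked above; the function names, the 30-day window and the result labels are assumptions, and it relies on the `openssl` CLI being installed.

```python
import hashlib
import socket
import ssl
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumption: renewal is due about a month before expiry
FOOTER = "-----END CERTIFICATE-----"

def served_der(host, port=443):
    """Leaf certificate the server presents, as DER. Verification is off so an
    already expired certificate can still be fetched and inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def disk_der(pem_path):
    """First (leaf) certificate of a PEM file such as a full chain, as DER."""
    with open(pem_path) as fh:
        leaf = fh.read().split(FOOTER)[0].strip() + "\n" + FOOTER
    return ssl.PEM_cert_to_DER_cert(leaf)

def not_after(der):
    """Expiry time of a DER certificate, read with the openssl CLI."""
    out = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-enddate"],
                         input=der, capture_output=True, check=True).stdout.decode()
    secs = ssl.cert_time_to_seconds(out.strip().split("=", 1)[1])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def diagnose(disk_fp, disk_exp, served_fp, served_exp, now):
    """Classify the state from fingerprints and expiry times (labels are hypothetical)."""
    if disk_fp != served_fp:
        if disk_exp > served_exp:
            return "reload-needed"   # newer cert on disk, server still holds the old one
        return "path-mismatch"       # server reads its cert from a different file
    if served_exp - now <= RENEW_WINDOW:
        return "renewal-failing"     # the cert on disk itself was never replaced
    return "ok"

def check(host, pem_path):
    """Compare the live endpoint with the certificate file the server is meant to use."""
    disk, live = disk_der(pem_path), served_der(host)
    fp = lambda der: hashlib.sha256(der).hexdigest()
    return diagnose(fp(disk), not_after(disk), fp(live), not_after(live),
                    datetime.now(timezone.utc))
```

Run `check()` on the server itself with its hostname and the certificate path from the web server configuration; scheduling it lets a stalled renewal surface weeks before the expiry date.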