tenex / rails-assets

The solution to assets management in Rails
https://rails-assets.org
MIT License
1.63k stars 69 forks

Possible failure of rails-assets.org TLS certificate renewal automation #461

Closed aleksandrs-ledovskis closed 3 years ago

aleksandrs-ledovskis commented 4 years ago

@joshjordan Could you please verify if certbot(?) is working adequately on rails-assets.org serving machine?

The current TLS certificate expiry is less than 30 days away (on 2020-01-26), and the ACME client should have run the renewal, unless there's a different threshold.

joshjordan commented 4 years ago

Certbot is fine, it’s nginx that isn’t picking up the new certificate. I’ll restart it today.

On Sun, Dec 29, 2019 at 10:51 AM Aleksandrs Ļedovskis <notifications@github.com> wrote:

@joshjordan https://github.com/joshjordan Could you please verify if certbot(?) is working adequately on rails-assets.org serving machine?

The current TLS certificate https://crt.sh/?id=2045205205 expiry is less than 30 days away (on 2020-01-26), and the ACME client should have run the renewal, unless there's a different threshold.


aleksandrs-ledovskis commented 4 years ago

Indeed, I somehow missed that a new cert was issued on 2019-12-27 (@ censys).

As failure to act would have caused an outage similar to ones we have experienced in 2019, would it be a tall order to introduce a daily/weekly/fortnightly Nginx restart cron task that would unconditionally do its job?

joshjordan commented 4 years ago

That actually does exist, but something Nginx-related is holding an open file handle on the old certificate. We’ve spent quite a while debugging but have not turned up anything. Often we end up just doing manual restarts.

On Sun, Dec 29, 2019 at 1:42 PM Aleksandrs Ļedovskis <notifications@github.com> wrote:

Indeed, I somehow missed that a new cert was issued on 2019-12-27 (@ censys https://censys.io/certificates/fd4559e44776bfaa0374435857aa3ae5b7111fb1ba2d29e2727c6de66c63bc36 ).

As failure to act would have caused an outage similar to ones we have experienced in 2019, would it be a tall order to introduce a daily/weekly/fortnightly Nginx restart cron task?


joshjordan commented 4 years ago

However, that’s not to say the issue is closed. Definitely still working on it, but not always actively.


aleksandrs-ledovskis commented 4 years ago

Maybe "restart" is a wrong approach then. How about stop/start? That should clear any open handles.

aleksandrs-ledovskis commented 4 years ago

Another idea that I've floated in a previous issue was a move to Cloudflare-fronted TLS termination. Do you hold any strong objection; are there technical/legal obstacles to implementation?

That would make this whole local-renewal question a non-issue for the foreseeable future.

sheerun commented 4 years ago

maybe you are reloading nginx instead of restarting it
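A cron check for the failure mode discussed in this thread (certbot renews the file on disk, but nginx keeps serving the old certificate), as an added example that is not part of the issue or of the rails-assets project: it compares the SHA-256 fingerprint of the leaf in the on-disk fullchain with the one the live server presents, and only on a mismatch does a full stop/start rather than a reload. The host name, certificate path and the `systemctl` unit name are assumptions.

```python
"""Cron check: is nginx serving the certificate certbot wrote to disk?"""
import hashlib
import re
import socket
import ssl
import subprocess
import sys

# fullchain.pem lists the leaf first, then the intermediates.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 hex fingerprint over the DER of the first certificate in the PEM text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block in PEM input")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fingerprint of the leaf the live server presents for `host` (sent as SNI)."""
    ctx = ssl.create_default_context()
    # Verification is off on purpose: a stale or already-expired cert must be
    # observed and reported, not rejected before we can compare it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def needs_restart(disk_fp: str, live_fp: str) -> bool:
    """True when the served leaf is not the one on disk (case-insensitive hex compare)."""
    return disk_fp.lower() != live_fp.lower()


def main(host: str, cert_path: str) -> int:
    with open(cert_path) as fh:
        disk_fp = leaf_fingerprint(fh.read())
    live_fp = served_fingerprint(host)
    if not needs_restart(disk_fp, live_fp):
        print(f"ok: {host} serves on-disk cert {disk_fp[:16]}...")
        return 0
    print(f"mismatch: disk {disk_fp[:16]}... live {live_fp[:16]}...; stop/start nginx")
    # Full stop/start, not reload: a reload can leave the old file handle open.
    subprocess.run(["systemctl", "stop", "nginx"], check=True)   # unit name assumed
    subprocess.run(["systemctl", "start", "nginx"], check=True)
    return 1


if __name__ == "__main__":
    # Assumed invocation: check_cert.py rails-assets.org /etc/letsencrypt/live/rails-assets.org/fullchain.pem
    sys.exit(main(sys.argv[1], sys.argv[2]))
```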