Closed (by aleksandrs-ledovskis, 3 years ago)
Certbot is fine, it’s nginx that isn’t picking up the new certificate. I’ll restart it today.
On Sun, Dec 29, 2019 at 10:51 AM Aleksandrs Ļedovskis <notifications@github.com> wrote:
@joshjordan https://github.com/joshjordan Could you please verify if certbot(?) is working adequately on the rails-assets.org serving machine?
The current TLS certificate https://crt.sh/?id=2045205205 expiry is less than 30 days away (on 2020-01-26), and the ACME client should have run the renewal, unless there's a different threshold.
Indeed, I somehow missed that a new cert was issued on 2019-12-27 (@ censys https://censys.io/certificates/fd4559e44776bfaa0374435857aa3ae5b7111fb1ba2d29e2727c6de66c63bc36).
As failure to act would have caused an outage similar to the ones we experienced in 2019, would it be a tall order to introduce a daily/weekly/fortnightly Nginx restart cron task that would unconditionally do its job?
That actually does exist, but something Nginx-related is holding an open file handle on the old certificate. We’ve spent quite a while debugging but have not turned up anything. Often we end up just doing manual restarts.
However, that’s not to say the issue is closed. Definitely still working on it, but not always actively.
Maybe "restart" is the wrong approach then. How about stop/start? That should clear any open handles.
Another idea that I've floated in one previous issue was to move to CloudFlare-fronted TLS termination. Do you hold any strong objection, or are there technical/legal obstacles to implementation?
That would make this whole local-renewal business a non-issue for the foreseeable future.
Maybe you are reloading nginx instead of restarting it.
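A check for the failure mode discussed in this thread (nginx still presenting the old certificate after certbot has renewed it), written as an added example and not code from rails-assets or any participant: it compares the SHA-256 fingerprint of the certificate actually served with the leaf certificate certbot wrote to disk, and reloads nginx only when they differ, so a cron job acts on evidence rather than restarting unconditionally. Host, port and certificate path are hypothetical parameters, and the reload command assumes a systemd-managed nginx.

```python
"""Detect when nginx is still serving an older certificate than the one
certbot wrote to disk, and reload nginx only then (hypothetical helper)."""
import base64
import hashlib
import socket
import ssl
import subprocess

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def first_pem_block(text: str) -> str:
    """Return the leaf (first) certificate block of a PEM file such as fullchain.pem."""
    start = text.index(PEM_HEADER)
    end = text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    return text[start:end]

def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate block to its DER bytes."""
    body = pem.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def served_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate nginx actually presents for this host (SNI set)."""
    ctx = ssl.create_default_context()
    # Observe only: an already-expired cert must not abort the check with a verify error.
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def is_stale(served_der: bytes, disk_pem_text: str) -> bool:
    """True when the served cert differs from the leaf cert on disk."""
    disk_der = pem_to_der(first_pem_block(disk_pem_text))
    return fingerprint(served_der) != fingerprint(disk_der)

def reload_if_stale(host: str, cert_path: str, dry_run: bool = True) -> bool:
    """Cron-friendly check; returns True when nginx was (or would be) reloaded."""
    with open(cert_path) as f:
        disk_pem = f.read()
    if not is_stale(served_cert_der(host), disk_pem):
        return False
    if not dry_run:  # reload re-reads cert files; use restart instead if it stays stale
        subprocess.run(["systemctl", "reload", "nginx"], check=True)
    return True
```

Run it from cron with dry_run=False or as a certbot --deploy-hook; if a reload still leaves the old certificate being served (the open-handle situation described above), change the command to a restart.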