#10073 IPA CRL isn't downloadable from STG env
Closed: Fixed 3 years ago by kevin. Opened 3 years ago by arrfab.

While it was allowed before (can find the ticket), it seems that some rules changed on the proxy, and now:

curl -I https://id.stg.fedoraproject.org/ipa/crl/MasterCRL.bin
HTTP/2 301 
date: Wed, 07 Jul 2021 07:04:40 GMT
server: Apache
strict-transport-security: max-age=31536000; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: same-origin
x-frame-options: DENY
content-security-policy: frame-ancestors 'none'
location: http://ipa01.stg.iad2.fedoraproject.org/ipa/crl/MasterCRL.bin
cache-control: no-cache, private
content-type: text/html; charset=iso-8859-1
apptime: D=3602
x-fedora-proxyserver: proxy01.stg.iad2.fedoraproject.org
x-fedora-requestid: YOVSCEg-U7O7upZiFhEJKAAIxwU

So can we ensure that it's not redirected (301) but just really proxied? The target server isn't publicly reachable, breaking the services consuming/refreshing the CRL (like koji using TLS authentication).


Worth knowing that it works fine for https://id.fedoraproject.org/ipa/crl/MasterCRL.bin (so not breaking prod); it fails only on STG, which is now blocking https://pagure.io/centos-infra/issue/374

Metadata Update from @humaton:
- Issue tagged with: low-gain, low-trouble, ops

3 years ago

Fixed. When upgraded, ipa put back in a redirect that we take out.

So, a run of the playbook fixed it.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
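
A regression check for the behaviour reported in this ticket, added here as an example (not code from the Fedora infrastructure playbooks): it reads `curl -I` output for the CRL URL and reports a redirect, a redirect target on a different host, and an https-to-http downgrade. The function names and the 200 sample response are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Header block from the ticket, abridged to the lines the check reads.
STG_RESPONSE = """\
HTTP/2 301
server: Apache
location: http://ipa01.stg.iad2.fedoraproject.org/ipa/crl/MasterCRL.bin
content-type: text/html; charset=iso-8859-1
x-fedora-proxyserver: proxy01.stg.iad2.fedoraproject.org
"""

# Constructed sample of a healthy, proxied reply (not taken from the ticket).
PROXIED_RESPONSE = """\
HTTP/2 200
server: Apache
content-type: application/pkix-crl
"""


def parse_head(raw):
    """Split `curl -I` output into (status_code, {lowercased header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def crl_endpoint_findings(url, raw):
    """Return reasons why a CRL consumer could fail to refresh from `url`."""
    status, headers = parse_head(raw)
    findings = []
    if 300 <= status < 400:
        src, dst = urlsplit(url), urlsplit(headers.get("location", ""))
        findings.append(f"redirect ({status}) instead of proxied content")
        if dst.hostname and dst.hostname != src.hostname:
            findings.append(f"redirect target host {dst.hostname} differs from {src.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append("redirect downgrades https to http")
    elif status != 200:
        findings.append(f"unexpected status {status}")
    if status == 200 and headers.get("content-type", "").startswith("text/html"):
        findings.append("body is HTML, not a CRL")
    return findings
```

Run after an IPA upgrade or a proxy rule change, a non-empty result for the STG URL means the redirect is back and the playbook needs another run.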
