While it was allowed before (can find the ticket), it seems that some rules changed on the proxy, and now:
    curl -I https://id.stg.fedoraproject.org/ipa/crl/MasterCRL.bin
    HTTP/2 301
    date: Wed, 07 Jul 2021 07:04:40 GMT
    server: Apache
    strict-transport-security: max-age=31536000; preload
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: same-origin
    x-frame-options: DENY
    content-security-policy: frame-ancestors 'none'
    location: http://ipa01.stg.iad2.fedoraproject.org/ipa/crl/MasterCRL.bin
    cache-control: no-cache, private
    content-type: text/html; charset=iso-8859-1
    apptime: D=3602
    x-fedora-proxyserver: proxy01.stg.iad2.fedoraproject.org
    x-fedora-requestid: YOVSCEg-U7O7upZiFhEJKAAIxwU
So can we ensure that it's not redirected (301) but just really proxied? As the target server isn't publicly reachable, this is breaking the services consuming/refreshing the CRL (like for koji using TLS authentication).
Worth knowing that it works fine for https://id.fedoraproject.org/ipa/crl/MasterCRL.bin (so not breaking prod) but only on STG, blocking now https://pagure.io/centos-infra/issue/374
Metadata Update from @humaton: - Issue tagged with: low-gain, low-trouble, ops
Fixed. When upgraded, ipa put back in a redirect that we take out.
So, run of playbook fixed it.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
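A regression check for the condition reported in this ticket, written as an added example that is not part of the ticket or of any Fedora infrastructure tooling. It flags a CRL URL that answers with a redirect (to another host, or from https down to http) instead of serving the CRL through the proxy. The function names `parse_head`, `classify` and `fetch_head` are hypothetical, and the sample headers are a constructed, trimmed copy of the dump above.

```python
"""Check that a CRL URL is reverse-proxied rather than redirected (added example)."""
import http.client
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the header dump quoted in the ticket.
SAMPLE_HEADERS = """\
HTTP/2 301
server: Apache
location: http://ipa01.stg.iad2.fedoraproject.org/ipa/crl/MasterCRL.bin
content-type: text/html; charset=iso-8859-1
"""

def parse_head(raw):
    """Return (status, headers) from `curl -I` style text; header names lowercased."""
    lines = [l.strip() for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(url, status, headers):
    """Return a list of findings; an empty list means the CRL was served directly."""
    findings = []
    if 300 <= status < 400:
        src, dst = urlsplit(url), urlsplit(headers.get("location", ""))
        findings.append(f"redirected ({status}) instead of proxied")
        if dst.hostname and dst.hostname != src.hostname:
            findings.append(f"redirect target is another host: {dst.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append("redirect downgrades https to http")
    elif status != 200:
        findings.append(f"unexpected status {status}")
    return findings

def fetch_head(url):
    """HEAD the URL without following redirects (http.client never follows them)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

if __name__ == "__main__":
    url = "https://id.stg.fedoraproject.org/ipa/crl/MasterCRL.bin"
    for finding in classify(url, *parse_head(SAMPLE_HEADERS)):
        print("FAIL:", finding)
```

For a live check, pass the result of `fetch_head(url)` to `classify` in place of the parsed sample; running it after each IPA upgrade would catch the redirect being put back.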