https://flocktofedora.org/ has an expired certificate. Can you please check what happened -- presumably there's some automation to renew from Let's Encrypt -- and update it?
Thank you!
Urgent since Nest is right around the corner!
I can't reproduce the problem here, can you give more details? (Unless someone renewed the certificate in the meantime.)
Reproducer:
$ curl --resolve flocktofedora.org:443:140.211.169.196 -I https://flocktofedora.org
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Metadata Update from @mizdebsk: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: ops
I think this may be some caching or the like
$ curl -ILv https://flocktofedora.org
* Trying 85.236.55.6:443...
* Connected to flocktofedora.org (85.236.55.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=flocktofedora.org
* start date: Jun 11 12:33:15 2021 GMT
* expire date: Sep 9 12:33:14 2021 GMT <-------------------------------------------------------
* subjectAltName: host "flocktofedora.org" matched cert's "flocktofedora.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x565171acebf0)
> HEAD / HTTP/2
> Host: flocktofedora.org
> user-agent: curl/7.76.1
> accept: */*
I get the same expire date from my browser, both Firefox and Chrome.
Yeah, it seems to happen with only some of the Cloudflare hosts. Maybe only 140.211.169.196?
Metadata Update from @mohanboddu: - Issue tagged with: medium-gain, medium-trouble
Metadata Update from @mizdebsk: - Issue assigned to mizdebsk
The issue affects only proxy06, which has outdated certificates and keys for flocktofedora.org and a few other websites. I'll fix it by running:
ansible-playbook groups/proxies.yml -l proxy06.fedoraproject.org
The issue should be fixed.
Metadata Update from @mizdebsk: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
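Added example, not part of the ticket or of the Fedora infrastructure tooling: the failure in this thread was visible only when a client happened to reach one particular proxy, so a useful check performs the TLS handshake against every address the name resolves to (the same idea as the `curl --resolve` reproducer) and flags any backend whose certificate fails verification, is close to expiry, or differs from its peers. The function names, the 14-day threshold and the sample addresses in the comments are assumptions made for this sketch.

```python
import socket
import ssl
import sys
import time

def backend_addresses(host, port=443):
    """Every distinct address the name resolves to (round-robin DNS)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_backend(host, ip, port=443, timeout=5.0):
    """Handshake with one address using the real hostname for SNI and
    verification. Returns (status, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired", as in the curl (60) error
        return ("bad-cert", exc.verify_message)
    except OSError as exc:
        return ("unreachable", str(exc))

def summarize(results, now=None, warn_days=14):
    """Pure function over {ip: (status, detail)}; returns (ip, problem) pairs."""
    now = time.time() if now is None else now
    problems = []
    for ip, (status, detail) in sorted(results.items()):
        if status != "ok":
            problems.append((ip, f"{status}: {detail}"))
            continue
        days_left = (ssl.cert_time_to_seconds(detail) - now) / 86400
        if days_left < warn_days:
            problems.append((ip, f"expires in {days_left:.0f} days"))
    # Backends out of sync with each other are a sign that a renewal
    # was not deployed everywhere.
    expiries = {detail for status, detail in results.values() if status == "ok"}
    if len(expiries) > 1:
        problems.append(("*", "backends serve certificates with different expiry dates"))
    return problems

if __name__ == "__main__":
    host = sys.argv[1]
    results = {ip: check_backend(host, ip) for ip in backend_addresses(host)}
    for ip, problem in summarize(results):
        print(f"{host} via {ip}: {problem}")
    sys.exit(1 if summarize(results) else 0)
```

Run from a monitoring job, the non-zero exit status signals that at least one backend needs attention even when most clients still see a valid certificate.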