$ danetool --check fedoraproject.org
Resolving 'fedoraproject.org:https'...
Obtaining certificate from '2604:1580:fe00:0:dead:beef:cafe:fed1:443'...
Querying DNS for fedoraproject.org (tcp:443)...
_443._tcp.fedoraproject.org. IN TLSA ( 01 01 01 a268847da80175457baf603df3b0ab9cc99d1f6bb84b83c351f97e9e6f397bb4 )
Certificate usage: End-entity (01)
Certificate type: SubjectPublicKeyInfo (01)
Contents: SHA2-256 hash (01)
Data: a268847da80175457baf603df3b0ab9cc99d1f6bb84b83c351f97e9e6f397bb4

Verification: Verification failed. The certificate differs.
This check could be automated to prevent new issues as the danetool exit code is not 0 when the check fails.
Metadata Update from @phsmoura: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
I've updated the records since we actually were getting users noticing this. ;(
danetool --check fedoraproject.org
Resolving 'fedoraproject.org:https'...
Obtaining certificate from '2620:52:3:1:dead:beef:cafe:fed7:443'...
Querying DNS for fedoraproject.org (tcp:443)...
_443._tcp.fedoraproject.org. IN TLSA ( 03 01 01 5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09 )
Certificate usage: Local end-entity (03)
Certificate type: SubjectPublicKeyInfo (01)
Contents: SHA2-256 hash (01)
Data: 5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09

Verification: Certificate matches.
However. We should add a nagios check so this doesn't happen to us again... so leaving open for that.
@kevin i'm keen at learning this -- is adding this check super involved?
Not super hard, just annoying. ;)
You should be able to look at history in the ansible git repo for when other custom checks were added.
Should just need a small script 'check_fedoraproject_dane' or something made that calls the danetool check above and returns the right status for ok vs critical, then adding it I guess on noc01/nagios_server to run there? Also I guess we need to install gnutls / danetool there for it to work.
Let me know if you want more detailed info and I can try and get it, or if that's enough to start in with. :)
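A sketch of the kind of wrapper described above, written as an added example for this thread (it is not the code from the ansible PR). It assumes danetool from the gnutls-utils package is installed on the nagios host, takes the hostname as its first argument, and maps danetool's exit status onto the standard Nagios plugin states (0 OK, 2 CRITICAL, 3 UNKNOWN), so the TLSA record going stale again would raise an alert rather than being noticed by users.

```shell
#!/bin/sh
# check_fedoraproject_dane: Nagios-style wrapper around `danetool --check`.
# Added example, not the PR's code. Assumes danetool (gnutls-utils) is on PATH.

STATE_OK=0
STATE_CRITICAL=2
STATE_UNKNOWN=3

# check_dane HOST
# Runs `danetool --check HOST`, prints a one-line Nagios status and returns
# the matching plugin state. danetool exits non-zero when the TLSA record in
# DNS does not match the certificate the server actually presents.
check_dane() {
    host="$1"

    if ! command -v danetool >/dev/null 2>&1; then
        echo "UNKNOWN - danetool not installed (package gnutls-utils)"
        return $STATE_UNKNOWN
    fi

    output=$(danetool --check "$host" 2>&1)
    rc=$?

    if [ "$rc" -eq 0 ]; then
        echo "OK - TLSA record matches the served certificate for $host"
        return $STATE_OK
    fi

    # Surface danetool's final line (e.g. "Verification failed. The certificate differs.")
    # so the alert says why the check went critical.
    detail=$(printf '%s\n' "$output" | tail -n 1)
    echo "CRITICAL - DANE/TLSA check failed for $host: $detail"
    return $STATE_CRITICAL
}

# Plugin entry point when invoked with a hostname, e.g.:
#   ./check_fedoraproject_dane fedoraproject.org
if [ $# -gt 0 ]; then
    check_dane "$1"
    exit $?
fi
```

The nagios side is then just a `command` definition pointing at this script and a `service` on the web host that uses it; the exit code does the rest, since nagios reads the state from the plugin's return value and shows the printed line in the alert.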
okay, had a crack at it -- not sure the nagios config side of things is correct though, so def needs a review :)
https://pagure.io/fedora-infra/ansible/pull-request/1405
Metadata Update from @ryanlerch: - Issue assigned to ryanlerch
[backlog refinement] PR is still open and waiting for adjustments
going to close the PR, but keep this issue open -- no real use doing this in nagios since the work is being done by @dkirwan to bring up zabbix.
Metadata Update from @ryanlerch: - Issue marked as depending on: #11393 - Issue tagged with: blocked
Metadata Update from @ryanlerch: - Assignee reset
Sure, I guess. We likely should make the check in zabbix when we move to it too, though... :)
Metadata Update from @zlopez: - Issue untagged with: blocked
Metadata Update from @kevin: - Issue assigned to kevin
Metadata Update from @kevin: - Issue unmarked as depending on: #11393
I'm going to close this now. Will document it and we can work on a zabbix check when we get to it.
Metadata Update from @kevin: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)