#11245 DANE TLSA record for fedoraproject.org seems outdated
Closed: Fixed with Explanation a year ago by kevin. Opened 2 years ago by fdelapena.

$ danetool --check fedoraproject.org
Resolving 'fedoraproject.org:https'...
Obtaining certificate from '2604:1580:fe00:0:dead:beef:cafe:fed1:443'...
Querying DNS for fedoraproject.org (tcp:443)...
_443._tcp.fedoraproject.org. IN TLSA ( 01 01 01 a268847da80175457baf603df3b0ab9cc99d1f6bb84b83c351f97e9e6f397bb4 )
Certificate usage: End-entity (01)
Certificate type:  SubjectPublicKeyInfo (01)
Contents:     SHA2-256 hash (01)
Data:         a268847da80175457baf603df3b0ab9cc99d1f6bb84b83c351f97e9e6f397bb4

Verification: Verification failed. The certificate differs. 

This check could be automated to prevent new issues as the danetool exit code is not 0 when the check fails.

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 years ago

I've updated the records since we actually were getting users noticing this. ;(

danetool --check fedoraproject.org
Resolving 'fedoraproject.org:https'...
Obtaining certificate from '2620:52:3:1:dead:beef:cafe:fed7:443'...
Querying DNS for fedoraproject.org (tcp:443)...
_443._tcp.fedoraproject.org. IN TLSA ( 03 01 01 5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09 )
Certificate usage: Local end-entity (03)
Certificate type:  SubjectPublicKeyInfo (01)
Contents:         SHA2-256 hash (01)
Data:         5441af1dc3c6df9a6bd408daea995bd1a5e328404a271a575f11b4feebd93b09

Verification: Certificate matches. 

However, we should add a nagios check so this doesn't happen to us again... so leaving open for that.

@kevin I'm keen on learning this -- is adding this check super involved?

Not super hard, just annoying. ;)

You should be able to look at history in the ansible git repo for when other custom checks were added.

Should just need a small script 'check_fedoraproject_dane' or something made that calls the danetool check above and returns the right status for ok vs critical, then adding it I guess on noc01/nagios_server to run there? Also I guess we need to install gnutls / danetool there for it to work.

Let me know if you want more detailed info and I can try and get it, or if that's enough to start in with. :)
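A check along the lines kevin sketches above, and of the automation suggested in the opening report: an added example, not the code from the pull request or from the infra ansible repo. It is a Nagios-style plugin that wraps `danetool --check HOST`, relying only on danetool exiting non-zero when verification fails; the script name, the DANETOOL override variable and the output wording are assumptions.

```shell
#!/bin/sh
# check_fedoraproject_dane - Nagios-style plugin wrapping `danetool --check HOST`.
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.
# DANETOOL may be overridden with a full path (or a stand-in when testing);
# it defaults to the `danetool` binary shipped with gnutls-utils (assumed name).
DANETOOL="${DANETOOL:-danetool}"

# dane_check HOST: run `danetool --check HOST`, print one status line and
# return the Nagios status code. Both the exit code (non-zero on failure)
# and the "Verification:" line are examined, so a mismatch that somehow
# exits 0 still raises CRITICAL.
dane_check() {
    host="$1"
    if ! command -v "$DANETOOL" >/dev/null 2>&1; then
        echo "DANE UNKNOWN - $DANETOOL not found; install gnutls-utils on the monitoring host"
        return 3
    fi
    rc=0
    out=$("$DANETOOL" --check "$host" 2>&1) || rc=$?
    # The last "Verification:" line is danetool's human-readable verdict.
    verdict=$(printf '%s\n' "$out" | grep '^Verification:' | tail -n 1)
    reason="${verdict#Verification: }"
    # Surface the TLSA record that was compared, if danetool printed one.
    tlsa=$(printf '%s\n' "$out" | grep ' IN TLSA ' | head -n 1)
    if [ "$rc" -eq 0 ] && printf '%s\n' "$verdict" | grep -q 'Certificate matches'; then
        echo "DANE OK - $host: $reason${tlsa:+ [$tlsa]}"
        return 0
    fi
    # Failed verification, missing TLSA record, DNS or TLS errors: anything
    # that means the published record does not validate the live certificate.
    echo "DANE CRITICAL - $host: ${reason:-danetool exited $rc}"
    printf '%s\n' "$out" | tail -n 3 | sed 's/^/  /'
    return 2
}

# Invoked with a host argument (as Nagios would): run the check, exit with its status.
if [ $# -gt 0 ]; then
    dane_check "$1"
    exit $?
fi
```

Nagios's own plugin timeout covers a hung DNS or TLS fetch; the multi-line tail of danetool output is only there to give the operator context in the alert.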

okay, had a crack at it -- not sure the nagios config side of things is correct though, so def needs a review :)

https://pagure.io/fedora-infra/ansible/pull-request/1405

Metadata Update from @ryanlerch:
- Issue assigned to ryanlerch

2 years ago

[backlog refinement]
PR is still open and waiting for adjustments

going to close the PR, but keep this issue open -- no real use doing this in nagios since the work is being done by @dkirwan to bring up zabbix.

Metadata Update from @ryanlerch:
- Issue marked as depending on: #11393
- Issue tagged with: blocked

2 years ago

Metadata Update from @ryanlerch:
- Assignee reset

2 years ago

Sure, I guess. We likely should make the check in zabbix when we move to it too, though... :)

Metadata Update from @zlopez:
- Issue untagged with: blocked

2 years ago

Metadata Update from @kevin:
- Issue assigned to kevin

2 years ago

Metadata Update from @kevin:
- Issue unmarked as depending on: #11393

a year ago

I'm going to close this now. Will document it and we can work on a zabbix check when we get to it.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

a year ago

