#7269 New push certs for registry.stg.fedoraproject.org
Closed: Fixed 11 months ago Opened a year ago by cverna.

  • Describe what you need us to do:
    Currently we cannot push new images to registry.stg.fedoraproject.org, I think the certs we are using have expired and we did renew only the production's one not stg.

  • When do you need this? (YYYY/MM/DD)
    When possible

  • When is this no longer needed or useful? (YYYY/MM/DD)

  • If we cannot complete your request, what is the impact?


Metadata Update from @mizdebsk:
- Issue tagged with: staging

a year ago

ok. I think I have fixed this, it was just the cert name that was now wrong.

Can you please try again now and see if it works?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

a year ago

ok. I think I have fixed this, it was just the cert name that was now wrong.
Can you please try again now and see if it works?

@mohanboddu tried to do a release today and it failed with the following error
"FATA[0000] Error writing blob: Error initiating layer upload to /v2/fedora/blobs/uploads/ in registry.stg.fedoraproject.org: unauthorized: authentication required"

The release is run from compose-x86-01.phx2.fedoraproject.org and skopeo uses the certs which are stored under /etc/docker/certs.d/registry.stg.fedoraproject.org

@cverna,

That hostname isn't in staging, and I believe there are firewalls preventing staging from communicating with production, which likely explains that error.

ok. I think I got it figured.

The playbook was only installing the staging certs on releng staging hosts (ie, composer.stg, not compose-x86-01, since it's a prod host.

I removed the conditional there and ran the playbook and the certs look right on both ends now.

We may need to do this also with the candidate registery if thats also needing to be pushed to by prod hosts.

@bowlofeggs We do block staging talking to most (all except the 'staging friendly' ansible group), but we don't block prod hosts talking to staging.

@mohanboddu can you try again from compose-x86-01 now?

ok. I think I got it figured.
The playbook was only installing the staging certs on releng staging hosts (ie, composer.stg, not compose-x86-01, since it's a prod host.
I removed the conditional there and ran the playbook and the certs look right on both ends now.
We may need to do this also with the candidate registery if thats also needing to be pushed to by prod hosts.

Yes I think this is needed for candidate-registry too

@bowlofeggs We do block staging talking to most (all except the 'staging friendly' ansible group), but we don't block prod hosts talking to staging.
@mohanboddu can you try again from compose-x86-01 now?

This is now working :fireworks:

Metadata Update from @cverna:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

11 months ago

Login to comment on this ticket.

Metadata