[heroes] Fixed Let's Encrypt
Hi all,

this is just to inform you that we addressed the issues with Let's Encrypt in the openSUSE infrastructure and renewed the certificates (in time), so no outages are to be expected.

The certificate was about to expire on Oct 8, and automatic issuance no longer worked (we were made aware of this by Thorsten Bro in time). For - as to now - unclear reasons, "kinit" was missing on the machine responsible for this (crtmgr.infra.opensuse.org). Kerberos is needed in some script to update the DNS records needed for authorization.

Most probably this happened due to an upgrade, and the one doing the upgrade didn't realize right away, since it takes a while until the problem manifests itself. Simply installing krb5-client did the trick, so this should work automatically again in the future.

Best regards,
Karol Babioch
Hi all,

On 26.09.19 at 15:52, Karol Babioch wrote:
Hi all,
For - as to now - unclear reasons, "kinit" was missing on the machine responsible for this (crtmgr.infra.opensuse.org). Kerberos is needed in some script to update the DNS records needed for authorization.
Thanks for taking care, as I was unable to spare some time for this at the moment. I'm overwhelmed by a lot of new things and my ToDo list is just growing - especially the private one - so some hobbies such as openSUSE need to step back for a while.

Just to explain why kinit / Kerberos is needed there.

The public DNS setup of openSUSE is a bit of a mess, due to the domain being handled by the MF IT "Infoblox" network. For this reason, when we want to push our zone to the public world, we need to push it against special IP addresses of Micro Focus. As we decided to use infra.o.o for the internal addressing managed by FreeIPA, we need to clean this up somehow before we push the zone externally. So what happens is this.

crtmgr gets a Kerberos ticket (kinit needed) to identify as a DNS administrator against freeipa.infra.o.o, and uses "nsupdate -g" [1] to update the records in the FreeIPA zone.

Now we have a shiny FreeIPA zone for .opensuse.org containing all the TXT records we need for Let's Encrypt, but as name servers it contains (as is correct for the internal view) freeipa.infra.opensuse.org.

Because of this, there is a PowerDNS script running on chip? I guess it is chip, but I would need to double-check. This PowerDNS script watches the openSUSE.org zone from FreeIPA and gets triggered whenever there is a change. The only thing it does is run a small regex filter script in Ruby by darix that removes the .infra.o.o domain names from the .o.o zone file and pushes it with a notification to the MF name servers.

And *tada* we have a working zone file out there. How can you see this? Easy: compare the NS (name server) records of the zone you get on any machine in the infra.o.o network with the public .o.o zone. They differ in exactly the name servers, but both come from the same machine called FreeIPA, managed in the LDAP database and updated via crtmgr (at least for the TXT records for Let's Encrypt).

Easy, isn't it? :D

Remember to always have fun ...
[1] how "nsupdate -g" works: https://gist.github.com/genadipost/2d5eb75e0a46ca4e5ac756d640b2da5a

Best regards,
Thorsten

-- To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org To contact the owner, e-mail: heroes+owner@opensuse.org
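The pipeline Thorsten describes, as an added example in POSIX shell; it is not the crtmgr or chip scripts the Heroes actually run and not darix's Ruby filter. It does three things: a preflight check for the tools the job depends on (the missing kinit would have failed the job immediately with a clear message instead of surfacing as an expiring certificate), the Kerberos ticket plus "nsupdate -g" batch that publishes an ACME DNS-01 TXT record into the FreeIPA zone, and a filter that strips infra.o.o names (swapping the internal NS and SOA MNAME for public name servers) before the zone goes out. The host names and the zone layout follow the mail; the principal, keytab path, public NS names, the --apply flag and the sample zone are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not the openSUSE Heroes' crtmgr/chip scripts and not darix's Ruby filter:
# Kerberos ticket -> "nsupdate -g" into the FreeIPA zone -> strip infra.o.o names -> publish,
# with a fail-fast preflight for the tools whose absence broke automatic issuance.
# The principal, keytab path, public NS names, CLI flag and sample zone are assumptions.

ZONE="opensuse.org"
INTERNAL_SUFFIX="infra.opensuse.org"
IPA_SERVER="freeipa.infra.opensuse.org"
PRINCIPAL="${CRTMGR_PRINCIPAL:-dns-admin/crtmgr.infra.opensuse.org}"  # assumed DNS-admin principal
KEYTAB="${CRTMGR_KEYTAB:-/etc/crtmgr/dns-admin.keytab}"              # assumed keytab location

# Print the arguments that are not on PATH, space separated (empty if all are present).
# Run first: a missing kinit then fails the job now instead of weeks later at renewal time.
missing_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s' "${missing# }"
}

# Print the nsupdate batch that adds or deletes the ACME DNS-01 TXT record for a name.
# Usage: acme_txt_update add|del <fqdn> [token]
acme_txt_update() {
    action=$1; fqdn=$2; token=$3
    printf 'server %s\nzone %s.\n' "$IPA_SERVER" "$ZONE"
    if [ "$action" = add ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$fqdn" "$token"
    else
        printf 'update delete _acme-challenge.%s. TXT\n' "$fqdn"
    fi
    printf 'send\n'
}

# Get a ticket from the keytab, send the batch authenticated with GSS-TSIG, drop the ticket.
apply_update() {
    miss=$(missing_tools kinit kdestroy nsupdate)
    [ -z "$miss" ] || { echo "refusing to run, missing tools: $miss" >&2; return 1; }
    KRB5CCNAME="FILE:/tmp/crtmgr-dns.$$"; export KRB5CCNAME  # private ccache: no stale ticket hides a failure
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    acme_txt_update "$@" | nsupdate -g
    rc=$?
    kdestroy
    return $rc
}

# Constructed sample of the internal (FreeIPA) view in AXFR layout: owner ttl class type rdata,
# fully qualified names. Not real openSUSE data.
sample_zone() {
    cat <<'EOF'
; internal view (constructed sample)
opensuse.org. 3600 IN SOA freeipa.infra.opensuse.org. hostmaster.opensuse.org. 2019092601 3600 900 1209600 3600
opensuse.org. 3600 IN NS freeipa.infra.opensuse.org.
www.opensuse.org. 600 IN A 192.0.2.10
_acme-challenge.www.opensuse.org. 60 IN TXT "constructed-token"
crtmgr.infra.opensuse.org. 600 IN A 192.0.2.20
freeipa.infra.opensuse.org. 600 IN A 192.0.2.21
EOF
}

# Filter the internal zone (stdin) for publication: records whose owner or data is an
# $INTERNAL_SUFFIX name are dropped, NS records pointing at internal hosts are replaced by the
# public name servers given as arguments, and an internal SOA MNAME becomes the first of them.
# Usage: publish_filter <public-ns> [<public-ns>...]
publish_filter() {
    [ $# -ge 1 ] || { echo "usage: publish_filter <public-ns>..." >&2; return 2; }
    awk -v suf=".$INTERNAL_SUFFIX" -v zone="$ZONE" -v pub="$*" '
        BEGIN { n = split(pub, ns, " ") }
        /^[[:space:]]*;/ || NF == 0 { print; next }          # comments and blank lines pass through
        {
            internal = 0
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/\.$/, "", f)
                if (length(f) > length(suf) && substr(f, length(f) - length(suf) + 1) == suf)
                    internal = 1
            }
            if (!internal) { print; next }
            if ($4 == "SOA") { $5 = ns[1] "."; print; next }  # keep the apex SOA with a public MNAME
            if ($4 == "NS" && !done) {                        # internal NS -> public NS set, emitted once
                for (i = 1; i <= n; i++) print zone ". 3600 IN NS " ns[i] "."
                done = 1
            }
            # any other record naming an internal host is dropped
        }'
}

# Dry run by default; "--apply add|del <fqdn> [token]" performs the authenticated update.
case "$1" in
    --apply) shift; apply_update "$@" ;;
    *) echo "# nsupdate batch that would be sent:"; acme_txt_update add "www.$ZONE" example-token
       echo "# public view of the sample zone:"; sample_zone | publish_filter ns1.example.net ns2.example.net ;;
esac
```

The preflight is the part worth copying: crtmgr's job only needs kinit for a few seconds, so an upgrade that removes krb5-client is invisible until the next renewal attempt, and a check that names the missing binary turns that into a loud, early failure. Using a private KRB5CCNAME for the job also keeps a leftover ticket from another user on the box from masking a broken kinit.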
Do we plan to get this out of MF DNS Servers?

On 2019-09-26 21:33, Thorsten B. wrote:
Hi all,

On 26.09.19 at 15:52, Karol Babioch wrote:
Hi all,
For - as to now - unclear reasons, "kinit" was missing on the machine responsible for this (crtmgr.infra.opensuse.org). Kerberos is needed in some script to update the DNS records needed for authorization.

Thanks for taking care, as I was unable to spare some time for this at the moment. I'm overwhelmed by a lot of new things and my ToDo list is just growing - especially the private one - so some hobbies such as openSUSE need to step back for a while.
Just to explain why kinit / Kerberos is needed there.
The public DNS setup of openSUSE is a bit of a mess, due to the domain being handled by the MF IT "Infoblox" network. For this reason, when we want to push our zone to the public world, we need to push it against special IP addresses of Micro Focus. As we decided to use infra.o.o for the internal addressing managed by FreeIPA, we need to clean this up somehow before we push the zone externally. So what happens is this.
crtmgr gets a Kerberos ticket (kinit needed) to identify as a DNS administrator against freeipa.infra.o.o, and uses "nsupdate -g" [1] to update the records in the FreeIPA zone.
Now we have a shiny FreeIPA zone for .opensuse.org containing all the TXT records we need for Let's Encrypt, but as name servers it contains (as is correct for the internal view) freeipa.infra.opensuse.org.
Because of this, there is a PowerDNS script running on chip? I guess it is chip, but I would need to double-check. This PowerDNS script watches the openSUSE.org zone from FreeIPA and gets triggered whenever there is a change. The only thing it does is run a small regex filter script in Ruby by darix that removes the .infra.o.o domain names from the .o.o zone file and pushes it with a notification to the MF name servers.
And *tada* we have a working zone file out there. How can you see this? Easy: compare the NS (name server) records of the zone you get on any machine in the infra.o.o network with the public .o.o zone. They differ in exactly the name servers, but both come from the same machine called FreeIPA, managed in the LDAP database and updated via crtmgr (at least for the TXT records for Let's Encrypt).
Easy, isn't it? :D
Remember to always have fun ...
[1] how "nsupdate -g" works: https://gist.github.com/genadipost/2d5eb75e0a46ca4e5ac756d640b2da5a
Best regards,
Thorsten
On 9/27/19 4:41 PM, Karol Babioch wrote:
On 27.09.19 at 10:39, Ricardo Klein wrote:
Do we plan to get this out of MF DNS Servers?
There is a project for this ongoing, and we are considering openSUSE for this migration ;-). Details are not yet decided upon/public.
I'd volunteer to set up PowerDNS with LDAP backend with several replicas for opensuse.org. (I'm still not familiar with salt though because I use ansible for my own stuff.)

Ciao, Michael.
Michael Ströder wrote:
On 9/27/19 4:41 PM, Karol Babioch wrote:
On 27.09.19 at 10:39, Ricardo Klein wrote:
Do we plan to get this out of MF DNS Servers?
There is a project for this ongoing, and we are considering openSUSE for this migration ;-). Details are not yet decided upon/public.
I'd volunteer to set up PowerDNS with LDAP backend with several replicas for opensuse.org.
Ditto, but BIND with mysql backends.

-- Per Jessen, Zürich (17.0°C) Member, openSUSE Heroes
participants (5)
- Karol Babioch
- Michael Ströder
- Per Jessen
- Ricardo Klein
- Thorsten B.