<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">We fell foul of this Ansible issue: <a href="https://github.com/ansible/ansible/issues/18996" class="">https://github.com/ansible/ansible/issues/18996</a><div class=""><br class=""></div><div class="">And now with a workaround our blog syndication is back up and running.</div><div class=""><br class=""></div><div class="">Thanks again,</div><div class="">Stig</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 21 Jun 2017, at 07:16, Stig Telfer <<a href="mailto:stig.openstack@telfer.org" class="">stig.openstack@telfer.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Thank you Jeremy, that is exactly what we needed to know.<br class=""><br class="">Much appreciated,<br class="">Stig<br class=""><br class=""><blockquote type="cite" class="">On 20 Jun 2017, at 19:06, Jeremy Stanley <<a href="mailto:fungi@yuggoth.org" class="">fungi@yuggoth.org</a>> wrote:<br class=""><br class="">On 2017-06-20 18:07:54 +0100 (+0100), Stig Telfer wrote:<br class=""><blockquote type="cite" class="">Can anyone help me with restoring our blog feed on<br class=""><a href="http://planet.openstack.org" class="">planet.openstack.org</a>?  Our blog ("StackHPC team blog") is not<br class="">getting syndicated.  In the <a href="http://planet.openstack.org" class="">planet.openstack.org</a> page source, it's<br class="">tagged with "internal server error" - is that something we can fix<br class="">or the result of a transient outage, or…?<br class=""></blockquote><br class="">It appears that planet is unable to connect to the HTTPS URL you've<br class="">supplied because <a href="https://www.stackhpc.com/" class="">https://www.stackhpc.com/</a> is using an X.509 cert<br class="">issued by "Let's Encrypt Authority X3" but is not supplying an<br class="">appropriate certificate chain up to a well-known authority trusted<br class="">by Ubuntu 16.04 (note some browsers, e.g. recent Firefox releases,<br class="">may include that cert directly in their trust set but many<br class="">command-line tools like wget/curl or other browsers still may not):<br class=""><br class="">   <a href="https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com" class="">https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com</a><br class=""><br class="">   "This server's certificate chain is incomplete."<br class=""><br class="">You likely need to configure your server to append the active<br class="">intermediate CA certificates linked at:<br class=""><br class="">   <a href="https://letsencrypt.org/certificates/" class="">https://letsencrypt.org/certificates/</a><br class=""><br class=""><blockquote type="cite" class="">It seems like there are 26 blog feeds currently in this state<br class="">(ours has been like it for a few weeks at least).<br class=""></blockquote><br class="">I haven't checked them all exhaustively (if someone wants to<br class="">volunteer to clean up the planet config I'm happy to supply a copy<br class="">of the log from the latest run to aid in that effort), but among the<br class="">many HTTP not-found, database/internal server error responses, DNS<br class="">no-such-host and TCP connection timeout failures I have also found a<br class="">few more with similar HTTPS misconfigurations (though none so far<br class="">with certs issued by the same CA as yours).<br class=""><br class=""><blockquote type="cite" class="">Is this a known issue, and what needs doing to fix it?<br class=""></blockquote><br class="">I would classify missing chain certs as a known issue, but one<br class="">you'll need to address on your end. Alternatively, you could switch<br class="">to using an http:// scheme in the planet config for your<br class="">syndication since you're apparently not unilaterally redirecting all<br class="">HTTP requests to HTTPS.<br class="">-- <br class="">Jeremy Stanley<br class="">_______________________________________________<br class="">OpenStack-Infra mailing list<br class=""><a href="mailto:OpenStack-Infra@lists.openstack.org" class="">OpenStack-Infra@lists.openstack.org</a><br class="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra<br class=""></blockquote><br class=""><br class="">_______________________________________________<br class="">OpenStack-Infra mailing list<br class=""><a href="mailto:OpenStack-Infra@lists.openstack.org" class="">OpenStack-Infra@lists.openstack.org</a><br class="">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra</div></div></blockquote></div><br class=""></div></body></html>