[OpenStack-Infra] Planet feed on the blink

Jeremy Stanley fungi at yuggoth.org
Tue Jun 20 18:06:56 UTC 2017


On 2017-06-20 18:07:54 +0100 (+0100), Stig Telfer wrote:
> Can anyone help me with restoring our blog feed on
> planet.openstack.org?  Our blog ("StackHPC team blog") is not
> getting syndicated.  In the planet.openstack.org page source, it's
> tagged with "internal server error" - is that something we can fix
> or the result of a transient outage, or…?

It appears that planet is unable to connect to the HTTPS URL you've
supplied because https://www.stackhpc.com/ is using an X.509 cert
issued by "Let's Encrypt Authority X3" but is not supplying an
appropriate certificate chain up to a well-known authority trusted
by Ubuntu 16.04 (note some browsers, e.g. recent Firefox releases,
may include that cert directly in their trust set but many
command-line tools like wget/curl or other browsers still may not):

    https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com

    "This server's certificate chain is incomplete."

You likely need to configure your server to append the active
intermediate CA certificates linked at:

    https://letsencrypt.org/certificates/

> It seems like there are 26 blog feeds currently in this state
> (ours has been like it for a few weeks at least).

I haven't checked them all exhaustively (if someone wants to
volunteer to clean up the planet config I'm happy to supply a copy
of the log from the latest run to aid in that effort), but among the
many HTTP not-found, database/internal server error responses, DNS
no-such-host and TCP connection timeout failures I have also found a
few more with similar HTTPS misconfigurations (though none so far
with certs issued by the same CA as yours).

> Is this a known issue, and what needs doing to fix it?

I would classify missing chain certs as a known issue, but one
you'll need to address on your end. Alternatively, you could switch
to using an http:// scheme in the planet config for your
syndication since you're apparently not unilaterally redirecting all
HTTP requests to HTTPS.
-- 
Jeremy Stanley
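
The incomplete-chain failure described above can be reproduced offline. This is an added example, not part of the original message, and it assumes the openssl command-line tool is installed. The CA names, the host name blog.example.test and the helper function names are invented for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (all names invented): root CA -> intermediate CA -> leaf.

# Create a key and CSR: new_csr <basename> <subject>
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "$2" 2>/dev/null
}

# Build the three certificates plus the bundle a correctly configured server sends.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:blog.example.test\n' > "$d/leaf.ext"
    new_csr "$d/root" "/CN=Demo Root CA" &&
    new_csr "$d/int" "/CN=Demo Intermediate CA" &&
    new_csr "$d/leaf" "/CN=blog.example.test" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# chain_status <trusted-root> <served-bundle>
# The first certificate in the bundle is the leaf; the whole bundle is also
# offered as untrusted helpers, which is how a TLS client treats what the
# server sends. Only the root is trusted, as in a stock client trust store.
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; then
        echo complete
    else
        echo incomplete
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "server sends leaf only:           $(chain_status "$demo/root.pem" "$demo/leaf.pem")"
echo "server sends leaf + intermediate: $(chain_status "$demo/root.pem" "$demo/fullchain.pem")"
rm -rf "$demo"
```

The fullchain.pem file built here (leaf first, intermediate appended) is the shape of bundle a server needs to present so that clients trusting only the root can build the path.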