[OpenStack-Infra] Planet feed on the blink

Stig Telfer stig.openstack at telfer.org
Wed Jun 21 06:16:44 UTC 2017 

Thank you Jeremy, that is exactly what we needed to know.

Much appreciated,
Stig

> On 20 Jun 2017, at 19:06, Jeremy Stanley <fungi at yuggoth.org> wrote:
> 
> On 2017-06-20 18:07:54 +0100 (+0100), Stig Telfer wrote:
>> Can anyone help me with restoring our blog feed on
>> planet.openstack.org?  Our blog ("StackHPC team blog") is not
>> getting syndicated.  In the planet.openstack.org page source, it's
>> tagged with "internal server error" - is that something we can fix
>> or the result of a transient outage, or…?
> 
> It appears that planet is unable to connect to the HTTPS URL you've
> supplied because https://www.stackhpc.com/ is using an X.509 cert
> issued by "Let's Encrypt Authority X3" but is not supplying an
> appropriate certificate chain up to a well-known authority trusted
> by Ubuntu 16.04 (note some browsers, e.g. recent Firefox releases,
> may include that cert directly in their trust set but many
> command-line tools like wget/curl or other browsers still may not):
> 
>    https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com
> 
>    "This server's certificate chain is incomplete."
> 
> You likely need to configure your server to append the active
> intermediate CA certificates linked at:
> 
>    https://letsencrypt.org/certificates/
> 
>> It seems like there are 26 blog feeds currently in this state
>> (ours has been like it for a few weeks at least).
> 
> I haven't checked them all exhaustively (if someone wants to
> volunteer to clean up the planet config I'm happy to supply a copy
> of the log from the latest run to aid in that effort), but among the
> many HTTP not-found, database/internal server error responses, DNS
> no-such-host and TCP connection timeout failures I have also found a
> few more with similar HTTPS misconfigurations (though none so far
> with certs issued by the same CA as yours).
> 
>> Is this a known issue, and what needs doing to fix it?
> 
> I would classify missing chain certs as a known issue, but one
> you'll need to address on your end. Alternatively, you could switch
> to using an http:// scheme in the planet config for your
> syndication since you're apparently not unilaterally redirecting all
> HTTP requests to HTTPS.
> -- 
> Jeremy Stanley
> _______________________________________________
> OpenStack-Infra mailing list
> OpenStack-Infra at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra

More information about the OpenStack-Infra mailing list