x/build/vcs-test,x/net/http2/h2demo: certificate is expiring #47108

Closed
FiloSottile opened this issue Jul 9, 2021 · 9 comments
@FiloSottile

The vcs-test.golang.org certificate will expire on July 16th, which suggests renewal is failing.

The most likely reason is that it might be built with an old version of x/crypto/acme/autocert which still uses ACMEv1, which Let's Encrypt recently turned off. In that case we should look into why we didn't get any emails from Let's Encrypt.

Regardless, we maybe should have alerts for expiring certificates and for error logs.

/cc @golang/release

@FiloSottile FiloSottile added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) labels Jul 9, 2021
@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Jul 9, 2021
@gopherbot gopherbot added this to the Unreleased milestone Jul 9, 2021
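
The expiry alert suggested in the opening comment can be reduced to one comparison: a certificate that still has less validity left than the renewal window means renewal is failing. The sketch below is an added example, not code from the issue thread or the Go project; it assumes autocert's documented default of renewing 30 days before expiry, and `Classify`, `sampleCert` and the host name `vcs-test.example` are hypothetical names with constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const renewBefore = 30 * 24 * time.Hour // assumption: autocert's default renewal window
const OK, RenewalOverdue, Expired = "ok", "renewal-overdue", "expired"

// Classify compares the time left on cert with the renewal window.
func Classify(cert *x509.Certificate, now time.Time, window time.Duration) (string, time.Duration) {
	left := cert.NotAfter.Sub(now)
	switch {
	case left <= 0:
		return Expired, left
	case left < window: // a working renewer would already have replaced this cert
		return RenewalOverdue, left
	}
	return OK, left
}

// sampleCert returns a constructed self-signed certificate (hypothetical helper, sample data).
func sampleCert(name string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2021, 7, 9, 0, 0, 0, 0, time.UTC) // the day the issue was opened
	cert, err := sampleCert("vcs-test.example", now.AddDate(0, 0, -83), now.AddDate(0, 0, 7))
	if err != nil {
		panic(err)
	}
	fmt.Println(Classify(cert, now, renewBefore))
}
```

In a monitor, the certificate would come from the served chain (for example the first entry of `tls.ConnectionState.PeerCertificates`) rather than from `sampleCert`.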
@dmitshur

dmitshur commented Jul 9, 2021

Thanks for catching this.

> In that case we should look into why we didn't get any emails from Let's Encrypt.

I believe it's because the autocert.Manager.Email field is simply unset. We should find an email address to use for this, and set it.

@heschi heschi self-assigned this Jul 14, 2021
@gopherbot

Change https://golang.org/cl/334532 mentions this issue: vcs-test/vcweb: add Autocert notification email

@heschi heschi removed the Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) label Jul 14, 2021
@heschi

heschi commented Jul 14, 2021

Redeploying vcs-test fixed the problem; it was ~2 years old. Leaving this open to track adding the email.

@heschi

heschi commented Jul 14, 2021

@FiloSottile do you happen to know how to get the email address change to take effect? Autocert doesn't support explicit account updates from what I could see. If I blow away the cache directory and the private key along with it, does that mean a new account will be created with the email associated? I don't want to burn a ton of time preventing a problem that might at worst cause us a little bit of annoyance in a few years.

@FiloSottile

@heschi Yeah, you can blow away the cache and let it re-register.

@FiloSottile

http2.golang.org also has expired. It probably needs redeploying as well.

@heschi

heschi commented Jul 15, 2021

Right you are. Done. (No email there either yet.)

@heschi heschi changed the title x/build/vcs-test: certificate is expiring x/build/vcs-test,x/net/http2/h2demo: certificate is expiring Jul 15, 2021
@gopherbot

Change https://golang.org/cl/334929 mentions this issue: http2/h2demo: add Autocert notification email

gopherbot pushed a commit to golang/net that referenced this issue Jul 16, 2021
Add golang-dev as the Autocert notification email so Let's Encrypt can
send us emails. golang-dev is not an ideal choice, but we need something
publicly accessible and there isn't an obvious better option. My
understanding is we should expect essentially no emails so I don't want
to worry too much about it.

Updates golang/go#47108.

Change-Id: Ic3b5b7554d516ea2840bb56499eb3b8f35bf2304
Reviewed-on: https://go-review.googlesource.com/c/net/+/334929
Trust: Heschi Kreinick <heschi@google.com>
Run-TryBot: Heschi Kreinick <heschi@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit to golang/build that referenced this issue Jul 16, 2021
Add golang-dev as the Autocert notification email so Let's Encrypt can
send us emails. golang-dev is not an ideal choice, but we need something
publicly accessible and there isn't an obvious better option. My
understanding is we should expect essentially no emails so I don't want
to worry too much about it.

Updates golang/go#47108.

Change-Id: I22951984e0d48a59787d110b9cef32cbe3d9bc4a
Reviewed-on: https://go-review.googlesource.com/c/build/+/334532
Trust: Heschi Kreinick <heschi@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@heschi

heschi commented Jul 16, 2021

I've reregistered h2demo and vcs-test. Hopefully that does it. I don't see an easy way to view account details using autocert.

@heschi heschi closed this as completed Jul 16, 2021
dteh pushed a commit to dteh/fhttp that referenced this issue Jun 22, 2022
@rsc rsc unassigned heschi Jun 23, 2022
@heschi heschi moved this to Done in Go Release Sep 27, 2022
@golang golang locked and limited conversation to collaborators Jun 23, 2023