OSC getting lots of SSL_CERT CRITICAL errors looking for SCT
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
charm-openstack-service-checks | Fix Released | Undecided | Chi Wai CHAN | |
Bug Description
I have deployed latest/edge (e8a92c1) to work around another issue and now I have tons of SSL errors in Nagios such as:
SSL_CERT CRITICAL aodh.os.internal: Cannot find Signed Certificate Timestamps(SCT)
I'm using vault issued certificates and, as I understand it, there will never be any SCT for certificates issued by vault nor self-signed certificates. I think it makes sense to ignore sct by default.
We can do this by adding --ignore-sct to the _render_
Additionally, when the check_ssl_cert check script was added, it changed how the check_http script is generated. Previously, if the endpoint was https, the check_http config was re-written to have the -S but now, instead of overwriting the check_http config, we add a new check_ssl_cert config. This leaves behind the check_http config which will fail because it's trying to make an http connection to an https port. This causes one of the two alerts in Nagios:
HTTP WARNING: HTTP/1.1 400 Bad Request - 628 bytes in 0.206 second response time
HTTP CRITICAL - Invalid HTTP response received from host on port 9312: HTTP/1.1 400 Bad Request
I think the code around lines 780 to 820 of lib_openstack_
The attached patch is an example fix for both these issues.
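Added example, not the charm's code and not the attached patch: a sketch of the per-endpoint check rendering this report describes. The helper names `render_checks` and `stale_plain_http` are hypothetical, and the endpoint URLs, ports and paths are constructed. For an https endpoint it emits `check_http` with `-S` next to `check_ssl_cert` with `--ignore-sct`, and it flags any plain `check_http` left pointing at a TLS port.

```python
from urllib.parse import urlsplit

# Constructed sample endpoints; ports and paths are illustrative only.
SAMPLE_ENDPOINTS = {
    "aodh_internal": "https://aodh.os.internal:8042/healthcheck",
    "glance_internal": "http://glance.os.internal:9292/healthcheck",
}


def render_checks(name, url, ignore_sct=True):
    """Return {check_name: argv} for one endpoint (hypothetical helper)."""
    parts = urlsplit(url)
    tls = parts.scheme == "https"
    port = parts.port or (443 if tls else 80)
    http = ["check_http", "-H", parts.hostname, "-p", str(port),
            "-u", parts.path or "/"]
    checks = {}
    if tls:
        # The plain-HTTP probe must become a TLS probe, not stay behind:
        # speaking HTTP to a TLS port is what yields "400 Bad Request".
        http.append("-S")
        cert = ["check_ssl_cert", "-H", parts.hostname, "-p", str(port)]
        if ignore_sct:
            # Private-CA (e.g. Vault) and self-signed certs carry no SCTs.
            cert.append("--ignore-sct")
        checks[f"{name}_cert"] = cert
    checks[name] = http
    return checks


def stale_plain_http(checks_by_url):
    """Flag check_http commands aimed at an https endpoint without -S."""
    bad = []
    for url, checks in checks_by_url.items():
        if urlsplit(url).scheme != "https":
            continue
        for cname, argv in checks.items():
            if argv[0] == "check_http" and "-S" not in argv:
                bad.append(cname)
    return bad
```

Running `stale_plain_http` over the rendered check set before it is written out catches the leftover-config case without waiting for Nagios to alert.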
Related branches
- 🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
- Erhan Sunar (community): Approve
- Eric Chen: Approve
- BootStack Reviewers: Pending requested
- Diff: 112 lines (+34/-25), 2 files modified
  - src/lib/lib_openstack_service_checks.py (+28/-21)
  - src/tests/unit/test_lib.py (+6/-4)

- Eric Chen: Approve
- 🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
- Robert Gildein: Approve
- Erhan Sunar (community): Approve
- BootStack Reviewers: Pending requested
- Diff: 80 lines (+14/-5), 2 files modified
  - src/lib/lib_openstack_service_checks.py (+8/-1)
  - src/tests/unit/test_lib.py (+6/-4)
tags: added: bseng-546
Changed in charm-openstack-service-checks:
assignee: nobody → Chi Wai CHAN (raychan96)
Changed in charm-openstack-service-checks:
status: New → In Progress
Changed in charm-openstack-service-checks:
status: In Progress → Fix Committed
Changed in charm-openstack-service-checks:
milestone: none → 23.01
Changed in charm-openstack-service-checks:
status: Fix Committed → Fix Released
I looked at the two merge requests. They look like good solutions to me.
Apologies for double-loading two issues in one bug.