2016-12-22 Jenkins SSL Expired
- Graham O'Regan (Unlicensed)
Owned by Graham O'Regan (Unlicensed)
22 Dec 2016
Loading data...
| Date |
|
| Authors | Grante Marshall (Unlicensed) Graham O'Regan (Unlicensed) |
| Status | Complete |
| Summary | The LetsEncrypt SSL certificate expired |
| Impact | developers were unable to access Jenkins |
Root Cause
The LetsEncrypt certificates had expired because the renewal hadn't been automated.
Trigger
The expiry date of the certs was reached.
Resolution
The certs were manually renewed using the following process;
- Login to the VM
run the following command:
$ sudo letsencrypt renew Processing /etc/letsencrypt/renewal/build-hee.transformcloud.net.conf 2016-12-22 10:24:10,890:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/build-hee.transformcloud.net.conf produced an unexpected error: Failed authorization procedure.dev-api.transformcloud.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for dev-api.transformcloud.net. Skipping.
Check that the new certs have been created check the following directory for new entries;
$ sudo ls -la /etc/letsencrypt/archive/
Restart the webserver
$ sudo systemctl restart apache2.service
Detection
The team recieved warnings when trying to view Jenkins.
Action Items
| Action Item | Type | Owner | Issue |
|---|---|---|---|
| Certs were renewed manually | mitigate | Grante Marshall (Unlicensed) |
Timeline
- 10:30 Grante Marshall (Unlicensed) noticed that Jekins cert weren't working
- 10:39 Grante Marshall (Unlicensed) ran the update command but hit issues with the fact that we had certs for an invalid domain as we are no longer using dev-api.transformcloud.net
Supporting Information
None
Slack: https://hee-nhs-tis.slack.com/
Jira issues: https://hee-tis.atlassian.net/issues/?filter=14213