Opened 3 years ago

Closed 3 years ago

#25233 closed defect (fixed)

weschniakowii shows old certificate for ooni.tpo in ~1/6 cases

Reported by: darkk Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Our prometheus instance alerted that ooni.tpo certificate expires in less than 25 days. Seems, one of httpd workers at weschniakowii (2001:6b0:5a:5000::5, is stuck with old certificate.

Majority of probes see new certificate with Not Before 2018-02-02T00:37:31Z, but ~1/6 of probes see old one with Not Before 2017-12-04T00:40:56Z that expires in couple of weeks.

The issue is observable both with IPv4 and IPv6.

Please, restart the worker before cert expires :-) Also, it may be interesting to understand the reason for worker to spend week and a half in "graceful restart" mode. Maybe that's some bug or something like slowloris attack going on.

Child Tickets

Change History (1)

comment:1 Changed 3 years ago by weasel

Resolution: fixed
Status: newclosed

Good catch. Apache has been restarted.

Note: See TracTickets for help on using tickets.