Thank you Jeremy, that is exactly what we needed to know. Much appreciated, Stig
> On 20 Jun 2017, at 19:06, Jeremy Stanley <[email protected]> wrote: > > On 2017-06-20 18:07:54 +0100 (+0100), Stig Telfer wrote: >> Can anyone help me with restoring our blog feed on >> planet.openstack.org? Our blog ("StackHPC team blog") is not >> getting syndicated. In the planet.openstack.org page source, it's >> tagged with "internal server error" - is that something we can fix >> or the result of a transient outage, or…? > > It appears that planet is unable to connect to the HTTPS URL you've > supplied because https://www.stackhpc.com/ is using an X.509 cert > issued by "Let's Encrypt Authority X3" but is not supplying an > appropriate certificate chain up to a well-known authority trusted > by Ubuntu 16.04 (note some browsers, e.g. recent Firefox releases, > may include that cert directly in their trust set but many > command-line tools like wget/curl or other browsers still may not): > > https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com > > "This server's certificate chain is incomplete." > > You likely need to configure your server to append the active > intermediate CA certificates linked at: > > https://letsencrypt.org/certificates/ > >> It seems like there are 26 blog feeds currently in this state >> (ours has been like it for a few weeks at least). > > I haven't checked them all exhaustively (if someone wants to > volunteer to clean up the planet config I'm happy to supply a copy > of the log from the latest run to aid in that effort), but among the > many HTTP not-found, database/internal server error responses, DNS > no-such-host and TCP connection timeout failures I have also found a > few more with similar HTTPS misconfigurations (though none so far > with certs issued by the same CA as yours). > >> Is this a known issue, and what needs doing to fix it? > > I would classify missing chain certs as a known issue, but one > you'll need to address on your end. Alternatively, you could switch > to using an http:// scheme in the planet config for your > syndication since you're apparently not unilaterally redirecting all > HTTP requests to HTTPS. > -- > Jeremy Stanley > _______________________________________________ > OpenStack-Infra mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra _______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
