We fell foul of this Ansible issue: https://github.com/ansible/ansible/issues/18996 <https://github.com/ansible/ansible/issues/18996>
And now with a workaround our blog syndication is back up and running. Thanks again, Stig > On 21 Jun 2017, at 07:16, Stig Telfer <[email protected]> wrote: > > Thank you Jeremy, that is exactly what we needed to know. > > Much appreciated, > Stig > >> On 20 Jun 2017, at 19:06, Jeremy Stanley <[email protected]> wrote: >> >> On 2017-06-20 18:07:54 +0100 (+0100), Stig Telfer wrote: >>> Can anyone help me with restoring our blog feed on >>> planet.openstack.org? Our blog ("StackHPC team blog") is not >>> getting syndicated. In the planet.openstack.org page source, it's >>> tagged with "internal server error" - is that something we can fix >>> or the result of a transient outage, or…? >> >> It appears that planet is unable to connect to the HTTPS URL you've >> supplied because https://www.stackhpc.com/ is using an X.509 cert >> issued by "Let's Encrypt Authority X3" but is not supplying an >> appropriate certificate chain up to a well-known authority trusted >> by Ubuntu 16.04 (note some browsers, e.g. recent Firefox releases, >> may include that cert directly in their trust set but many >> command-line tools like wget/curl or other browsers still may not): >> >> https://www.ssllabs.com/ssltest/analyze.html?d=www.stackhpc.com >> >> "This server's certificate chain is incomplete." >> >> You likely need to configure your server to append the active >> intermediate CA certificates linked at: >> >> https://letsencrypt.org/certificates/ >> >>> It seems like there are 26 blog feeds currently in this state >>> (ours has been like it for a few weeks at least). >> >> I haven't checked them all exhaustively (if someone wants to >> volunteer to clean up the planet config I'm happy to supply a copy >> of the log from the latest run to aid in that effort), but among the >> many HTTP not-found, database/internal server error responses, DNS >> no-such-host and TCP connection timeout failures I have also found a >> few more with similar HTTPS misconfigurations (though none so far >> with certs issued by the same CA as yours). >> >>> Is this a known issue, and what needs doing to fix it? >> >> I would classify missing chain certs as a known issue, but one >> you'll need to address on your end. Alternatively, you could switch >> to using an http:// scheme in the planet config for your >> syndication since you're apparently not unilaterally redirecting all >> HTTP requests to HTTPS. >> -- >> Jeremy Stanley >> _______________________________________________ >> OpenStack-Infra mailing list >> [email protected] >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra > > > _______________________________________________ > OpenStack-Infra mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
_______________________________________________ OpenStack-Infra mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
