SSL certificate on ci.jenkins.io and assets.ci.jenkins.io expires 28 Mar 2024

[MarkEWaite]

Service(s)

ci.jenkins.io

Summary

The https://ci.jenkins.io SSL certificate expires 28 Mar 2024 (10 days from now).

Reproduction steps

1. Open https://ci.jenkins.io in a web browser
2. Open the connection properties for the newly opened page
3. Open the SSL certificate details and see that the SSL certificate expires 28 Mar 2024

[dduportal]

Logs on the machine (/var/log/certbot-renew-all.log as per the root's crotnab) shows the following failure:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ci.jenkins.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate ci.jenkins.io with error: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['controller.internal.cloudapp.net@2024-01-25T09:41:49Z (f920)', 'controller.internal.cloudapp.net@2023-07-04T14:24:49Z (5a32)']

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/assets.ci.jenkins.io/fullchain.pem (failure)
  /etc/letsencrypt/live/ci.jenkins.io/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

[dduportal]

Dry run works though, when triggered manually:

/usr/local/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/assets.ci.jenkins.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for assets.ci.jenkins.io

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ci.jenkins.io.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for ci.jenkins.io

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/assets.ci.jenkins.io/fullchain.pem (success)
  /etc/letsencrypt/live/ci.jenkins.io/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[dduportal]

Found the issue:

• Migrate ci.jenkins.io to the sponsored subscription #3913 migrated the ci.jenkins.io VM, which created a new "Lets Encrypt" account with the new VM's hostname
• Same issue as SSL certificate for ci.jenkins.io expires in 23 days #3740 (comment): there were 2 accounts
• Removed the older one and forced-renew the certificate: It now shows 16 June 2024 as expiration date.

[dduportal]

Thanks @MarkEWaite for raising this issue!

I'll now close it as it is fixed, and we'll discuss potential follow ups: most probably the upgrade to puppet 7/8 will allows us to use a letsencrypt module without this issue (or changing provisioning system)
=> we could also improve our monitoring