Incorrect cert on www-demo[1-5].allizom.org #1134

Closed
jgmize opened this issue Jul 8, 2019 · 1 comment

@jgmize
Member

commented Jul 8, 2019

Current cert: arn:aws:acm:us-west-2:236517346949:certificate/657b1ca0-8c09-4add-90a2-1243470a6b4
Previous (correct) cert: arn:aws:acm:us-west-2:236517346949:certificate/3865bd6b-c6e2-4c8b-b68d-45cf7ef0b455

@jgmize jgmize self-assigned this Jul 8, 2019

@jgmize

Member Author

commented Jul 8, 2019

This was an issue where the ELB in question was originally created and managed by k8s, but then updated via AWS directly without updating the corresponding configuration in k8s.

$ kubectl get svc deis-router -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    dns.alpha.kubernetes.io/external: '*.oregon-b.moz.works'
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "1200"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:236517346949:certificate/657b1ca0-8c09-4add-90a2-1243470a6b45
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
  creationTimestamp: 2018-01-17T18:17:52Z
  labels:
    heritage: deis
  name: deis-router
  namespace: deis
  resourceVersion: "11925"
  selfLink: /api/v1/namespaces/deis/services/deis-router
  uid: bb45ebd7-fbb2-11e7-8853-0656fabf84c0
spec:
  clusterIP: 100.71.18.48
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 31094
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 32530
    port: 443
    protocol: TCP
    targetPort: 8080
  - name: builder
    nodePort: 32418
    port: 2222
    protocol: TCP
    targetPort: 2222
  - name: healthz
    nodePort: 32413
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    app: deis-router
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: abb45ebd7fbb211e788530656fabf84c-1648510620.us-west-2.elb.amazonaws.com

I fixed the line service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:236517346949:certificate/657b1ca0-8c09-4add-90a2-1243470a6b45 above, changing the cert arn to arn:aws:acm:us-west-2:236517346949:certificate/3865bd6b-c6e2-4c8b-b68d-45cf7ef0b455

@jgmize jgmize closed this Jul 8, 2019

@metadave metadave added this to In progress (limit 12) in MozMEAO backend/infra Jul 15, 2019

@metadave metadave moved this from In progress (limit 12) to Complete in MozMEAO backend/infra Jul 15, 2019
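
A check for the kind of drift described in the comment above, added here as an example and not part of the original issue or the project's code: it compares the Service's ssl-cert annotation with the certificate on the matching classic ELB's TLS listeners. The ARNs, ELB name and JSON inputs are constructed placeholders shaped like `kubectl get svc -o json` and `aws elb describe-load-balancers` output.

```python
"""Compare a Service's ssl-cert annotation with the cert on its classic ELB listeners."""

CERT_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"

# Constructed placeholder values (not the ARNs or hostname from the issue).
ARN_IN_K8S = "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE-IN-K8S"
ARN_ON_ELB = "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE-ON-ELB"
ELB_DNS = "constructed-elb-0000000000.us-west-2.elb.amazonaws.com"

def sample_service(cert_arn):
    """Constructed stand-in for `kubectl get svc deis-router -o json`."""
    return {
        "metadata": {"name": "deis-router", "annotations": {CERT_ANNOTATION: cert_arn}},
        "status": {"loadBalancer": {"ingress": [{"hostname": ELB_DNS}]}},
    }

# Constructed stand-in for `aws elb describe-load-balancers` output.
SAMPLE_ELBS = {"LoadBalancerDescriptions": [{
    "LoadBalancerName": "constructed-elb",
    "DNSName": ELB_DNS,
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 80}},
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443, "SSLCertificateId": ARN_ON_ELB}},
    ],
}]}

def cert_drift(svc, elbs):
    """Return (elb_name, port, annotated_arn, listener_arn) per mismatched TLS listener."""
    wanted = svc["metadata"].get("annotations", {}).get(CERT_ANNOTATION)
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    hostnames = {i["hostname"].lower() for i in ingress if i.get("hostname")}
    matched = [lb for lb in elbs["LoadBalancerDescriptions"]
               if lb["DNSName"].lower() in hostnames]
    if not matched:
        # An unmatched Service is itself worth investigating, so fail loudly.
        raise LookupError("no ELB matches the Service's ingress hostname")
    findings = []
    for lb in matched:
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue  # plain TCP/HTTP listeners carry no certificate
            actual = listener.get("SSLCertificateId")
            if actual != wanted:
                findings.append((lb["LoadBalancerName"], listener["LoadBalancerPort"], wanted, actual))
    return findings

if __name__ == "__main__":
    for finding in cert_drift(sample_service(ARN_IN_K8S), SAMPLE_ELBS):
        print("DRIFT elb=%s port=%s annotation=%s listener=%s" % finding)
```

Run on a schedule against real command output, a non-empty result shows that one side was changed without the other before the next reconcile or redeploy swaps the served certificate.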
