=== Laney is now known as Guest13167 | ||
Mikaela | Hi, is it known issue that Launchpad cannot import repositories through CloudFlare (SSL)? | 11:23 |
---|---|---|
Mikaela | https://code.launchpad.net/~progval/limnoria/testing imports from https://git.mikaela.info/Limnoria.git and import fails with error "bzrlib.errors.CertificateError: Certificate error: hostname 'git.mikaela.info' doesn't match either of 'ssl2000.cloudflare.com', 'cloudflare.com', '*.cloudflare.com'" while the certificate is valid for *.mikaela.info https://paste.mikaela.info/view/b70bcadd#L56 (in Finnish | 11:23 |
Mikaela | sorry) | 11:23 |
wgrant_ | Mikaela: That error is correct; you can reproduce it in a browser. | 11:31 |
=== wgrant_ is now known as wgrant | ||
wgrant | Mikaela: The certificate presented by CloudFlare doesn't match the hostname. | 11:32 |
Mikaela | wgrant: I am unable to reproduce it in browser while CloudFlare is enabled, it's currently temporarily disabled | 11:32 |
Mikaela | enabled again, should start going through cloudflare in 5 minutes | 11:32 |
Mikaela | wgrant: paste.mikaela.info should have same certificate, are you able to reproduce this error there? | 11:33 |
wgrant | Mikaela: paste.mikaela.info works. | 11:37 |
Mikaela | git.mikaela.info should have no issues either and Chrome here doesn't complain. I can also try other browser | 11:37 |
wgrant | Ah, works now. | 11:37 |
wgrant | I suspect CloudFlare replication latency. | 11:38 |
Mikaela | https://launchpadlibrarian.net/193888435/progval-limnoria-testing.log is still failing though | 11:39 |
Mikaela | bzrlib.errors.CertificateError: Certificate error: hostname 'git.mikaela.info' doesn't match either of 'ssl2000.cloudflare.com', 'cloudflare.com', '*.cloudflare.com' | 11:39 |
wgrant | Sure, it works from a node in what looks like Sydney. | 11:39 |
wgrant | I presume they document the worst-case certificate replication times somewhere. | 11:39 |
Mikaela | So it should start working after that certificate is replicated? | 11:39 |
wgrant | Remember that CloudFlare has numerous frontends all over the world, and they won't all update instantly when you change the configuration. | 11:40 |
wgrant | Hm, where did that branch go? | 11:40 |
Mikaela | I am just wondering why that error message doesn't list all domains, it looks like it has the same certificate | 11:40 |
wgrant | The certificate that was presented by CloudFlare was for just those three domains. | 11:41 |
Mikaela | Launchpad https://code.launchpad.net/~progval/limnoria/testing and it goes to https://git.mikaela.info/Limnoria.git/ | 11:41 |
wgrant | That would have been from a CloudFlare node in London somewhere, which presumably doesn't have the certificate yet. | 11:41 |
Mikaela | weird, you should see more certificates in the web browser | 11:41 |
wgrant | *I* do. | 11:41 |
wgrant | I'm not in Launchpad's datacentre. | 11:41 |
wgrant | You need to wait for the certificate to replicate throughout CloudFlare's infrastructure. | 11:41 |
Mikaela | From what I see in my web browser, that certificate was issued in 2014-10-02 and expires 2015-10-01 | 11:42 |
Mikaela | it's now using http | 11:42 |
Mikaela | and now it cannot find the branch | 11:43 |
wgrant | When did you create that vhost on CloudFlare? | 11:47 |
Mikaela | 13:15+0200 | 11:47 |
Mikaela | and now I disabled it again as it's using http and I don't have valid certificate. | 11:48 |
wgrant | What does CloudFlare say about normal replication delays? | 11:48 |
Mikaela | or if you mean mikaela.info (the certificate is valid for *.mikaela.info), that was probably early 2014 | 11:48 |
wgrant | Anyway, this isn't a Launchpad problem. Once CloudFlare becomes consistent it will all work. | 11:48 |
wgrant | The creation date of the certificate isn't relevant. What matters is when the configuration for that vhost on CloudFlare changed. | 11:49 |
Mikaela | I am unable to find any delays documented | 11:49 |
Mikaela | even if the certificate is for *.mikaela.info not git.mikaela.info? | 11:49 |
wgrant | If a CloudFlare server in London doesn't know that git.mikaela.info exists, it's not going to know to return that certificate for it. | 11:49 |
Mikaela | I actually happen to have VPS in London and I can check what it returns | 11:50 |
Mikaela | it reports self signed certificate so disabling cloudflare probably has propagated or if it's what you think it was never enabled there | 11:52 |
wgrant | Enabling/disabling CloudFlare would presumably incur DNS cache timeouts. | 11:53 |
Mikaela | This current error is even more unclear to me https://launchpadlibrarian.net/193889024/progval-limnoria-testing.log | 11:53 |
Mikaela | https://www.whatsmydns.net/#A/git.mikaela.info appears to say that London nameserver finds nothing | 11:53 |
wgrant | That's *probably* a 404, but it's difficult to say. | 11:53 |
Mikaela | but as that nameserver doesn't find google.fi either, I wouldn't rely on it | 11:54 |
wgrant | I'd configure CloudFlare how you want it, wait an hour or so, and try the HTTPS URL again. | 11:54 |
Mikaela | Thanks, I will try that now | 11:54 |
wgrant | Always remember that services like CloudFlare are eventually consistent | 11:54 |
wgrant | You can't atomically update servers across the world like that. | 11:54 |
Mikaela | It has been surprisingly fast around the world and Launchpad is the only place where I have had any issues using it | 11:55 |
wgrant | Perhaps certificates replicate more slowly. | 11:55 |
Mikaela | probably possible, I am trying again in hour | 11:56 |
Mikaela | which seems to be 15+0200 | 11:56 |
Mikaela | in case you are interested, diral.mikaela.info which is VPS on DigitalOcean London 1 datacenter is currently receiving valid certificate | 11:57 |
Mikaela | when curling git.mikaela.info | 11:58 |
wgrant | None of my London hosts on unrelated networks are seeing a valid cert yet. | 11:59 |
wgrant | Mikaela: Oh, the "No branch found at location" is because there's no git smart HTTP server at that URL. | 12:01 |
wgrant | Only the long-deprecated dumb HTTP protocol. | 12:01 |
wgrant | http://git-scm.com/book/be/v2/Git-on-the-Server-Smart-HTTP | 12:02 |
wgrant | We removed support for git over dumb HTTP several years ago. | 12:02 |
Mikaela | I see, I will now also start investigating that | 12:03 |
wgrant | (it's deprecated for a reason, too -- pulls over the dumb protocols are terrifyingly slow) | 12:03 |
Mikaela | I hope this also exists for nginx as I am not going to learn Apache | 12:04 |
Mikaela | it does | 12:04 |
=== Guest13167 is now known as Laney | ||
=== seelaman` is now known as seelaman | ||
candrea | hey there -- this user https://bugs.launchpad.net/~gamal-m-oha-med122000 has started creating some bug reports containing spam, could you please stop him? | 16:45 |
=== yofel_ is now known as yofel | ||
=== lifeless_ is now known as lifeless |