Bug 1389791 - d.g.o ssl is broken
Status: CLOSED CURRENTRELEASE
Product: GlusterFS
Classification: Community
Component: project-infrastructure
Version: mainline
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Assignee: bugs@gluster.org
Reported: 2016-10-28 16:20 UTC by Joe Julian
Modified: 2016-11-04 09:01 UTC (History)
Last Closed: 2016-11-04 09:01:45 UTC

Description Joe Julian 2016-10-28 16:20:29 UTC
$ openssl s_client -connect download.gluster.org:443       
CONNECTED(00000003)
140333208389272:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1477671433
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

$ curl -D - -v https://download.gluster.org
* Rebuilt URL to: https://download.gluster.org/
*   Trying 23.253.208.221...
* TCP_NODELAY set
* Connected to download.gluster.org (23.253.208.221) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Comment 1 Nigel Babu 2016-11-03 02:07:50 UTC
I'm not able to reproduce this error. Joe, are you still seeing this?

Comment 2 Joe Julian 2016-11-03 02:12:14 UTC
Kaleb restarted Apache and misc found (and I believe fixed) an Ansible bug that prevented it from restarting Apache.

Comment 3 M. Scherer 2016-11-04 09:01:45 UTC
So the issue was that we made some changes to Apache (like various refactoring of the configuration file). This got applied in production and should have resulted in an Apache restart. However, due to https://github.com/ansible/ansible-modules-core/pull/4777 and due to us using a specific transport, the playbook was silently failing at the step "restart httpd", which then, for an unknown reason, was in some weird state.

Short term solution:
Restart apache.

Mid term: we have to wait for ansible 2.2, which got released this week, and/or a backport of the bug fix. Both should happen soon (and automatically), so I suspect


Long term, we need to:
- lack of reporting on ansible side (which is on my todolist)
- lack of monitoring (also on todo list)

Both would have permitted a faster turn around.

Also, managing to not schedule conferences for me while Nigel is out on PTO would be better, but I can't ask the organiser, nor can I ask India to change their dates.
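
Comment 3 names missing monitoring as a long-term gap. As an added example (not part of this bug thread and not the Gluster infrastructure's own code), a minimal external check can tell a closed port apart from one that accepts TCP but cannot complete a TLS handshake, which is the failure shown in the description. The function names and the local listener that answers with 7 non-TLS bytes are constructed for illustration.

```python
import socket
import ssl
import threading


def check_https(host, port=443, timeout=5.0):
    """Return (status, detail); status is ok, tcp_down, cert_invalid or tls_broken."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_down", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert_invalid", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # The port accepted the connection but no handshake completed:
        # the "unknown protocol" case from the description above.
        return ("tls_broken", str(exc))
    finally:
        raw.close()  # harmless if wrap_socket already took over the descriptor


def start_non_tls_listener(reply=b"not-tls"):
    """Constructed stand-in for a broken server: replies with 7 non-TLS bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)      # swallow the ClientHello
        conn.sendall(reply)  # answer with bytes that are not a TLS record
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_non_tls_listener()
    print(check_https("127.0.0.1", port))  # constructed local target
```

Alerting on `tls_broken` separately from `tcp_down` matters here because the listener was still accepting connections while the service was unusable.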

