[08:28:35] hello folks [08:29:41] I don't see anything ongoing, I am going to depool cp4037 to apply the changes to varnishkafka [08:29:47] hopefully this time it will work [08:29:50] (fingers crossed) [08:42:14] nope doesn't work [08:42:15] sigh [08:48:23] very interesting - if I comment [08:48:23] #kafka.ssl.sigalgs.list=ECDSA+SHA256 [08:48:24] it works [08:53:00] weird [08:54:18] jbond: o/ do you have a min for a brainbounce? [08:57:02] elukey: hi [08:58:23] jbond: morning :) I am seeing something weird in varnishkafka, namely that the ssl sigalgs setting causes the TLS handshake to fail (vk -> kafka broker) [08:58:51] do I need any extra setting for the vk's client cert? I am fairly ignorant in the TLS options for cfssl [08:59:46] eluke one sec let me check a few things [08:59:54] sure sure! [08:59:57] thanks :) [09:00:24] one thing that I had to fix manually is the cert's file, vk prefers the chained one afaics [09:00:37] (in puppet I've set the "cert" one not "chained") [09:02:24] elukey: i just checked and /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.pem has `Signature Algorithm: ecdsa-with-SHA512` could you try setting afka.ssl.sigalgs.list=ECDSA+SHA256 [09:02:28] afka.ssl.sigalgs.list=ECDSA+SHA256 [09:02:38] third time lucky: kafka.ssl.sigalgs.list=ECDSA+SHA512 [09:02:45] ahhhh [09:07:16] jbond: tried but I get again handshake failures sigh [09:08:16] elukey: im gussing when yuo leave it blank it falls back to some default list. is there some way to see in the logs what it ends up using? [09:09:13] jbond: no idea, the logs are not that verbose [09:09:29] * jbond just reading https://phabricator.wikimedia.org/T182993 [09:12:10] I am trying to see if the kafka jumbo brokers are set to avoid the 512 sigalgs [09:12:47] ah hpossible, vgutierrez may be able to help here as well [09:13:27] morning sir [09:13:35] aloha [09:14:06] so... sigalgs set to ECDSA+SHA256 is not longer working? [09:14:21] correct [09:14:37] the new cert has `Algorithm: ecdsa-with-SHA512` [09:14:49] setting `Algorithm: ecdsa-with-SHA512`` also seems to fail [09:14:54] lovely [09:15:04] setting kafka.ssl.sigalgs.list=ECDSA+SHA512 seems to fail [09:15:05] could you point me to the endpoint using that cert? [09:15:18] and I guess that's running TLSv1.3, right? [09:15:25] kafka-jumbo1001.eqiad.wmnet:9092 vgutierrez [09:15:30] err sorry 9093 [09:15:32] :) [09:15:35] thx [09:15:40] I see the following in the kafka broker's profile [09:15:56] # Note that this class configures java.security to set jdk.certpath.disabledAlgorithms [09:15:59] # to restrict the types of sigalgs used for authentication certificates via [09:16:02] # the profile::java hardened_tls parameter. [09:16:53] * vgutierrez double-checking [09:17:01] kafka-jumbo1001.eqiad.wmnet:9093 [09:17:03] right? [09:17:09] yep [09:17:29] https://www.irccloud.com/pastebin/ZjeZ58qJ/ [09:17:43] ECDSA+SHA256 seems to be ok according to OpenSSL [09:18:00] and BTW, it's using TLSv1.2, TLSv1.3 isn't available [09:18:18] yeah but I am not 100% sure if kafka supports it [09:18:32] elukey: WDYM? [09:18:58] vgutierrez: https://issues.apache.org/jira/browse/KAFKA-7251 [09:19:04] we still run java 8, not 11 [09:19:23] plus the support seems "fixed" for kafka 2.5, and we have 1.1 [09:19:25] oh you were talking about TLSv1.3, ok [09:19:36] yes yes [09:20:28] also, one thing to consider here: Kafka uses a security.java file with some stricter setting than the defaults [09:20:54] elukey: which varnishkafka config do I need to check? [09:21:01] elukey: /etc/varnishkakfa/webrequest.conf? [09:21:16] vgutierrez: correct yes [09:21:37] elukey: I'm on cp4037 so this seems "dirty" [09:21:53] vgutierrez: ? [09:22:02] #kafka.ssl.sigalgs.list=ECDSA+SHA512 [09:22:08] that comment I guess it's not on puppet [09:22:16] any other changes I should be aware of? :) [09:22:33] nono it is mine, I also switched to the "chained" certificate file [09:23:12] ack, give me one sec plz [09:23:59] moritzm: I tried to check /etc/java-8-openjdk/security/java.security but I don't see any explicit disable for some sigalgs afaics.. [09:27:31] elukey: the only change is the PKI migration, right? [09:27:38] correct [09:29:20] at this point it may be how I requested the cert? It contains CN:varnishkafka, that's the only special thing [09:29:49] yeah, IIRC we're setting legacyAlgorithms for DSA, SHA1 (plus some settings related to Kerberos) [09:30:15] elukey: vgutierrez: its worth notoing if missed that with the line commented out, i.e. letting thing negotiate then it works [09:30:25] err [09:30:41] elukey: thats correct right or did i miss interprit? [09:30:41] so with openssl s_client and mtls [09:30:47] Peer signing digest: SHA256 [09:30:47] Peer signature type: ECDSA [09:30:48] jbond: correct [09:30:58] so that's sudo openssl s_client -connect kafka-jumbo1001.eqiad.wmnet:9093 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -cert /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11.chained.pem -key /etc/varnishkafka/ssl/kafka__varnishkafka_kafka_11-key.pem -chainCAfile /etc/ssl/certs/wmf-ca-certificates.crt [09:32:25] appending -signalgs ECDSA+SHA256 also works [09:32:31] SHA512 doesn't [09:32:57] Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 [09:32:57] Shared Requested Signature Algorithms: ECDSA+SHA256 [09:33:05] ECDSA+SHA256 should be perfectly fine [09:33:31] vgutierrez: I tried your command but I see the same error that I find in the vk logs [09:33:34] verify return:1 [09:33:37] 140590443332928:error:141A10F4:SSL routines:ossl_statem_client_read_transition:unexpected message:../ssl/statem/statem_clnt.c:393: [09:33:43] elukey: errr [09:33:53] I'm running that from cp4037 right now [09:33:58] same [09:34:19] works here [09:34:30] https://www.irccloud.com/pastebin/wi5whc9i/ [09:35:06] vgutierrez: line 9 [09:35:56] elukey: hmmm [09:36:09] -state says that the server side is sending an unexpected message [09:36:23] after the handshake is almost done [09:36:28] https://www.irccloud.com/pastebin/o6cwlx9K/ [09:37:00] I see yes.. maybe it is on the broker side the issue [09:38:09] vgutierrez: im also a bit confused that the Shared Requested Signature Algorithms also includes ECDSA+SHA512 [09:38:18] elukey: client config seems to be OK as long as you use ECDSA+SHA256 [09:41:01] jbond: me too TBH [09:41:09] the cergen's cert has Signature Algorithm: sha256WithRSAEncryption, and it works fine.. [09:41:24] jbond: I think those are the ones offered by the server [09:41:35] and the new one Signature Algorithm: ecdsa-with-SHA512 [09:42:30] at this point it maybe be good to revert and repool cp4037, and possibly add a Varnishkafka canary that pushes to kafka-test somewhere [09:42:46] so if I break it no big deal, and in the future we'll be able to test changes inthere [09:43:24] SGTM [09:43:47] jbond: so the requested ones seems the one being sent as part of the ServerHello MSG [09:45:05] all right reverting [09:45:47] ack [09:46:01] thanks a lot to both for the help! [09:47:33] vgutierrez: thats what i though so i figured using ` -sigalgs ECDSA+SHA512` via the cli it would have worked. but actully as i l;ook at it you get a much stranger error message in that case [09:47:40] https://phabricator.wikimedia.org/P49399 [09:47:48] no peer certificate available [09:48:06] that's the handshake failing altogether [09:48:07] * jbond a bit out of their TLS depth [09:48:21] you get the same if you ask for tls 1.3 [09:48:35] ahh could it be that ECDSA+SHA512 implies TLS1.3 [09:49:24] * jbond found this https://groups.google.com/a/chromium.org/g/net-dev/c/A-LcSmj5TBE [09:50:37] seems to be similar bugs for chromium and mozila [09:51:15] so... the generated certs don't work with TLSv1.2? [09:52:00] id be suprised if thats the case and we didn;t discover untill now ... [09:52:16] it's weird that OpenSSL returns a verification OK and the error at the same time [09:52:21] SSL handshake has read 4428 bytes and written 1174 bytes [09:52:21] Verification: OK [09:52:27] yes [09:53:17] jbond: do you have in mind another endpoint using this kind of cert but a different SSL/TLS implementation? [09:53:21] aka not JVM [09:53:26] maybe the puppetmasters? [09:53:29] yes just checking debmonitor [09:55:04] vgutierrez: https://debmonitor.discovery.wmnet [09:55:12] with certs in /etc/debmonitor/ssl [09:58:14] vgutierrez: the following works [09:58:14] sudo openssl s_client -connect debmonitor.discovery.wmnet:443 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -cert /etc/debmonitor/ssl/debmonitor__sretest1001_eqiad_wmnet.pem -key /etc/debmonitor/ssl/debmonitor__sretest1001_eqiad_wmnet-key.pem -chainCAfile /etc/ssl/certs/wmf-ca-certificates.crt [09:58:33] anything < tls1.2 is disabled server side [09:59:07] adding -sigalgs ECDSA+SHA512 [09:59:09] also works [09:59:27] * jbond tempted to blame java [10:01:03] librdkafka could also play a role, not sure [10:01:36] elukey: librdkafka uses OpenSSL [10:01:45] not at fault here IMHO [10:01:58] sure sure [10:02:31] we could see if the issue repro also on kafka-test1006.eqiad.wmnet:9093, restart the kafka broker with max tls/ssl logs for the jvm and see why it complains [10:02:40] this is the only other thing that I can think of [10:02:59] sounds good [10:07:24] +1 [10:25:23] >>> ??? [length 0005] [10:25:24] 15 03 03 00 1a [10:25:24] >>> TLS 1.2, Alert [length 0002], fatal unexpected_message [10:25:24] 02 0a [10:25:30] that 15 03 03 00 1a is the unexpected message [10:25:59] per RFC 5246 that's a certificate_verify (0x15) message [10:26:45] same RFC.. [10:26:49] https://www.irccloud.com/pastebin/HY3EbPUd/ [10:28:39] hmm forget it [10:28:42] 15 != 0x15 :) [10:33:40] elukey: so it's definitely related to mTLS [10:35:06] elukey: are we sure that JVM 8 supports ecdsa-with-SHA512? [10:36:32] elukey: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Signature [10:36:35] seems to be listed there [10:37:50] elukey: maybe our security config file disables it? [10:37:57] as moritzm mentioned before [11:09:27] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10cloud-services-team, 10User-aborrero: cloudservices2004-dev: reimage into new network setup - https://phabricator.wikimedia.org/T338778 (10aborrero) [11:12:08] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10cloud-services-team, 10User-aborrero: cloudservices2004-dev: reimage into new network setup - https://phabricator.wikimedia.org/T338778 (10aborrero) [11:13:12] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10cloud-services-team, 10User-aborrero: cloudservices2004-dev: reimage into new network setup - https://phabricator.wikimedia.org/T338778 (10aborrero) p:05Triage→03Medium [12:27:21] 10Traffic, 10Infrastructure-Foundations, 10SRE-tools: Write a cookbook to roll reboot cache hosts - https://phabricator.wikimedia.org/T338783 (10Volans) p:05Triage→03Medium [12:28:06] vgutierrez: possibly yes, I tried to check in the security config file for java, but didn't find anything that may lead to ecdsa-sha512 not usable [12:29:50] vgutierrez: https://phabricator.wikimedia.org/P49400 [12:46:17] elukey: could we run something like https://stackoverflow.com/a/9334357 :? [13:03:18] 10Traffic, 10DC-Ops, 10SRE, 10ops-eqiad: Q4:rack/setup/install dns100[456] - https://phabricator.wikimedia.org/T326685 (10Papaul) @ssingh any update on this? [13:04:36] vgutierrez: I can try but my java is a little rusty :D [13:05:01] I am going to do some tests with debug logging in kafka test, hopefully we'll get more info [13:07:24] 10Traffic, 10DC-Ops, 10SRE, 10ops-eqiad: Q4:rack/setup/install dns100[456] - https://phabricator.wikimedia.org/T326685 (10ssingh) Hi @papaul: We are all good from dc-ops side, this is on Traffic now. We wanted to get a few NTP changes out of the way before reimaging the next batch and therefore it's blocke... [13:17:56] 10Traffic, 10DC-Ops, 10SRE, 10ops-eqiad: Q4:rack/setup/install dns100[456] - https://phabricator.wikimedia.org/T326685 (10Papaul) @ssingh thanks [13:29:22] 10Traffic, 10SRE: Q4:rack/setup/install dns100[456] - https://phabricator.wikimedia.org/T326685 (10ssingh) [13:32:12] so in the debug logs I see [13:32:13] Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [13:37:57] and I also found this [13:37:57] # https://phabricator.wikimedia.org/T182993#4208208 [13:37:58] $ssl_java_opts = '-Djdk.tls.namedGroups=secp256r1 -XX:+UseAES -XX:+UseAESIntrinsics' [13:41:07] the cert should be good though [13:41:07] ASN1 OID: prime256v1 [13:41:07] NIST CURVE: P-256 [13:57:09] elukey: err so it looks like the server side needs to get updated the CA file for the client verification [13:57:41] * vgutierrez wondering... [13:59:11] yeah, not even chained works [13:59:21] vgutierrez: I was reading that the cryptic error msg could indicate a generic tls handshake error, in theory the broker has the root PKI ca in its bundle and we send the chained cert [14:04:25] -Djdk.tls.namedGroups=secp256r1 [14:04:37] so.. if that disables all the other eliptic curves [14:04:48] we got a problem [14:04:59] cause the intermediate CA pub key uses secp521r1 [14:05:17] https://www.irccloud.com/pastebin/J0MK4Ate/ [14:05:40] funny choice BTW :) [14:07:22] according to the documentation that's the case [14:07:46] from https://www.java.com/en/configure_crypto.html, it says that jdk.tls.namedGroups can be used to "Disable weak named curves by default in TLS, CertPath, and Signed JARs" [14:08:26] elukey: it looks like secp521r1 needs to be added there as well [14:08:35] I tried to remove the setting but didn't solve the issue, do you think that we should add secp521r1? [14:10:08] so secp521r1 needs to be theer [14:10:10] *there [14:10:22] it's used both on the intermediate CA and the root CA [14:10:58] elukey: what do we have on jdk.disabled.namedCurves :? [14:12:15] vgutierrez: nothing afaics, it is set only for jdk11 [14:12:58] ah no wait [14:13:35] https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html lists secp521r1 as one of the recommended curves [14:13:47] yeah I see it only for java 11 [14:13:53] along with secp256r1 and secp384r1 [14:13:57] the disabled etc.. [14:14:13] so as long as we aren't actually disabling it, we should be ok in that front [14:14:52] same with ecdsa-with-SHA512 to be able to validate the signature [14:17:53] BTW SHA512withECDSA support is provided by $JAVA_HOME/lib/libsunec.so according to https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html [14:18:28] we definitely need to be able to list the supported algorithms in runtime [14:18:35] it's gonna be way easier :) [14:30:53] https://www.irccloud.com/pastebin/EI8WD0qw/ [14:31:02] elukey: ^^ that's a naive test [14:31:15] elukey: do you have the list of all the runtime JVM options that we are using? [14:32:11] vgutierrez: ack so IIUC SHA512withECDSA is supported right? [14:32:24] vgutierrez: the best it to grep for kafka on the node [14:32:32] err on ps -aux on the node [14:32:42] because the options are added in multiple places IIRC [14:32:50] most of them are in /etc/default/kafka though [14:32:50] got it [14:35:47] nothging related to tls or java.security besides the one already appended [14:36:19] also a quick check with keytool -v -list -keystore /etc/ssl/localcerts/wmf-java-cacerts shows that the root CA is in there since March 21st and systemctl shows that kafka was started on March 29th [14:36:21] * vgutierrez running out of ideas [14:37:45] yeah me too, really weird [14:38:22] elukey: but wait.. mTLS CA store could be different to ssl.truststore.location [14:41:20] nah.. it's the only one configured in there [14:41:25] so it must be it [14:41:39] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10SRE, and 2 others: Move cloud vps ns-recursor IPs to host/row-independent addressing - https://phabricator.wikimedia.org/T307357 (10aborrero) [14:52:40] https://www.irccloud.com/pastebin/Nyw0vX6X/ [14:53:31] let's see if I can perform that using java [15:07:30] hmm interesting [15:07:40] it's failing to validate it with Java [15:15:21] fixed my code.. at least the chain gets validated as expected.. [15:15:24] sigh [15:18:24] 10netops, 10Infrastructure-Foundations, 10SRE, 10Epic: [tracking] Don't keep on the public vlans hosts that don't require it - https://phabricator.wikimedia.org/T317177 (10aborrero) [15:18:34] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [15:18:40] just to have some common ground - varnishkafka works if we don't set the sigalgs setting, so I am wondering what settings it uses [15:18:42] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10SRE, and 2 others: Move cloud vps ns-recursor IPs to host/row-independent addressing - https://phabricator.wikimedia.org/T307357 (10aborrero) 05Open→03Stalled This is done for codfw1dev DNS servers. I'll mark this task as stalled until we work on... [15:18:55] because so far we didn't manage to repro a good handshake with the new cert/key right? [15:20:13] elukey: with openssl? nope [15:20:42] elukey: wait? what? without sigalgs work? [15:21:18] vgutierrez: it didn't emit any error log, I haven't tested sending a request, but yes it worked fine [15:21:46] this was the original point that I made, but we investigate so many things [15:23:09] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [15:28:50] elukey: got it working now with OpenSSL [15:29:17] \o/ [15:29:21] what magic did you use? [15:29:28] elukey: -cert_chain :) [15:29:33] https://www.irccloud.com/pastebin/0a2OM0CN/ [15:30:05] you can see that ECDSA+SHA256 is in there [15:30:18] so.. for some reason varnishkakfa isn't feeding the intermediate CA as expected [15:30:23] *varnishkafka even [15:32:56] If I don't force any sigalg it still uses ECDSA+SHA256 [15:32:58] 10netops, 10Cloud-VPS, 10Infrastructure-Foundations, 10SRE, and 2 others: cloudservices2004-dev: reimage into new network setup - https://phabricator.wikimedia.org/T338778 (10aborrero) [15:33:28] so.. know we know that kafka-jumbo is able to validate the cert as expected using another SSL client [15:33:36] *now we know (damn brain) [15:33:42] I am checking the ssl. options in https://docs.confluent.io/platform/current/clients/librdkafka/html/md_CONFIGURATION.html but I don't find an equivalent for -cert_chain [15:34:04] elukey: do we have an easy way of capturing the TLS handshake? [15:35:08] elukey: that's because https://github.com/confluentinc/librdkafka/blob/master/src/rdkafka_ssl.c#L1177-L1178 [15:35:11] vgutierrez: if you check on kafka-test1006 with `sudo journalctl -u kafka -f` you should see the ssl handshake debug logging [15:35:22] * vgutierrez checking [15:36:01] that's some verbosity [15:36:09] you asked for it :D [15:37:00] not sure the TLS data is there anymore [15:37:56] ah yes lemme fix it [15:38:07] vgutierrez: now you have it [15:38:58] that's from a varnishkafka producer,.right? [15:39:05] the one starting at 15:37:57 [15:39:09] openssl [15:39:16] but that's working [15:39:16] did it manually [15:39:18] * vgutierrez cries [15:39:27] sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [15:39:31] nope it doesn't [15:39:42] elukey: did you use the proper CLI? [15:39:51] ah ok no if you see other ones those are the other brokers probably [15:40:03] they do communicate via TLS as well [15:40:33] try to send a request to it via openssl and you'll see the data [15:41:12] kafka-test1006:9093 right? [15:41:15] yeah [15:42:29] I also just noticed the .chain vs .chained in /etc/varnishkafka/ssl [15:42:43] elukey: yup.. works like a charm with openssl [15:42:45] no errors at all [15:42:57] vgutierrez: sure if you use the cert_chain right? [15:43:04] that's how it should be :) [15:43:48] elukey: I'm guessing that we the "old PKI" we didn't have an intermediate CA? [15:44:11] old pki namely puppet ca? yes :D [15:44:33] yes [15:44:41] * vgutierrez checking another thing.. [15:45:20] vgutierrez: could it be that maybe I used the .chained pem file (containing separated charts) vs the .chain one (containing only one)? [15:45:23] elukey: so.. it looks like .chained is wrong [15:45:29] exactly :D [15:45:43] per SSL_CTX_use_certificate_chain_file() documentation [15:45:54] The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable [15:46:57] but on the .chained.pem file the first certificate is the intermediate CA one [15:47:04] oooof [15:47:13] we should fix that one and see what happens [15:47:19] * vgutierrez wants a beer if that solves the issue [15:47:27] ok so the "chained" one is the right one, but not in the right format [15:47:39] at least not according to OpenSSL documentation [15:47:48] maybe behavior != documentation [15:47:59] but at the very least the file doesn't match docs behavior [15:51:10] vgutierrez: to avoid loosing all the context, do you mind to add a quick summary to https://phabricator.wikimedia.org/T337825 ? [15:54:06] 10Traffic: Create a cookbook to reboot CDN hosts - https://phabricator.wikimedia.org/T338813 (10BCornwall) [15:55:40] 10Traffic: Create a cookbook to reboot CDN hosts - https://phabricator.wikimedia.org/T338813 (10BCornwall) 05Open→03In progress p:05Triage→03Medium [15:56:57] elukey: https://phabricator.wikimedia.org/T337825#8923598 [15:57:04] 10Traffic, 10Data-Engineering, 10Data-Platform-SRE, 10SRE: Move varnishkafka to PKI - https://phabricator.wikimedia.org/T337825 (10Vgutierrez) I've replicated a successful mTLS handshake with openssl s_client using the following CMD: ` vgutierrez@cp4037:~$ sudo openssl s_client -connect kafka-jumbo1001.eqi... [16:03:02] vgutierrez: <3 [16:03:19] 6pm already?? [16:03:24] OMG, I got nerd snipped big time [16:03:31] I know I nerd sniped you badly today [16:05:06] elukey: let me know if fixing the .chained order fixes the issue [16:05:42] it should be "as easy" as disabling puppet on cp4037 and "re-ordering" the file [16:05:55] I can try to run a vk test instance on cp4037 that only emits to stdout [16:05:58] will try to do it [16:06:51] ah no of course I need to set kafka stuff sigh [16:12:35] 10Traffic, 10SRE, 10Puppet, 10User-jbond: In valid byte sequence: File[/etc/update-ocsp.d/hooks/trafficserver-tls-ocsp] - https://phabricator.wikimedia.org/T238198 (10jbond) [16:12:39] elukey: let's try tomorrow morning then :) [16:14:06] 10Traffic, 10SRE, 10Puppet, 10User-jbond: In valid byte sequence: File[/etc/update-ocsp.d/hooks/trafficserver-tls-ocsp] - https://phabricator.wikimedia.org/T238198 (10Vgutierrez) 05Open→03Resolved a:03Vgutierrez @jbond I think we can close this one [16:36:55] vgutierrez: something interesting - it works when I use kafka test as target :D [16:37:03] the regular chained file I mean [16:37:39] but the broker runs with [16:37:40] -Djdk.tls.namedGroups="secp256r1,secp521r1" [16:40:49] elukey: but I'm able to get a succesful tls handshake against jumbo1001 with openssl :| [16:40:57] with just secp256r1 [16:41:29] yes sorry same thing for test, I just fixed it [16:41:31] what the hell [16:41:41] now I am very confused [16:42:21] yeah nobody really needs or wants 521 [16:42:32] bblack: we do apparently :) [16:42:36] :P [16:43:07] elukey: are we sure that kakfa-jumbo is using the current contents of the truststore and not a deprecated version? [16:43:25] sure like 100% bet the beer comsumption of a whole year sure? [16:44:26] vgutierrez: I'd say so, otherwise I wouldn't have moved all brokers to PKI [16:44:43] vgutierrez: can you raise a ticket about not using secp521r1 (it will be hard to change buyt we can try) [16:45:14] also one on the ordering. AFAIk the order hasd not caused issue with openssl before. however i have noticed that golang is strict about this but hadn;t realised it was a spec thing [16:45:17] in the meantime I filed https://gerrit.wikimedia.org/r/c/operations/puppet/+/929384/ to fix the path [16:45:39] jbond: I tried with the different order but even openssl seems to complain [16:45:44] key mismatch it says [16:46:09] jbond: stuff like https://bugs.chromium.org/p/chromium/issues/detail?id=478225 :? [16:47:27] elukey: openssl s_client -cert doesn't expect the chain to be embedded there at all AFAIK [16:47:27] anyway, we can call it a day, I'll restart tomorrow [16:47:35] elukey: yes as said im not sure its the solution to this issue but it should still be fixed as we have seen an issue with go [16:47:37] have a good evening folks! [16:47:48] * vgutierrez follows elukey lead [16:59:11] 10Traffic, 10serviceops, 10Datacenter-Switchover, 10Patch-For-Review: Figure out what changes are needed in the traffic layer for having codfw be the r/w DC for half a year - https://phabricator.wikimedia.org/T337535 (10BBlack) The more I've thought about this issue, I think we should probably stick with t... [17:07:50] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [17:08:25] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [17:25:16] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [17:28:18] 10netops, 10Infrastructure-Foundations, 10SRE: Plan codfw row A/B top-of-rack switch refresh - https://phabricator.wikimedia.org/T327938 (10Papaul) [17:28:24] 10netops, 10Infrastructure-Foundations, 10Puppet-Core, 10SRE, 10User-jbond: Investigate improvements to how puppet manages network interfaces - https://phabricator.wikimedia.org/T234207 (10jbond) [20:04:54] 10netops, 10Infrastructure-Foundations, 10SRE, 10ops-codfw: Codfw:row A/B: rack/cable new switches - https://phabricator.wikimedia.org/T332180 (10Papaul)