Using /etc/ansible/ansible.cfg as config file
Operations to perform:
  Apply all migrations: admin, api, auth, contenttypes, db, sessions
Running migrations:
  No migrations to apply.
[WARNING]: Could not match supplied host pattern, ignoring: disabled

PLAY [certcheck:!disabled] *****************************************************

TASK [install-certcheck : Ensure dependencies] *********************************
changed: [bridge99.opendev.org] => { "cache_update_time": 1742856068, "cache_updated": false, "changed": true }
STDOUT:
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  liblockfile-bin liblockfile1
The following NEW packages will be installed:
  bsd-mailx liblockfile-bin liblockfile1
0 upgraded, 3 newly installed, 0 to remove and 2 not upgraded.
Need to get 88.4 kB of archives.
After this operation, 270 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 liblockfile-bin amd64 1.17-1build2 [11.7 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 liblockfile1 amd64 1.17-1build2 [7058 B]
Get:3 http://us.archive.ubuntu.com/ubuntu jammy/main amd64 bsd-mailx amd64 8.1.2-0.20180807cvs-2build2 [69.6 kB]
Fetched 88.4 kB in 0s (1024 kB/s)
Selecting previously unselected package liblockfile-bin.
(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 43302 files and directories currently installed.)
Preparing to unpack .../liblockfile-bin_1.17-1build2_amd64.deb ...
Unpacking liblockfile-bin (1.17-1build2) ...
Selecting previously unselected package liblockfile1:amd64.
Preparing to unpack .../liblockfile1_1.17-1build2_amd64.deb ...
Unpacking liblockfile1:amd64 (1.17-1build2) ...
Selecting previously unselected package bsd-mailx.
Preparing to unpack .../bsd-mailx_8.1.2-0.20180807cvs-2build2_amd64.deb ...
Unpacking bsd-mailx (8.1.2-0.20180807cvs-2build2) ...
Setting up liblockfile-bin (1.17-1build2) ...
Setting up liblockfile1:amd64 (1.17-1build2) ...
Setting up bsd-mailx (8.1.2-0.20180807cvs-2build2) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for libc-bin (2.35-0ubuntu3.9) ...
STDERR:
debconf: delaying package configuration, since apt-utils is not installed

TASK [install-certcheck : Ensure certcheck user] *******************************
changed: [bridge99.opendev.org] => { "changed": true, "comment": "User for SSL validation", "create_home": true, "group": 3000, "home": "/home/certcheck", "name": "certcheck", "shell": "/bin/sh", "state": "present", "system": false, "uid": 3000 }

TASK [install-certcheck : Ensure certcheck config directory] *******************
changed: [bridge99.opendev.org] => { "changed": true, "gid": 3000, "group": "certcheck", "mode": "0755", "owner": "certcheck", "path": "/var/lib/certcheck", "size": 4096, "state": "directory", "uid": 3000 }

TASK [install-certcheck : Pull latest ssl-cert-check from git] *****************
changed: [bridge99.opendev.org] => { "after": "967b93707f53cfdfefd61e074f18348f1f82bab9", "before": null, "changed": true }

TASK [install-certcheck : Install cron job] ************************************
changed: [bridge99.opendev.org] => { "changed": true, "envs": [], "jobs": [ "Run certcheck" ] }

PLAY [Deploy and renew certificates] *******************************************

TASK [letsencrypt-acme-sh-install : Check status of acme.sh script] ************
ok: [gitea99.opendev.org] => { "changed": false, "stat": { "exists": false } }

TASK [letsencrypt-acme-sh-install : Install acme.sh client] ********************
changed: [gitea99.opendev.org] => { "after": "16dc21afff11c1f4de7ebe627ed60d41496d1565", "attempts": 1, "before": null, "changed": true }

TASK [letsencrypt-acme-sh-install : Patch for issue 4659] **********************
changed: [gitea99.opendev.org] => { "changed": true, "cmd": "git -C /opt/acme.sh cherry-pick 4c30250\ngit -C /opt/acme.sh cherry-pick 327e2fb\n", "delta": "0:00:00.081703", "end": "2025-03-24 22:43:51.195366", "rc": 0, "start": "2025-03-24 22:43:51.113663" }
STDOUT:
Auto-merging acme.sh
[detached HEAD 56367e83] fix https://github.com/acmesh-official/acme.sh/issues/4659
Author: neil
Date: Fri Jun 9 19:59:29 2023 +0800
Committer: root
Your name and email address were configured automatically based on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the following command and follow the instructions in your editor to edit your configuration file:
git config --global --edit
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
1 file changed, 1 insertion(+), 12 deletions(-)
Auto-merging acme.sh
[detached HEAD 7ea0ac20] remove all exec. https://github.com/acmesh-official/acme.sh/issues/4659
Author: neil
Date: Fri Jun 9 20:18:38 2023 +0800
Committer: root
Your name and email address were configured automatically based on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly. Run the following command and follow the instructions in your editor to edit your configuration file:
git config --global --edit
After doing this, you may fix the identity used for this commit with:
git commit --amend --reset-author
1 file changed, 8 insertions(+), 32 deletions(-)

TASK [letsencrypt-acme-sh-install : Install letsencrypt group] *****************
changed: [gitea99.opendev.org] => { "changed": true, "gid": 3000, "name": "letsencrypt", "state": "present", "system": false }

TASK [letsencrypt-acme-sh-install : Install driver script] *********************
changed: [gitea99.opendev.org] => { "changed": true, "checksum": "f857339ca704e5235fce2f10fe30b53dee3ad9c7", "dest": "/opt/acme.sh/driver.sh", "gid": 0, "group": "root", "md5sum": "b2f770f165b621d20afd409c74b8ec23", "mode": "0755", "owner": "root", "size": 7964, "src": "/root/.ansible/tmp/ansible-tmp-1742856232.1364532-20526-46294356556070/source", "state": "file", "uid": 0 }

TASK [letsencrypt-acme-sh-install : Setup log directory] ***********************
changed: [gitea99.opendev.org] => { "changed": true, "gid": 0, "group": "root", "mode": "0755", "owner": "root", "path": "/var/log/acme.sh", "size": 4096, "state": "directory", "uid": 0 }

TASK [Setup log rotation] ******************************************************

TASK [logrotate : Check for filename] ******************************************
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "logrotate_file_name is not defined", "skip_reason": "Conditional result was False" }

TASK [logrotate : assert] ******************************************************
ok: [gitea99.opendev.org] => { "changed": false }
MSG:
All assertions passed

TASK [logrotate : assert] ******************************************************
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "logrotate_frequency == 'size'", "skip_reason": "Conditional result was False" }

TASK [logrotate : Create a unique config name] *********************************
ok: [gitea99.opendev.org] => { "ansible_facts": { "_old_logrotate_generated_config_file_name": "acme.sh.log.f443f.conf", "logrotate_generated_config_file_name": "f443f4.conf" }, "changed": false }

TASK [logrotate : Clear out potentially confusing config files] ****************
ok: [gitea99.opendev.org] => { "changed": false, "path": "/etc/logrotate.d/acme.sh.log.f443f.conf", "state": "absent" }

TASK [logrotate : Install /var/log/acme.sh/acme.sh.log rotatation config file] ***
changed: [gitea99.opendev.org] => { "changed": true, "checksum": "6a59cc576e407636b3517ce2ed4b9f6cee148812", "dest": "/etc/logrotate.d/f443f4.conf", "gid": 0, "group": "root", "md5sum": "233ebd440935ff803ca10def5027ec11", "mode": "0644", "owner": "root", "size": 112, "src": "/root/.ansible/tmp/ansible-tmp-1742856235.1528165-20552-54234807655651/source", "state": "file", "uid": 0 }

TASK [letsencrypt-acme-sh-install : Setup top level cert directory] ************
changed: [gitea99.opendev.org] => { "changed": true, "gid": 3000, "group": "letsencrypt", "mode": "02750", "owner": "root", "path": "/etc/letsencrypt-certs", "size": 4096, "state": "directory", "uid": 0 }

TASK [letsencrypt-acme-sh-install : Create acme.sh config directory] ***********
changed: [gitea99.opendev.org] => { "changed": true, "gid": 0, "group": "root", "mode": "0750", "owner": "root", "path": "/root/.acme.sh", "size": 4096, "state": "directory", "uid": 0 }

TASK [letsencrypt-acme-sh-install : Check for account email] *******************
ok: [gitea99.opendev.org] => { "changed": false }
MSG:
All assertions passed

TASK [letsencrypt-acme-sh-install : Configure account email] *******************
changed: [gitea99.opendev.org] => { "backup": "", "changed": true }
MSG:
line added

TASK [letsencrypt-acme-sh-install : Check for existing account setup] **********
ok: [gitea99.opendev.org] => (item=/root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json) => { "ansible_loop_var": "item", "changed": false, "item": "/root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json", "stat": { "exists": false } }
ok: [gitea99.opendev.org] => (item=/root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json) => { "ansible_loop_var": "item", "changed": false, "item": "/root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json", "stat": { "exists": false } }

TASK [letsencrypt-acme-sh-install : Run account update] ************************
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "account_email.changed and (existing_accounts.results | selectattr('stat.exists') | map(attribute='item') | list | length > 0)", "skip_reason": "Conditional result was False" }

TASK [letsencrypt-request-certs : set_fact] ************************************
ok: [gitea99.opendev.org] => { "ansible_facts": { "acme_txt_required": [] }, "changed": false }

TASK [letsencrypt-request-certs : Generate certificate creation/renewal requests] ***
included: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/letsencrypt-request-certs/tasks/acme.yaml for gitea99.opendev.org => (item={'key': 'gitea99-main', 'value': ['gitea99.opendev.org', 'opendev.org']})

TASK [letsencrypt-request-certs : Build arguments for letsencrypt acme.sh driver for: gitea99-main] ***
ok: [gitea99.opendev.org] => { "ansible_facts": { "acme_args": "\"-d gitea99.opendev.org -d opendev.org \"" }, "changed": false }

TASK [letsencrypt-request-certs : Run acme.sh driver for certificate issue] ****
changed: [gitea99.opendev.org] => { "changed": true, "cmd": "/opt/acme.sh/driver.sh issue-selfsign \"-d gitea99.opendev.org -d opendev.org \"\n", "delta": "0:00:00.025503", "end": "2025-03-24 22:43:59.210377", "rc": 0, "start": "2025-03-24 22:43:59.184874" }
STDOUT:
gitea99.opendev.org:mEFTbjQMehZfu1YjbBBliWI3I30NbhSHl7KXncA2Ix4
opendev.org:-4WBUEVP3YylqA6-vaFvd0dMiqSq7ldd6B-BU4CdfAA

TASK [letsencrypt-request-certs : set_fact] ************************************
ok: [gitea99.opendev.org] => (item=gitea99.opendev.org:mEFTbjQMehZfu1YjbBBliWI3I30NbhSHl7KXncA2Ix4) => { "ansible_facts": { "acme_txt_required": [ [ "gitea99-main", "mEFTbjQMehZfu1YjbBBliWI3I30NbhSHl7KXncA2Ix4" ] ] }, "ansible_loop_var": "item", "changed": false, "item": "gitea99.opendev.org:mEFTbjQMehZfu1YjbBBliWI3I30NbhSHl7KXncA2Ix4" }
ok: [gitea99.opendev.org] => (item=opendev.org:-4WBUEVP3YylqA6-vaFvd0dMiqSq7ldd6B-BU4CdfAA) => { "ansible_facts": { "acme_txt_required": [ [ "gitea99-main", "mEFTbjQMehZfu1YjbBBliWI3I30NbhSHl7KXncA2Ix4" ], [ "gitea99-main", "-4WBUEVP3YylqA6-vaFvd0dMiqSq7ldd6B-BU4CdfAA" ] ] }, "ansible_loop_var": "item", "changed": false, "item": "opendev.org:-4WBUEVP3YylqA6-vaFvd0dMiqSq7ldd6B-BU4CdfAA" }

TASK [letsencrypt-request-certs : Create ssl check domain list] ****************
[WARNING]: Could not match supplied host pattern, ignoring: adns-primary
ok: [gitea99.opendev.org] => (item={'key': 'gitea99-main', 'value': ['gitea99.opendev.org', 'opendev.org']}) => { "ansible_facts": { "letsencrypt_certcheck_domains": [ "gitea99.opendev.org 443" ] }, "ansible_loop_var": "item", "changed": false, "item": { "key": "gitea99-main", "value": [ "gitea99.opendev.org", "opendev.org" ] } }

PLAY [Install txt records] *****************************************************
skipping: no hosts matched

PLAY [Create certs] ************************************************************

TASK [letsencrypt-create-certs : Check for prerun state] ***********************
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "acme_txt_required is not defined", "skip_reason": "Conditional result was False" }

TASK [letsencrypt-create-certs : Generate list of changed certificates] ********
ok: [gitea99.opendev.org] => { "ansible_facts": { "acme_txt_changed": [ "gitea99-main" ] }, "changed": false }

TASK [letsencrypt-create-certs : Include ACME renewal] *************************
included: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/letsencrypt-create-certs/tasks/acme.yaml for gitea99.opendev.org => (item={'key': 'gitea99-main', 'value': ['gitea99.opendev.org', 'opendev.org']})

TASK [letsencrypt-create-certs : Build arguments for letsencrypt acme.sh driver for: gitea99-main] ***
ok: [gitea99.opendev.org] => { "ansible_facts": { "acme_args": "\"-d gitea99.opendev.org -d opendev.org \"" }, "changed": false }

TASK [letsencrypt-create-certs : Run acme.sh driver for gitea99-main certificate issue] ***
changed: [gitea99.opendev.org] => { "changed": true, "cmd": "/opt/acme.sh/driver.sh selfsign \"-d gitea99.opendev.org -d opendev.org \"\n", "delta": "0:00:00.345032", "end": "2025-03-24 22:44:01.765665", "rc": 0, "start": "2025-03-24 22:44:01.420633" }
STDOUT:
Creating certs in /etc/letsencrypt-certs/gitea99.opendev.org
Adding SAN : opendev.org
Certificate request self-signature ok
subject=C = US, ST = CA, O = OpenDev Infra, CN = gitea99.opendev.org
chown: invalid group: ‘root:letsencyrpt’

RUNNING HANDLER [letsencrypt-create-certs : letsencrypt updated gitea99-main] ***
included: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml for gitea99.opendev.org

RUNNING HANDLER [letsencrypt-create-certs : Ensure gitea cert directy exists] ***
changed: [gitea99.opendev.org] => { "changed": true, "gid": 1000, "group": "zuul", "mode": "0755", "owner": "zuul", "path": "/var/gitea/certs", "size": 4096, "state": "directory", "uid": 1000 }

RUNNING HANDLER [letsencrypt-create-certs : Put key in place] ******************
changed: [gitea99.opendev.org] => { "changed": true, "checksum": "21c476a2e9e87a5fe84ba443ce155a3a7e5e9ec0", "dest": "/var/gitea/certs/key.pem", "gid": 0, "group": "root", "md5sum": "ca0cd092e34e716940b6c4c2b18dbfa3", "mode": "0644", "owner": "root", "size": 1704, "src": "/etc/letsencrypt-certs/gitea99.opendev.org/gitea99.opendev.org.key", "state": "file", "uid": 0 }

RUNNING HANDLER [letsencrypt-create-certs : Put cert in place] *****************
changed: [gitea99.opendev.org] => { "changed": true, "checksum": "217fb01bc38a7d6c8c280608ffc1929ca5c3fa0a", "dest": "/var/gitea/certs/cert.pem", "gid": 0, "group": "root", "md5sum": "686e2a1dad8dfb0dbf5cbf21c1aece8a", "mode": "0644", "owner": "root", "size": 2469, "src": "/etc/letsencrypt-certs/gitea99.opendev.org/fullchain.cer", "state": "file", "uid": 0 }

RUNNING HANDLER [letsencrypt-create-certs : Check for running gitea] ***********
fatal: [gitea99.opendev.org]: FAILED! => { "changed": true, "cmd": [ "pgrep", "-f", "gitea" ], "delta": "0:00:00.015912", "end": "2025-03-24 22:44:03.901600", "rc": 1, "start": "2025-03-24 22:44:03.885688" }
MSG:
non-zero return code
...ignoring

RUNNING HANDLER [letsencrypt-create-certs : Restart gitea web] *****************
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "gitea_pids.rc == 0", "skip_reason": "Conditional result was False" }

RUNNING HANDLER [letsencrypt-create-certs : Wait for service to start and have valid users] ***
skipping: [gitea99.opendev.org] => { "changed": false, "false_condition": "gitea_pids.rc == 0", "skip_reason": "Conditional result was False" }

PLAY [certcheck:!disabled] *****************************************************

TASK [letsencrypt-config-certcheck : Make domain list] *************************
ok: [bridge99.opendev.org] => { "ansible_facts": { "letsencrypt_certcheck_domains": [] }, "changed": false }

TASK [letsencrypt-config-certcheck : Debug build SSL domain list] **************
included: /home/zuul/src/opendev.org/opendev/system-config/playbooks/roles/letsencrypt-config-certcheck/tasks/build_le_domain_list.yaml for bridge99.opendev.org => (item=gitea99.opendev.org)

TASK [letsencrypt-config-certcheck : Record host being looked up for le certcheck domains] ***
ok: [bridge99.opendev.org] => {}
MSG:
Checking domains for gitea99.opendev.org

TASK [letsencrypt-config-certcheck : Build SSL domain list] ********************
ok: [bridge99.opendev.org] => { "ansible_facts": { "letsencrypt_certcheck_domains": [ "gitea99.opendev.org 443" ] }, "changed": false }

TASK [letsencrypt-config-certcheck : Write configuration file] *****************
changed: [bridge99.opendev.org] => { "changed": true, "checksum": "a1a45366940a8ab03edebcd07651e5777c59a8a1", "dest": "/var/lib/certcheck/ssldomains", "gid": 3000, "group": "certcheck", "md5sum": "7b035b0ab6e2961062148dd1ea148ee8", "mode": "0644", "owner": "certcheck", "size": 173, "src": "/root/.ansible/tmp/ansible-tmp-1742856245.682302-20637-10851603277045/source", "state": "file", "uid": 3000 }

PLAY RECAP *********************************************************************
bridge99.opendev.org : ok=10 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
gitea99.opendev.org : ok=30 changed=15 unreachable=0 failed=0 skipped=6 rescued=0 ignored=1