On Wed, 15 Apr 2020 at 12:29, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Wed, Apr 15, 2020 at 7:21 AM sebb <seb...@gmail.com> wrote:
> >
> > I'm wondering what the process is to generate an SSL certificate for a
> > new Whimsy host?
>
> letsencrypt-auto
>
> > AFAICT, the current instructions assume that the website responds to
> > the hostname 'whimsy.apache.org', however that won't be the case until
> > the website is switched over.
>
> letsencrypt requires the host to be able to respond to the list of
> hostnames passed to us.
Exactly. However, only the current Whimsy master responds to whimsy.apache.org.

> > The SSL cert needs to be in place before switch-over occurs.
> >
> > Is there a way to generate the new SSL certificate in advance, without
> > affecting the current Whimsy master?
>
> I'm not certain I understand the question. What needs to be done is
> to ensure that, every time letsencrypt is run on a machine, that machine
> owns the list of hostnames that are passed on the command.
>
> When DNS changes affect a machine (for example, when whimsy.apache.org
> is moved to point to the new machine), letsencrypt will need to be run
> again (likely manually) at that time.
>
> Did I answer your question?

Not really.

Currently whimsy-vm4 is the Whimsy master. The certificate applies to
whimsy.apache.org as well as whimsy-vm4.apache.org (and whimsy4.apache.org).

If we wish to switch over to whimsy-vm5, we will need to generate an SSL
certificate that applies to the host whimsy.apache.org as well as
whimsy-vm5.apache.org (and whimsy5.apache.org).

AFAICT to do this using letsencrypt-auto requires the following process:

- ask infra to change the DNS so whimsy.apache.org points to whimsy-vm5
- wait an indeterminate time until the DNS change has occurred
- run the letsencrypt script

Whilst this will eventually result in the new host taking over, there may
be several hours during which the SSL certificate is not valid for
whimsy-vm5.

If the cert could be obtained in advance, this would be avoided.

Note: the Secretary workbench will need to be paused during switchover, as
some of its mutable data is stored locally rather than in SVN, Git or LDAP.
That data needs to be copied across to avoid duplication.

> > Sebb
>
> - Sam Ruby
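The gap sebb describes exists because the HTTP-01 challenge needs the host to answer for each name, which whimsy-vm5 cannot do for whimsy.apache.org until the A record moves. The script below is an added example, not part of this thread or of Whimsy's own tooling. It shows the other standard ACME route, the DNS-01 challenge, which proves control of a name through an `_acme-challenge` TXT record and so can be completed while whimsy.apache.org still points at whimsy-vm4 (infra still has to publish the TXT records, but no DNS switch-over is needed first), and a pre-switch check that a PEM certificate covers every name the new host will answer to. The three hostnames are the ones named in the thread; the certbot invocation (certbot is what letsencrypt-auto wraps), the example certificate path and the throw-away self-signed test certificate are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Whimsy thread or the Whimsy project.
# request_cert: obtain a certificate for the new host via the DNS-01
#               challenge, before whimsy.apache.org points at it.
# missing_sans: report required hostnames a PEM certificate does not cover.
# Hostnames come from the thread; everything else is an assumption.
set -eu

REQUIRED="whimsy.apache.org whimsy-vm5.apache.org whimsy5.apache.org"

# Ask Let's Encrypt for one certificate covering all required names using
# the DNS-01 challenge. certbot prints the TXT record to publish for each
# name and waits; whoever controls the apache.org zone adds them, and no
# host has to answer HTTP for the names. Not run by default (needs network).
request_cert() {
    # Word splitting of the $(...) is intentional: it yields one -d per name.
    certbot certonly --manual --preferred-challenges dns \
        $(for n in $REQUIRED; do printf -- '-d %s ' "$n"; done)
}

# Print the DNS names in a certificate's subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Print each required name the certificate does NOT cover.
# Returns 0 when every name is covered, 1 otherwise.
missing_sans() {
    cert="$1"; shift
    have=$(cert_sans "$cert")
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed, self-signed, throw-away certificate covering only the names
# given, so the check can be exercised offline (OpenSSL 1.1.1+ for -addext).
make_test_cert() {
    cert="$1"; key="$2"; shift 2
    sans=$(printf 'DNS:%s,' "$@"); sans="${sans%,}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=$sans" \
        -keyout "$key" -out "$cert" 2>/dev/null
}

# Usage: sh check-cert.sh [/etc/letsencrypt/live/whimsy.apache.org/cert.pem]
# (assumed path). Without an argument, demonstrate on a constructed
# certificate that lacks whimsy5.apache.org.
if [ $# -ge 1 ]; then
    missing_sans "$1" $REQUIRED && echo "certificate covers all required names"
else
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem" "$tmp/key.pem" whimsy.apache.org whimsy-vm5.apache.org
    missing_sans "$tmp/cert.pem" $REQUIRED || echo "(names above are missing from the certificate)"
    rm -rf "$tmp"
fi
```

Run the check against the certificate on whimsy-vm5 before asking infra to move the A record; a non-zero exit means the new host would serve a certificate that browsers reject for the listed names, which is exactly the window the thread wants to avoid.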