On Wed, Apr 15, 2020 at 7:59 AM sebb <seb...@gmail.com> wrote:
>
> On Wed, 15 Apr 2020 at 12:29, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > On Wed, Apr 15, 2020 at 7:21 AM sebb <seb...@gmail.com> wrote:
> > >
> > > I'm wondering what the process is to generate an SSL certificate for a
> > > new Whimsy host?
> >
> > letsencrypt-auto
> >
> > > AFAICT, the current instructions assume that the website responds to
> > > the hostname 'whimsy.apache.org', however that won't be the case until
> > > the website is switched over.
> >
> > letsencrypt requires the host to be able to respond to the list of
> > hostnames passed to us.
>
> Exactly.
> However only the current Whimsy master responds to whimsy.apache.org.
>
> > > The SSL cert needs to be in place before switch-over occurs.
> > >
> > > Is there a way to generate the new SSL certificate in advance, without
> > > affecting the current Whimsy master?
> >
> > I'm not certain I understand the question. What needs to be done is
> > to have every time letsencrypt is run on a machine that that machine
> > owns the list of hostnames that are passed on the command.
> >
> > When DNS changes affect a machine (for example, when whimsy.apache.org
> > is moved to point to the new machine), letsencrypt will need to be run
> > again (likely manually) at that time.
> >
> > Did I answer your question?
>
> Not really.
>
> Currently whimsy-vm4 is the Whimsy master.
> The certificate applies to whimsy.apache.org as well as
> whimsy-vm4.apache.org (and whimsy4.apache.org).
>
> If we wish to switch over to whimsy-vm5, we will need to generate an
> SSL certificate that applies to the host
> whimsy.apache.org as well as whimsy-vm5.apache.org (and whimsy5.apache.org).
>
> AFAICT to do this using letsencrypt-auto requires the following process:
>
> - ask infra to change the DNS so whimsy.apache.org points to whimsy-vm5
> - wait an indeterminate time until the DNS change has occurred
> - run the letsencrypt script
Yes. FWIW, the DNS definition can be found here:

https://svn.apache.org/repos/infra/infrastructure/trunk/dns/zones

From memory, the process is to update the apache.org file, run
generate.py locally, check in both the apache.org and generated file,
and ask infra to kick the servers.

> Whilst this will eventually result in the new host taking over, there
> may be several hours during which the SSL certificate is not valid for
> whimsy-vm5
>
> If the cert could be obtained in advance, this would be avoided.

I don't believe that is possible. lets-encrypt will only validate
machines that it can verify respond to a given dns name.

While what I am about to describe will require more work, it can
minimize downtime. Change the DNS so that both -vm4 and -vm5 (and
perhaps other names) point to the current whimsy host. Get a
certificate for all. Copy that certificate to -vm5 and rejigger DNS.
That will last until the certificate expires.

> Note: the Secretary workbench will need to be paused during switchover
> as some of its mutable data is stored locally rather than in SVN, Git
> or LDAP.
> That data needs to be copied across to avoid duplication.

We can reach out to Matt and Craig and coordinate. That function could
be moved today, with Matt and Chris using the full hostname until the
full switchover is complete. Alternately, the workbench can be set up
to proxypass to the live host.

> > Sebb
> >
> > - Sam Ruby.

- Sam Ruby
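As an added example (not code from this thread or from the Whimsy project), here is a stdlib-only Python check for the condition Sam's plan depends on: before DNS is "rejiggered", the certificate copied to the new host must list every hostname that host will serve and must not be close to expiry. The hostnames are the ones named in the thread; the certificates fed to the checker are built inside the block by the assumed `build_test_cert` helper and are unsigned stand-ins, not real certificates. `DEMO_NOW` and the seven-day minimum are assumptions of this example. For a real certificate, pass the DER bytes read from the file on disk (base64-decode the body of a PEM file first).

```python
"""Pre-switchover check for a copied certificate.

Parses just enough DER/ASN.1 (stdlib only) to pull notAfter and the
subjectAltName dNSName entries out of an X.509 certificate, then decides
whether the certificate is fit for the new host's hostnames.
"""
import datetime

SAN_OID = bytes.fromhex("551d11")  # DER body of OID 2.5.29.17 (subjectAltName)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def cert_names_and_expiry(der):
    """Return ({lower-cased dNSName SANs}, notAfter as an aware UTC datetime)."""
    _, cert, _ = _read_tlv(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)   # tbsCertificate is its first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, ..., [3] extensions
    time_tag, raw = list(_children(fields[3][1]))[1]  # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if time_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_after = datetime.datetime.strptime(raw.decode("ascii"), fmt).replace(
        tzinfo=datetime.timezone.utc)
    names = set()
    for tag, wrapper in fields[6:]:
        if tag != 0xA3:              # only the [3] extensions wrapper
            continue
        _, ext_list = next(_children(wrapper))     # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            parts = list(_children(ext))           # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] != SAN_OID:
                continue
            _, general_names, _ = _read_tlv(parts[-1][1], 0)
            for gn_tag, gn_val in _children(general_names):
                if gn_tag == 0x82:                 # [2] IMPLICIT dNSName
                    names.add(gn_val.decode("ascii").lower())
    return names, not_after


def ready_for_switchover(der, required_names, now=None, min_days=7):
    """Return (ok, missing_names, days_left): ok only if every required name
    is in the SAN list and at least min_days of validity remain."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    names, not_after = cert_names_and_expiry(der)
    missing = {n.lower() for n in required_names} - names
    days_left = (not_after - now).days
    return (not missing and days_left >= min_days, missing, days_left)


# --- constructed demo material below: these are NOT real certificates --------

def _tlv(tag, body):
    """Encode one DER TLV (lengths up to 65535 suffice for a demo cert)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def build_test_cert(dns_names, not_after):
    """Unsigned stand-in certificate carrying only the fields the checker reads
    (empty names, empty key, empty signature). Assumed helper for this demo."""
    def utctime(d):
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    empty_seq = _tlv(0x30, b"")
    validity = _tlv(0x30, utctime(not_after - datetime.timedelta(days=90)) + utctime(not_after))
    san = _tlv(0x30, b"".join(_tlv(0x82, n.encode()) for n in dns_names))
    ext = _tlv(0x30, _tlv(0x06, SAN_OID) + _tlv(0x04, san))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + empty_seq + empty_seq + validity + empty_seq + empty_seq
               + _tlv(0xA3, _tlv(0x30, ext)))
    return _tlv(0x30, tbs + empty_seq + _tlv(0x03, b"\x00"))


DEMO_NOW = datetime.datetime(2020, 4, 15, 12, 0, tzinfo=datetime.timezone.utc)
VM5_NAMES = ["whimsy.apache.org", "whimsy-vm5.apache.org", "whimsy5.apache.org"]
# The certificate currently on whimsy-vm4, as described in the thread.
VM4_CERT = build_test_cert(["whimsy.apache.org", "whimsy-vm4.apache.org", "whimsy4.apache.org"],
                           DEMO_NOW + datetime.timedelta(days=60))
# The "certificate for all", obtained while every name still points at vm4.
BRIDGE_CERT = build_test_cert(["whimsy.apache.org", "whimsy-vm4.apache.org", "whimsy4.apache.org",
                               "whimsy-vm5.apache.org", "whimsy5.apache.org"],
                              DEMO_NOW + datetime.timedelta(days=60))
# Right names, but only three days of validity left: not worth copying over.
EXPIRING_CERT = build_test_cert(VM5_NAMES, DEMO_NOW + datetime.timedelta(days=3))

if __name__ == "__main__":
    for label, cert in (("vm4", VM4_CERT), ("bridge", BRIDGE_CERT), ("expiring", EXPIRING_CERT)):
        print(label, ready_for_switchover(cert, VM5_NAMES, DEMO_NOW))
```

Run it against the three constructed certificates and only the "bridge" one passes: the vm4 certificate is missing both vm5 names, and the expiring one covers the names but would need renewing almost immediately after the DNS change, which is exactly the window the thread is trying to avoid.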