On Wed, 15 Apr 2020 at 13:34, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Wed, Apr 15, 2020 at 7:59 AM sebb <seb...@gmail.com> wrote:
> >
> > On Wed, 15 Apr 2020 at 12:29, Sam Ruby <ru...@intertwingly.net> wrote:
> > >
> > > On Wed, Apr 15, 2020 at 7:21 AM sebb <seb...@gmail.com> wrote:
> > > >
> > > > I'm wondering what the process is to generate an SSL certificate for a
> > > > new Whimsy host?
> > >
> > > letsencrypt-auto
> > >
> > > > AFAICT, the current instructions assume that the website responds to
> > > > the hostname 'whimsy.apache.org', however that won't be the case until
> > > > the website is switched over.
> > >
> > > letsencrypt requires the host to be able to respond to the list of
> > > hostnames passed to us.
> >
> > Exactly.
> > However only the current Whimsy master responds to whimsy.apache.org.
> >
> > > > The SSL cert needs to be in place before switch-over occurs.
> > > >
> > > > Is there a way to generate the new SSL certificate in advance, without
> > > > affecting the current Whimsy master?
> > >
> > > I'm not certain I understand the question. What needs to be done is
> > > to have, every time letsencrypt is run on a machine, that machine
> > > own the list of hostnames that are passed on the command.
> > >
> > > When DNS changes affect a machine (for example, when whimsy.apache.org
> > > is moved to point to the new machine), letsencrypt will need to be run
> > > again (likely manually) at that time.
> > >
> > > Did I answer your question?
> >
> > Not really.
> >
> > Currently whimsy-vm4 is the Whimsy master.
> > The certificate applies to whimsy.apache.org as well as
> > whimsy-vm4.apache.org (and whimsy4.apache.org).
> >
> > If we wish to switch over to whimsy-vm5, we will need to generate an
> > SSL certificate that applies to the host
> > whimsy.apache.org as well as whimsy-vm5.apache.org (and whimsy5.apache.org).
> >
> > AFAICT to do this using letsencrypt-auto requires the following process:
> >
> > - ask infra to change the DNS so whimsy.apache.org points to whimsy-vm5
> > - wait an indeterminate time until the DNS change has occurred
> > - run the letsencrypt script
>
> Yes. FWIW, the DNS definition can be found here:
> https://svn.apache.org/repos/infra/infrastructure/trunk/dns/zones
>
> From memory, the process is to update the apache.org file, run
> generate.py locally, check in both the apache.org and generated file,
> and ask infra to kick the servers.
>
> > Whilst this will eventually result in the new host taking over, there
> > may be several hours during which the SSL certificate is not valid for
> > whimsy-vm5.
> >
> > If the cert could be obtained in advance, this would be avoided.
>
> I don't believe that is possible. lets-encrypt will only validate
> machines that it can verify respond to a given dns name.

I think I may have discovered a possible way to do a manual certificate request:
https://certbot.eff.org/docs/using.html#manual

In theory one should be able to run this on whimsy-vm5.
So long as one can copy the challenge file into the correct directories
on whimsy-vm4 and whimsy-vm5, AFAICT it would be sufficient to prove
ownership of the relevant web servers.

> While what I am about to describe will require more work, it can
> minimize downtime.
>
> Change the DNS so that both -vm4 and -vm5 (and perhaps other names)
> point to the current whimsy host. Get a certificate for all. Copy
> that certificate to -vm5 and rejigger DNS. That will last until the
> certificate expires.

Neat.

> > Note: the Secretary workbench will need to be paused during switchover
> > as some of its mutable data is stored locally rather than in SVN, Git
> > or LDAP.
> > That data needs to be copied across to avoid duplication.
>
> We can reach out to Matt and Craig and coordinate. That function
> could be moved today, with Matt and Chris using the full hostname
> until the full switchover is complete. Alternately, the workbench can
> be set up to proxypass to the live host.

Good point.

> > Sebb
> >
> > > - Sam Ruby.
>
> - Sam Ruby
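The manual approach described above, where the same challenge file must be reachable on both whimsy-vm4 and whimsy-vm5 so the ACME probe succeeds whichever host the shared name currently resolves to, is what a certbot authentication hook can automate. As an added example that is not part of this thread, the POSIX shell hook below writes the HTTP-01 challenge into the local ACME webroot and copies it to the peer host; the webroot path, peer hostname and ssh access between the two machines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --manual-auth-hook for the
# HTTP-01 challenge. certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION to
# the hook; the challenge file is written into the ACME webroot on this host
# and copied to the peer host, so validation succeeds whichever machine the
# shared name currently resolves to. WEBROOT and PEER_HOST are assumed values.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"               # assumed document root
PEER_HOST="${PEER_HOST:-whimsy-vm4.apache.org}"   # host DNS still points at
ACME_DIR=".well-known/acme-challenge"

# write_challenge WEBROOT TOKEN VALIDATION -> prints the path written.
# The file name is the token; the body is the validation string, no newline.
write_challenge() {
    webroot="$1"; token="$2"; validation="$3"
    # Reject tokens that could place the file outside the challenge directory.
    case "$token" in
        ''|.*|*/*) echo "refusing unsafe token: $token" >&2; return 1 ;;
    esac
    mkdir -p "$webroot/$ACME_DIR"
    printf '%s' "$validation" > "$webroot/$ACME_DIR/$token"
    echo "$webroot/$ACME_DIR/$token"
}

# push_to_peer FILE: place the same file under the peer's webroot via ssh/scp.
push_to_peer() {
    ssh "$PEER_HOST" "mkdir -p '$WEBROOT/$ACME_DIR'"
    scp -q "$1" "$PEER_HOST:$WEBROOT/$ACME_DIR/"
}

# When invoked by certbot (CERTBOT_TOKEN set), publish the challenge on both hosts.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    f=$(write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION")
    push_to_peer "$f"
fi
```

Run it on the new host as `certbot certonly --manual --preferred-challenges http --manual-auth-hook ./acme-hook.sh -d whimsy.apache.org -d whimsy-vm5.apache.org`; a matching `--manual-cleanup-hook` can remove the files from both hosts afterwards.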