On Thu, 16 Apr 2020 at 12:49, sebb <seb...@gmail.com> wrote:
>
> On Wed, 15 Apr 2020 at 13:34, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > On Wed, Apr 15, 2020 at 7:59 AM sebb <seb...@gmail.com> wrote:
> > >
> > > On Wed, 15 Apr 2020 at 12:29, Sam Ruby <ru...@intertwingly.net> wrote:
> > > >
> > > > On Wed, Apr 15, 2020 at 7:21 AM sebb <seb...@gmail.com> wrote:
> > > > >
> > > > > I'm wondering what the process is to generate an SSL certificate for a
> > > > > new Whimsy host?
> > > >
> > > > letsencrypt-auto
> > > >
> > > > > AFAICT, the current instructions assume that the website responds to
> > > > > the hostname 'whimsy.apache.org', however that won't be the case until
> > > > > the website is switched over.
> > > >
> > > > letsencrypt requires the host to be able to respond to the list of
> > > > hostnames passed to us.
> > >
> > > Exactly.
> > > However only the current Whimsy master responds to whimsy.apache.org.
> > >
> > > > > The SSL cert needs to be in place before switch-over occurs.
> > > > >
> > > > > Is there a way to generate the new SSL certificate in advance, without
> > > > > affecting the current Whimsy master?
> > > >
> > > > I'm not certain I understand the question. What needs to be done is
> > > > to have every time letsencrypt is run on a machine that that machine
> > > > owns the list of hostnames that are passed on the command.
> > > >
> > > > When DNS changes affect a machine (for example, when whimsy.apache.org
> > > > is moved to point to the new machine), letsencrypt will need to be run
> > > > again (likely manually) at that time.
> > > >
> > > > Did I answer your question?
> > >
> > > Not really.
> > >
> > > Currently whimsy-vm4 is the Whimsy master.
> > > The certificate applies to whimsy.apache.org as well as
> > > whimsy-vm4.apache.org (and whimsy4.apache.org).
> > >
> > > If we wish to switch over to whimsy-vm5, we will need to generate an
> > > SSL certificate that applies to the host
> > > whimsy.apache.org as well as whimsy-vm5.apache.org (and
> > > whimsy5.apache.org).
> > >
> > > AFAICT to do this using letsencrypt-auto requires the following process:
> > >
> > > - ask infra to change the DNS so whimsy.apache.org points to whimsy-vm5
> > > - wait an indeterminate time until the DNS change has occurred
> > > - run the letsencrypt script
> >
> > Yes. FWIW, the DNS definition can be found here:
> > https://svn.apache.org/repos/infra/infrastructure/trunk/dns/zones
> >
> > From memory, the process is to update the apache.org file, run
> > generate.py locally, check in both the apache.org and generated file,
> > and ask infra to kick the servers.
> >
> > > Whilst this will eventually result in the new host taking over, there
> > > may be several hours during which the SSL certificate is not valid for
> > > whimsy-vm5.
> > >
> > > If the cert could be obtained in advance, this would be avoided.
> >
> > I don't believe that is possible. lets-encrypt will only validate
> > machines that it can verify respond to a given dns name.
>
> I think I may have discovered a possible way to do a manual certificate
> request:
>
> https://certbot.eff.org/docs/using.html#manual
>
> In theory one should be able to run this on whimsy-vm5.
> So long as one can copy the challenge file into the correct
> directories on whimsy-vm4 and whimsy-vm5, AFAICT it would be
> sufficient to prove ownership of the relevant web servers.

That has worked; the new cert for whimsy-vm5 now includes whimsy.apache.org.

The scripts to do the work are in infra puppet and get copied to /root.

Note that there are still some tweaks needed to the whimsy-vm5 yaml defines before changeover.
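The manual-request idea from the last quoted paragraph, as an added example (not the infra puppet scripts the message mentions): a certbot manual auth hook that places the HTTP-01 token on both whimsy-vm4 and whimsy-vm5 and checks that each host actually serves it before the CA is asked to validate. The web root, root ssh access to both hosts, and the host list are assumptions.

```shell
#!/bin/sh
# Added illustration of the manual workflow, shaped as a certbot
# --manual-auth-hook. Not the infra puppet script from the thread; web root,
# ssh user and host list are assumptions.
#
# Why both hosts: the CA follows DNS, which still points at whimsy-vm4, while
# the key and request live on whimsy-vm5, so the token must be served by
# whichever machine the CA reaches. certbot exports CERTBOT_DOMAIN,
# CERTBOT_TOKEN and CERTBOT_VALIDATION into the hook's environment.
set -eu

CHALLENGE_HOSTS="${CHALLENGE_HOSTS:-whimsy-vm4.apache.org whimsy-vm5.apache.org}"
WEBROOT="${WEBROOT:-/var/www/whimsy}"   # assumed document root of the vhost
ACME_DIR=".well-known/acme-challenge"

# ACME tokens are base64url; anything else is not a token and must never
# become part of a filesystem path.
safe_token() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Write the key authorization under a local web root; prints the file path.
# Usage: write_challenge WEBROOT TOKEN VALIDATION
write_challenge() {
    safe_token "$2" || { echo "refusing unsafe token: $2" >&2; return 1; }
    mkdir -p "$1/$ACME_DIR"
    printf '%s' "$3" > "$1/$ACME_DIR/$2"
    chmod 0644 "$1/$ACME_DIR/$2"
    echo "$1/$ACME_DIR/$2"
}

# Push the token to every host that may receive the CA's request, then fetch
# it back through each host's vhost so a bad mapping fails here, not at the CA.
deploy_challenge() {
    safe_token "$CERTBOT_TOKEN" || { echo "refusing unsafe token" >&2; return 1; }
    for host in $CHALLENGE_HOSTS; do
        printf '%s' "$CERTBOT_VALIDATION" | ssh "root@$host" \
            "mkdir -p '$WEBROOT/$ACME_DIR' && cat > '$WEBROOT/$ACME_DIR/$CERTBOT_TOKEN'"
        got=$(curl -fsS -H "Host: $CERTBOT_DOMAIN" "http://$host/$ACME_DIR/$CERTBOT_TOKEN")
        [ "$got" = "$CERTBOT_VALIDATION" ] || { echo "$host does not serve the challenge" >&2; return 1; }
    done
}

# certbot sets CERTBOT_TOKEN when it calls the hook; run directly, the file
# only defines the functions.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    deploy_challenge
fi
```

Invoke with `certbot certonly --manual --preferred-challenges http --manual-auth-hook /root/acme-hook.sh -d whimsy.apache.org -d whimsy-vm5.apache.org` on whimsy-vm5 (path assumed); a matching cleanup hook removing the token from both hosts is left out here.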