So, we had a few problems with Fedora Magazine and a proxy (cf https://pagure.io/fedora-infrastructure/issue/8109#comment-591507 ) which requires us to do some potentially disrupting change (aka stop using the proxy setup). Since commblog is also affected (even if no one reported anything), I will need to do the same change.
However, this would requires a transfer of the SSL certificate, and that is causing some issues. While fedoramagazine use a separate domain and certificate, commblog don’t and reuse the wildcard certificate of Fedora. I suspect that while I can get the private key for the first one, I will not get it for the 2nd one for security reasons (I mean, with it, I can pretty much MITM the main mirror and a ton of stuff ).
So there is 2 way out of that:
- we lower the TTL of the domain to 5 minutes
- we wait until that propagated
- we switch DNS
from here, people will see https error due to certificate mismatch.
- after 5 to 10 minutes, we turn TLS certificate using lets encrypt on WPengine
this will result in a new certificate to be issued and installed.
This might cause 5 to 1h of TLS error, and while that’s not critical, I prefer to warn in advance.
To explain why we need to do that is because we have a catch-22. We can’t get automatically a TLS certificate from letsencrypt on wpengine before having DNS pointing to the website. But if we change the DNS, the certificate wouldn’t be valid.
However, we also have 2nd manual option, using DNS and getting a certificate in advance. See the fedora infra ticket for the detail. This is something that would be safe in the sense that there is no disruption until that is ready, but that I never did before.
So that’s still experimental, and I have too much experience to think it will go as smoothly as I explained.
In both case, i do not plan to change anything until next week for the commblog. Since the beta freeze is on the 29, I guess I should avoid that date and do it before if I can ?