]] Dimitri John Ledkov

> I'm not a sysadmin. My naive approach would be to have cname specified
> on the certs that are subject to redirect. E.g. ftp.d.o should have
> cname's for all country codes, such that any country mirror can fall
> back to ftp.d.o.

This would restrict us to always point a ftp.XX.d.o name to ftp.d.o.
Sometimes, it'd be more appropriate to point it to a closer geographical
mirror. (Say ftp.nz were performing maintenance, it'd be a lot more
reasonable to send that traffic to Australia than to the Netherlands.)

Is this impossible to fix/work around? No. However, it requires more
thought and design than just slapping a few letsencrypt certs onto some
hosts.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

