On Tue, Mar 24, 2020 at 3:33 AM Paul Wise wrote:

> I've forwarded this to the Debian sysadmins IRC channel. I think it is
> related to the fact that the cdimage.d.o server is not managed by the
> Debian sysadmins, so the UMU ACC admins probably used Let's Encrypt to
> get certs, and then of course the TLSA records got outdated after the
> renewal. For other debian.org domains that are not managed by the
> Debian sysadmins, we centrally create the certs and propagate them to
> external services (like the CDNs for deb.d.o). The cdimage.d.o server
> isn't a CDN and probably doesn't have cert APIs but we can probably
> use the same approach to fix this.

The result was that the mismatch was caused by a bug in the Debian sysadmin puppet. The fix was to remove the TLSA records for this domain due to the aforementioned management disconnect. If the cert management for cdimage.d.o changes to the deb.d.o setup then the TLSA records will return and be correct.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
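
The stale-TLSA condition discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of Debian's tooling: it compares a certificate with TLSA rdata per RFC 6698 and shows that a selector 1 (public key) record survives a renewal that keeps the key, while any record breaks when the key changes. All function names are hypothetical, `sample_cert` builds constructed unsigned DER rather than a real certificate, and the usage field is parsed but not enforced.

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, after = _tlv(cert_der, pos)
    pos = after if tag == 0xA0 else pos  # skip optional [0] version
    for _field in range(5):             # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def selected(cert_der, selector):
    """RFC 6698 selector: 0 = whole certificate, 1 = SubjectPublicKeyInfo."""
    return cert_der if selector == 0 else spki_from_cert(cert_der)

def tlsa_matches(cert_der, rdata):
    """Check a cert against TLSA rdata 'usage selector mtype data'."""
    fields = rdata.split()
    blob, mtype = selected(cert_der, int(fields[1])), int(fields[2])
    got = blob.hex() if mtype == 0 else hashlib.new(
        {1: "sha256", 2: "sha512"}[mtype], blob).hexdigest()
    return got == "".join(fields[3:]).lower()

def publish(cert_der, selector):  # rdata "3 <selector> 1 <sha256 hex>"
    return f"3 {selector} 1 {hashlib.sha256(selected(cert_der, selector)).hexdigest()}"

def _der(tag, body):  # short-form encoder, sample data only
    return bytes([tag, len(body)]) + body

def sample_cert(pubkey, serial):
    """Constructed unsigned DER skeleton in X.509 field order; not a real cert."""
    empty = _der(0x30, b"")
    spki = _der(0x30, empty + _der(0x03, b"\x00" + pubkey))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))

if __name__ == "__main__":
    old, renewed = sample_cert(b"OLDKEY00", 1), sample_cert(b"NEWKEY00", 2)
    print(tlsa_matches(old, publish(old, 1)), tlsa_matches(renewed, publish(old, 1)))
```

Run against a real certificate by passing its DER bytes (for example from `ssl.PEM_cert_to_DER_cert`) and the rdata returned by a TLSA query for the service.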