On Sat, Jun 4, 2016 at 8:48 AM, sebb <[email protected]> wrote: > On 3 June 2016 at 19:33, Sam Ruby <[email protected]> wrote: >> This weekend I plan to update the DNS records to make whimsy.apache.org >> point to whimsy-vm3 instead of resolving (through the proxy) to whimsy-vm2. >> Once those changes are live: >> >> 1) whimsy2.apache.org can be used to access whimsy-vm2. You will likely get >> a certificate error as the hostname will not match the certificate. >> >> 2) whimsy.apache.org can be used to access whimsy-vm3. Again there will >> likely be a certificate error initially until I go through and re-request a >> certificate from letsencrypt. Should I run into problems, I may need to >> back the DNS changes out until I resolve the problem. > > Is there a reason why the hosts use their own specific certificates > rather than reusing the generic *.apache.org one? > That would work for all the host names.
The infrastructure team tightly controls who has access to the wildcard certificate... if it got out, people could create man-in-the-middle attacks fairly easily. What this means is that the infrastructure team limits who can have sudo access to machines on which this certificate exists. While I could argue for to treat whimsy-vm* as an exceptional case, I would rather that these machines be considered as much as possible as vanilla project vms. There already is a second project VM that is looking into using letsencrypt this way: https://issues.apache.org/jira/browse/INFRA-11960 >> 3) whimsy3.apache.org will continue to be able to access whimsy-vm3. >> >> - Sam Ruby - Sam Ruby
