On 4 June 2016 at 17:33, Sam Ruby <[email protected]> wrote:
> On Sat, Jun 4, 2016 at 8:48 AM, sebb <[email protected]> wrote:
>> On 3 June 2016 at 19:33, Sam Ruby <[email protected]> wrote:
>>> This weekend I plan to update the DNS records to make whimsy.apache.org
>>> point to whimsy-vm3 instead of resolving (through the proxy) to whimsy-vm2.
>>> Once those changes are live:
>>>
>>> 1) whimsy2.apache.org can be used to access whimsy-vm2. You will likely get
>>> a certificate error as the hostname will not match the certificate.
>>>
>>> 2) whimsy.apache.org can be used to access whimsy-vm3. Again there will
>>> likely be a certificate error initially until I go through and re-request a
>>> certificate from letsencrypt. Should I run into problems, I may need to
>>> back the DNS changes out until I resolve the problem.
>>
>> Is there a reason why the hosts use their own specific certificates
>> rather than reusing the generic *.apache.org one?
>> That would work for all the host names.
>
> The infrastructure team tightly controls who has access to the
> wildcard certificate... if it got out, people could create
> man-in-the-middle attacks fairly easily. What this means is that the
> infrastructure team limits who can have sudo access to machines on
> which this certificate exists. While I could argue to treat
> whimsy-vm* as an exceptional case, I would rather that these machines
> be considered as much as possible as vanilla project vms.

OK understood.
I guess that is why some machines use proxies; the proxy hosts can be
carefully controlled whilst still allowing the cert to be used for
less restricted hosts.
But as we found out, the performance of the proxy is inadequate for
use with Whimsy.

> There already is a second project VM that is looking into using
> letsencrypt this way:
>
> https://issues.apache.org/jira/browse/INFRA-11960
>
>>> 3) whimsy3.apache.org will continue to be able to access whimsy-vm3.
>>>
>>> - Sam Ruby
>
> - Sam Ruby
