Re: Cert pinning, Certs and related

2016-11-29 Thread Kevin Fenzi
On Mon, 28 Nov 2016 15:32:02 -0500
Colin Walters wrote:

> On Mon, Nov 28, 2016, at 11:20 AM, Kevin Fenzi wrote:
> >
> > Yeah. I am not sure the process we will need to use to get some
> > other CA vendor. RH has a relationship with digicert, so we get our
> > certs via that. When using another vendor we may have to go through
> > some red-tape. So, I can't commit for a time when this would be
> > ready.   
> 
> OK, can you file the issue/request and link me to it?
>  
> > > We could probably move forward with Digicert + 1-2 other
> > > vendors as well.  Maybe to be conservative 2.  We can easily
> > > add a custom CA to the set as well at any point.  
> > 
> > We should make sure that the librepo/dnf folks are on board with
> > this plan before moving forward. :)   
> 
> Sure, I sent Honza and Igor a mail.

Hum. I was writing up an email on this, and something occurred to me. 

The various browsers already have our digicert cert hard coded. 
So, if we ever had problems with that cert and had to switch to the
secondary or tertiary certs, all browser access would be broken. ;( 

So, perhaps we should be more targeted here and only do this for some
particular endpoints? mirrors.fedoraproject.org and
dl.fedoraproject.org ? That way if we had to fall back to another cert
only those would be broken for browsers. 

Or should I just not worry too much about it because anything that
causes us to switch from the primary cert would likely be a massive
blowup anyhow?

kevin


___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
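The point Kevin is weighing above is what a client's pin set actually covers: a pin hard-coded to the current DigiCert-issued certificate breaks the moment the site falls back to a certificate from another vendor, whereas a pin set that names the CAs of every vendor the project might use keeps working. The following is an added example, not code from the Fedora infrastructure, librepo or dnf. It builds a throwaway PKI in Go's standard library (a "Primary Vendor CA" and a "Backup Vendor CA" that merely stand in for DigiCert and a second vendor; the keys are generated on the fly), issues a certificate for mirrors.fedoraproject.org from each, and checks both against a leaf-only pin and against a CA-level pin set. The pin format (base64 of the SHA-256 of the DER SubjectPublicKeyInfo, as HPKP used) is an assumption; the thread does not say what librepo would pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)) of a certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// template is a throwaway certificate template: a signing CA if ca is set, else a server cert for cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a fresh P-256 key and signs tmpl with parentKey (self-signed when parent is
// nil). This is constructed demo PKI standing in for real vendor CAs, so a failure here is fatal.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPinned runs ordinary chain validation against roots, then requires that some
// certificate in the validated chain (the leaf or any issuer) carries a pin from pinset.
func verifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pinset map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pinset[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("%s: no certificate in the chain matches the pin set", host)
}

// RunScenario models a primary and a backup CA vendor, issues a cert for host from each, and
// reports whether (1) the primary cert passes a pin hard-coded to that leaf, (2) the backup
// vendor's cert passes that same leaf-only pin, (3) the backup cert passes a pin set naming both CAs.
func RunScenario(host string) (primaryOK, fallbackUnderLeafPin, fallbackUnderCAPins bool) {
	primaryCA, primaryKey := makeCert(template("Primary Vendor CA", 1, true), nil, nil)
	backupCA, backupKey := makeCert(template("Backup Vendor CA", 2, true), nil, nil)
	primaryLeaf, _ := makeCert(template(host, 10, false), primaryCA, primaryKey)
	fallbackLeaf, _ := makeCert(template(host, 11, false), backupCA, backupKey)
	roots := x509.NewCertPool() // both vendors are trusted roots, as in any client trust store
	roots.AddCert(primaryCA)
	roots.AddCert(backupCA)
	leafOnly := map[string]bool{spkiPin(primaryLeaf): true}
	caSet := map[string]bool{spkiPin(primaryCA): true, spkiPin(backupCA): true}
	primaryOK = verifyPinned(primaryLeaf, host, roots, leafOnly) == nil
	fallbackUnderLeafPin = verifyPinned(fallbackLeaf, host, roots, leafOnly) == nil
	fallbackUnderCAPins = verifyPinned(fallbackLeaf, host, roots, caSet) == nil
	return
}

func main() {
	a, b, c := RunScenario("mirrors.fedoraproject.org")
	fmt.Println("primary/leaf-pin:", a, "fallback/leaf-pin:", b, "fallback/CA-pins:", c)
}
```

The second check is the breakage Kevin describes: ordinary chain validation succeeds for the fallback certificate (its issuer is a trusted root), and only the pin check rejects it. The third check is the "DigiCert + 1-2 other vendors" set Colin proposes; adding a custom CA later is one more entry in caSet. A per-endpoint policy, as Kevin suggests for mirrors.fedoraproject.org and dl.fedoraproject.org, would amount to choosing the pinset by host before calling verifyPinned.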


Re: koschei-backend reinstall as Fedora 25

2016-11-29 Thread Mikolaj Izdebski
On 11/28/2016 11:19 PM, Kevin Fenzi wrote:
> On Mon, 28 Nov 2016 09:59:18 +0100
Mikolaj Izdebski wrote:
> 
>> Hello,
>>
>> I would like to reinstall koschei-backend as Fedora 25 (currently it's
>> deployed on Fedora 24). This should hopefully fix Nagios warnings
>> about high swap usage.
>>
>> Could someone help me with the following two tasks?
>>
>>
>> 1. Create kickstart kvm-fedora-25-koschei as a copy of kvm-fedora-24,
>> with updated repos and doubled size of swap partition?
>>
>> For security reasons I'm not attaching updated kickstart,
>> but here's a "sed" patch instead:
>>
>>   sed -e s/24/25/g -e s/2048/4096/ kvm-fedora-24 > kvm-fedora-25-koschei
>>
>> Alternatively, like Kevin suggested, a generic kvm-fedora-25 could be
>> created with 4 GB of swap.
> 
> Yeah, that seems fine to me. I have done this now. ;) 

Thanks.

>>
>> 2. Terminate koschei-backend01.stg VM on virthost11 so that I can
>> recreate it with Ansible?
> 
> I can do this when you are around to redeploy? 

Patrick already did this for me. I'm trying to reinstall it right now.

Assuming staging reinstall is successful, I will attempt to follow up
with production reinstall during today's outage window.

-- 
Mikolaj Izdebski
Software Engineer, Red Hat
IRC: mizdebsk