* Nicolas Dandrimont <olasd@debian.org> [2017-11-22 12:57:31 +0100]:
> Having it controlled by humans through your git repo now (so we're sure we can
> have things set up for the miniconf without poking you too much), and scripting
> an external API during our sprint so we can have a turn-key setup for future
> events sounds like a fair compromise.
>
> I propose the following zones:
> - live.debconf.org controlled through git by {olasd@d.o, ivodd@d.o, stefanor@d.o}
> - live-test.debconf.org to be set up to be handled by an external API
>
> Once the external API has been tested we can switch that over.
>
Last night, we spent some time with Julien to set up the live.debconf.org zone
in DSA's domains.git repository. After some wondering at gitolite
configuration, this is now live. I think the last thing missing is adding up
the DNSSEC delegation for the new zone, which I trust will happen in due
time :).
> [...]
>
> > > 3/ TLS certificate distribution for the streaming network
> > >
> > > Our streams are now fully HTTPS. During DebConf17, we used certbot to generate
> > > certificates manually on one of the machines (with the http-01 challenge) and
> > > then used ansible to push the private and public keys to the rest of the mirror
> > > network.
> > >
> > > Would it be possible to integrate ourselves in your letsencrypt setup, having a
> > > way to provide the aforementioned videoteam role user with the tls key/cert
> > > pair for pushing to the streaming network through ansible?
> > >
> > I don't think that's a good way to go, our setup works for
> > puppet-managed hosts but sending out keys to the world seems a bit ick.
> >
> > What are the actual requirements here? If you have access to the DNS
> > zone per 1) above, would handling dns-01 challenge yourselves work just
> > as well?
>
> We need:
>
> - a TLS certificate pair for https on the streaming backend, with SAN
> backend.live.debconf.org
>
> - TLS certificate pairs for https on the streaming frontends, with SANs
> <vmname>.live.debconf.org and {an,as,eu,na,oc,sa}.live.debconf.org
> (geographic redirects).
>
> Plugging ourselves into your certificate machinery was less work for us (in
> concrete terms, it would just be a matter of making the certificate pair
> available to the video-ansible role user on vittoria), and allows you to
> tighten down certificate issuance for debconf.org as you see fit.
>
> If we're getting direct control of the DNS zone, we can certainly generate
> certificates ourselves, using the dns-01 or http-01 challenge on the end
> machines, if you're fine with it.
Julien and I have agreed that we (DebConf video team) would handle certificate
generation on the fly for the streaming network. I've been adapting our tls
certificate ansible role to do so.
Thanks!
--
Nicolas Dandrimont
How do I type "for i in *.dvi do xdvi i done" in a GUI?
(Discussion in comp.os.linux.misc on the intuitiveness of interfaces.)
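As an added example (not code from this thread or from the video team's ansible role), a small check for the per-host issuance agreed above: it derives the SANs a backend or frontend certificate must cover from the naming scheme in the requirements, lists the _acme-challenge owner names a dns-01 order for them needs in the live.debconf.org zone, and flags an issued certificate whose SAN set is missing names or, more importantly, covers names outside its role (one private key should not serve both tiers). The host name "vm1" and the geographic assignment are constructed.

```python
# Added example, not the video team's role; host names below are constructed.
ZONE = "live.debconf.org"
GEO = frozenset({"an", "as", "eu", "na", "oc", "sa"})  # geographic redirect labels


def required_sans(role, vmname=None, geo=()):
    """SANs a host of the given role must hold, as a frozenset of FQDNs.

    backend  -> backend.live.debconf.org
    frontend -> <vmname>.live.debconf.org plus the geographic names it serves
    """
    if role == "backend":
        return frozenset({f"backend.{ZONE}"})
    if role != "frontend":
        raise ValueError(f"unknown role: {role!r}")
    if not vmname:
        raise ValueError("a frontend needs its vmname")
    unknown = set(geo) - GEO
    if unknown:
        raise ValueError(f"not a geographic label: {sorted(unknown)}")
    return frozenset({f"{vmname}.{ZONE}", *(f"{g}.{ZONE}" for g in geo)})


def dns01_records(sans):
    """Owner names of the TXT records a dns-01 order for these SANs publishes."""
    return sorted(f"_acme-challenge.{name}" for name in sans)


def normalise(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def check_cert(cert_sans, role, vmname=None, geo=()):
    """Compare an issued certificate's SANs with the role requirement.

    Returns (missing, extra). 'extra' matters for key scope: a frontend key
    that also covers backend.live.debconf.org means one private key serving
    both tiers, which per-host issuance is meant to avoid.
    """
    want = required_sans(role, vmname, geo)
    have = frozenset(normalise(n) for n in cert_sans)
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    # constructed frontend "vm1" serving the eu and na redirects
    print(dns01_records(required_sans("frontend", "vm1", ("eu", "na"))))
    print(check_cert(["VM1.live.debconf.org.", "eu.live.debconf.org",
                      "backend.live.debconf.org"], "frontend", "vm1", ("eu", "na")))
```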