* Nicolas Dandrimont <olasd@debian.org> [2017-11-22 12:57:31 +0100]:
> Having it controlled by humans through your git repo now (so we're sure we can
> have things set up for the miniconf without poking you too much), and scripting
> an external API during our sprint so we can have a turn-key setup for future
> events sounds like a fair compromise.
>
> I propose the following zones:
> - live.debconf.org controlled through git by {olasd@d.o, ivodd@d.o, stefanor@d.o}
> - live-test.debconf.org to be set up to be handled by an external API
>
> Once the external API has been tested we can switch that over.
>

Last night, we spent some time with Julien to set up the live.debconf.org zone
in DSA's domains.git repository. After some wondering at gitolite
configuration, this is now live.

I think the last thing missing is adding up the DNSSEC delegation for the new
zone, which I trust will happen in due time :).

> [...]
> > > > 3/ TLS certificate distribution for the streaming network
> > >
> > > Our streams are now fully HTTPS. During DebConf17, we used certbot to generate
> > > certificates manually on one of the machines (with the http-01 challenge) and
> > > then used ansible to push the private and public keys to the rest of the mirror
> > > network.
> > >
> > > Would it be possible to integrate ourselves in your letsencrypt setup, having a
> > > way to provide the aforementioned videoteam role user with the tls key/cert
> > > pair for pushing to the streaming network through ansible?
> > >
> > I don't think that's a good way to go, our setup works for
> > puppet-managed hosts but sending out keys to the world seems a bit ick.
> >
> > What are the actual requirements here? If you have access to the DNS
> > zone per 1) above, would handling dns-01 challenge yourselves work just
> > as well?
>
> We need:
>
> - a TLS certificate pair for https on the streaming backend, with SAN
> backend.live.debconf.org
>
> - TLS certificate pairs for https on the streaming frontends, with SANs
> <vmname>.live.debconf.org and {an,as,eu,na,oc,sa}.live.debconf.org
> (geographic redirects).
>
> Plugging ourselves into your certificate machinery was less work for us (in
> concrete terms, it would just be a matter of making the certificate pair
> available to the video-ansible role user on vittoria), and allows you to
> tighten down certificate issuance for debconf.org as you see fit.
>
> If we're getting direct control of the DNS zone, we can certainly generate
> certificates ourselves, using the dns-01 or http-01 challenge on the end
> machines, if you're fine with it.

Julien and I have agreed that we (DebConf video team) would handle certificate
generation on the fly for the streaming network. I've been adapting our tls
certificate ansible role to do so.

Thanks!
-- 
Nicolas Dandrimont

How do I type "for i in *.dvi do xdvi i done" in a GUI?
(Discussion in comp.os.linux.misc on the intuitiveness of interfaces.)
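The thread above pins down which Subject Alternative Names each streaming node's certificate must carry (backend.live.debconf.org for the backend; <vmname>.live.debconf.org plus the six regional redirect names for every frontend). When certificates are issued per host and pushed around by an ansible role, the failure mode to catch before deployment is a certificate that is valid but does not name every host it will serve. The following is an added example, not code from this thread or from the video team's ansible role: a stdlib-only Python check that derives the required name list for a node and reports which names a given SAN list fails to cover, using RFC 6125 wildcard rules (wildcard only as the whole leftmost label, covering exactly one label, never the zone apex). The vmname `fe1`, the sample SAN lists and the `getpeercert()`-shaped dict are constructed sample data.

```python
"""Check that a certificate's SAN list covers every hostname a streaming node
must serve.  Added example; not part of the mailing-list thread or of DSA's or
the video team's tooling.  The vmname "fe1" and the SAN lists in __main__ are
constructed sample data."""

from typing import Iterable, List, Optional

# Zone and geographic redirect labels named in the thread.
ZONE = "live.debconf.org"
REGIONS = ("an", "as", "eu", "na", "oc", "sa")


def required_names(role: str, vmname: Optional[str] = None) -> List[str]:
    """Names the thread says a node of the given role must have as SANs."""
    if role == "backend":
        return [f"backend.{ZONE}"]
    if role == "frontend":
        if not vmname:
            raise ValueError("frontend nodes need a vmname")
        return [f"{vmname}.{ZONE}"] + [f"{r}.{ZONE}" for r in REGIONS]
    raise ValueError(f"unknown role {role!r}")


def _norm(name: str) -> str:
    # DNS names are case-insensitive; strip an absolute-name trailing dot.
    return name.rstrip(".").lower()


def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style comparison of one dNSName SAN against a hostname."""
    san, host = _norm(san), _norm(host)
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, appear once, and have at
    # least two labels after it (reject things like "*.org").
    if san_labels[0] != "*" or san.count("*") != 1 or len(san_labels) < 3:
        return False
    # A wildcard covers exactly one label, so it never matches the apex
    # (live.debconf.org) or a deeper name (a.b.live.debconf.org).
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def missing_sans(required: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Required hostnames that no SAN in the certificate covers."""
    sans = list(sans)
    return [h for h in required if not any(san_matches(s, h) for s in sans)]


def sans_from_peercert(cert: dict) -> List[str]:
    """Pull dNSName entries out of the dict shape ssl.SSLSocket.getpeercert()
    returns, so a deployed node can be checked over the wire."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Constructed sample: a frontend certificate that forgot the regional names.
    frontend = required_names("frontend", "fe1")
    deployed = {"subjectAltName": (("DNS", "fe1.live.debconf.org"),
                                   ("DNS", "eu.live.debconf.org"))}
    gaps = missing_sans(frontend, sans_from_peercert(deployed))
    print("missing SANs:", gaps or "none")
    # A single wildcard certificate would cover every frontend name.
    print("wildcard covers all:", not missing_sans(frontend, ["*.live.debconf.org"]))
```

Running the check from the ansible role right after the certificate is fetched, and failing the play when `missing_sans()` returns anything, catches a mis-issued certificate before it reaches the mirror network rather than when a client in one region gets a hostname mismatch.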