Re: When should we https our mirrors?
]] Dimitri John Ledkov
> I'm not a sysadmin. My naive approach would be to have cname specified
> on the certs that are subject to redirect. E.g. ftp.d.o should have
> cname's for all country codes, such that any country mirror can fall
> back to ftp.d.o.
This would restrict us to always point a ftp.XX.d.o name to ftp.d.o.
Sometimes, it'd be more appropriate to point it to a closer geographical
mirror. (Say ftp.nz were performing maintenance, it'd be a lot more
reasonable to send that traffic to Australia than to the Netherlands.)

Is this impossible to fix/work around? No. However, it requires more
thought and design than just slapping a few letsencrypt certs onto
some hosts.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
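
The constraint discussed in this message, as an added example that is not part of the original mail or of any Debian tooling: a name can only be redirected to a mirror whose certificate lists that name. The host names reuse the thread's abbreviations, and the certificate name lists and the REGIONAL variant are constructed assumptions.

```python
# Added illustration: which mirrors can take over a country name without
# breaking TLS hostname verification? All names and lists are constructed.

def san_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' standing for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def failover_targets(name, mirror_sans):
    """Mirrors whose certificate a client would accept when it asked for `name`."""
    return sorted(m for m, sans in mirror_sans.items()
                  if any(san_matches(s, name) for s in sans))


def usable_fallbacks(name, mirror_sans, down):
    """Acceptable targets for `name` once the mirrors in `down` are excluded."""
    return [m for m in failover_targets(name, mirror_sans) if m not in down]


# Scheme from the quoted proposal: only ftp.d.o carries every country name.
PROPOSED = {
    "ftp.d.o":    ["ftp.d.o", "ftp.nz.d.o", "ftp.au.d.o", "ftp.nl.d.o"],
    "ftp.nz.d.o": ["ftp.nz.d.o"],
    "ftp.au.d.o": ["ftp.au.d.o"],
    "ftp.nl.d.o": ["ftp.nl.d.o"],
}

# Assumed variant: the Australian mirror's certificate also lists the NZ name.
REGIONAL = dict(PROPOSED)
REGIONAL["ftp.au.d.o"] = ["ftp.au.d.o", "ftp.nz.d.o"]

if __name__ == "__main__":
    down = {"ftp.nz.d.o"}     # the NZ mirror is in maintenance
    print("proposed:", usable_fallbacks("ftp.nz.d.o", PROPOSED, down))
    print("regional:", usable_fallbacks("ftp.nz.d.o", REGIONAL, down))
    # A single-label wildcard does not cover the country names:
    print("*.d.o covers ftp.nz.d.o:", san_matches("*.d.o", "ftp.nz.d.o"))
```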