Re: HTTPS metadata in Mirrors.masterlist?

[Mattias Wadenstein <maswan@acc.umu.se>]

On Sun, 9 Apr 2017, Bastian Blank wrote:

> [ Dropped debian-boot from recipients ]
>
> On Sun, Apr 09, 2017 at 12:07:33PM +0200, Axel Beckert wrote:
> > Peter Palfrader wrote:
> > > Adding https just makes this a whole extra mess.
> > As outlined in my recent mail I don't think that it's that much of an
> > extra-effort once we track HTTPS in Mirrors.masterlist. And I
> > especially think the gain outweighs the additional effort.
>
> Please describe a workflow that allows us to re-point ftp.*.debian.org at
> will without intervention of the admin of the real system.  No, Let's
> Encrypt does not help, as this only allows to add live hostnames to
> certificates.

Well, if you accept a few minutes of downtime (i.e. horrible error 
messages from apt), you can repoint and then ssh-trigger a certbot run 
with adding another SAN. A bit on the hairy side to setup, and you'd still 
get failures until the httpd has picked up the new cert. Also, you might 
run into LE quota rules..

/Mattias Wadenstein