On 2020-08-03 20:48:22 +0000 (+0000), Jeremy Stanley wrote:
On 2020-08-01 14:09:53 +0000 (+0000), Jeremy Stanley wrote:
[...]

Clark just reminded me in the #opendev IRC channel that we already serve separate _acme-challenge.review and _acme-challenge.review01 CNAMEs to our acme zone, so nothing actually needs to change with SSL cert renewal verification. We can just replace the review CNAME with A/AAAA, copy the two CAA RRs from review01 to review, and generate the six new SSHFP RRs for the Gerrit API associated with the review hostname.

In fact, as a stopgap, we can omit the SSHFP records for review.o.o initially, which will restore the prior situation for folks connecting to the API port. I'll push that now:

https://review.opendev.org/744557

--
Jeremy Stanley
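
The SSHFP generation step mentioned in the thread, as an added example that is not part of the original messages or of the OpenDev configuration: it derives SSHFP RRs from SSH public key lines, emitting a SHA-1 and a SHA-256 record per key. It assumes the six records correspond to three host key types with two fingerprint types each; the owner name `review.example.org.` and the sample keys are constructed placeholders.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(owner, pubkey_lines):
    """Return SSHFP RRs (zone-file text) for each 'type base64 [comment]' line."""
    records = []
    for line in pubkey_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2 or fields[0] not in KEY_ALGS:
            raise ValueError(f"unsupported public key line: {line!r}")
        key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
        # The blob starts with a length-prefixed copy of the key type; a
        # mismatch means the line was mangled or hand-edited.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != key_type.encode():
            raise ValueError(f"key type does not match blob: {line!r}")
        for fp_type, digest in sorted(FP_TYPES.items()):
            records.append(f"{owner} IN SSHFP {KEY_ALGS[key_type]} {fp_type} "
                           f"{digest(blob).hexdigest()}")
    return records


def _constructed_key(key_type, *parts):
    """Build a well-formed but meaningless public key line (sample input only)."""
    wire = b"".join(struct.pack(">I", len(p)) + p
                    for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(wire).decode()} constructed-sample"


# Constructed sample host keys, one per key type (not real key material).
SAMPLE_KEYS = [
    _constructed_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xa5" * 256),
    _constructed_key("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x5a" * 64),
    _constructed_key("ssh-ed25519", b"\x3c" * 32),
]

if __name__ == "__main__":
    # "review.example.org." is a placeholder owner name, not the real zone.
    for rr in sshfp_records("review.example.org.", SAMPLE_KEYS):
        print(rr)
```

SSHFP records are bound to a hostname rather than a port, so the input should be the public keys of the service that clients of that name are expected to verify.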