review.opendev.org SSH key change?

Jeremy Stanley fungi at yuggoth.org
Mon Aug 3 20:48:22 UTC 2020


On 2020-08-01 14:09:53 +0000 (+0000), Jeremy Stanley wrote:
[...]
> The cleanest solution is probably going to be separating the
> review.opendev.org service name from the system's FQDN in DNS. This
> way we could avoid publishing SSHFP RRs for the service name (or
> better still, publish different SSHFP RRs), but that means we'll
> need to separate out the ACME glue for DNS based X.509 cert
> renewals. That would likely not be too hard if we can just stop
> putting review01.opendev.org as one of the subject altnames.
[...]

Clark just reminded me in the #opendev IRC channel that we already
serve separate _acme-challenge.review and _acme-challenge.review01
CNAMEs to our acme zone, so nothing actually needs to change with
SSL cert renewal verification. We can just replace the review CNAME
with A/AAAA, copy the two CAA RRs from review01 to review, and
generate the six new SSHFP RRs for the Gerrit API associated with
the review hostname.
-- 
Jeremy Stanley
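As an added example, not part of this thread or of OpenDev's configuration management: Python that reproduces what `ssh-keygen -r` emits for SSHFP records (a SHA-1 and a SHA-256 fingerprint per host key, so three key types give the six RRs mentioned above), plus the comparison an SSH client makes between a presented host key and the published records. The key material is a constructed placeholder, not review.opendev.org's actual Gerrit host key.

```python
import base64
import hashlib

# SSHFP algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519)
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}  # fingerprint types, over the raw key blob


def parse_pubkey(line):
    """Return (keytype, raw_blob) from an OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return parts[0], base64.b64decode(parts[1], validate=True)


def sshfp_records(hostname, pubkey_lines):
    """Zone-file SSHFP RRs, like `ssh-keygen -r`: two per key, so three
    host keys yield the six records the mail refers to."""
    records = []
    for line in pubkey_lines:
        keytype, blob = parse_pubkey(line)
        alg = SSHFP_ALGORITHM[keytype]  # KeyError for an unsupported key type
        for digest, fptype in SSHFP_FPTYPE.items():
            fp = hashlib.new(digest, blob).hexdigest()
            records.append(f"{hostname} IN SSHFP {alg} {fptype} {fp}")
    return records


def key_matches_sshfp(pubkey_line, records):
    """True iff a record carries this key's SHA-256 fingerprint: the comparison
    an OpenSSH client makes with VerifyHostKeyDNS (DNSSEC validation aside)."""
    keytype, blob = parse_pubkey(pubkey_line)
    expected = [str(SSHFP_ALGORITHM[keytype]), "2", hashlib.sha256(blob).hexdigest()]
    return any(rec.split()[-3:] == expected for rec in records)


def constructed_ed25519_line(fill):
    """Syntactically valid ssh-ed25519 line built from placeholder bytes
    (constructed for this example, not any real server's host key)."""
    ktype, material = b"ssh-ed25519", bytes([fill]) * 32
    blob = (len(ktype).to_bytes(4, "big") + ktype
            + len(material).to_bytes(4, "big") + material)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


if __name__ == "__main__":
    key = constructed_ed25519_line(0x11)
    published = sshfp_records("review.opendev.org.", [key])
    print("\n".join(published))
    print(key_matches_sshfp(key, published))                             # True
    print(key_matches_sshfp(constructed_ed25519_line(0x22), published))  # False
```

A rotated host key fails the comparison until the zone carries its new fingerprints, which is exactly the window in which stale SSHFP RRs under a shared service name cause the client-side mismatch discussed in this thread.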