Closed
Bug 1186526
Opened 9 years ago
Closed 9 years ago
Hostname and SSL certificate for Mercurial CDN
Categories
(Infrastructure & Operations :: SSL Certificates, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: rwatson)
References
(Blocks 1 open bug)
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1453] )
Attachments
(1 file)
2.82 KB, application/zip
Over in bug 1185261 we are standing up an Amazon CloudFront CDN to serve Mercurial data so hundreds of gigabytes/day of transfers from hg.mozilla.org/SCL3 are offloaded to servers that can better handle the load. More info at http://gregoryszorc.com/blog/2015/07/08/cloning-from-s3/.
I'm requesting a hostname, DNS CNAME record, and SSL certificate for this.
The destination for the CNAME should be d3hk7f2pw2ppzm.cloudfront.net. I have no strong opinions on the TTL.
The CloudFront "distribution" is owned by the moz-devservices AWS account. We would need to upload the SSL certificate into its IAM certificate store so we can install it on CloudFront.
As for the hostname, I'm flexible. My only real requirement is it have "moz" or "mozilla" somewhere, as the URLs will be printed to users when they do `hg clone` and we don't want to scare people with an opaque URL.
I was tentatively thinking "hg-cdn"[.mozilla.org]. But as I said, I'm flexible. And I don't really know what domains are available/appropriate.
Reporter
Comment 1•9 years ago
There has been no activity on this bug since I filed it. Do I need to ping someone to get this moving?
Comment 2•9 years ago
gps,
I'm waiting on confirmation, but I think we'll go with hg.cdn.mozilla.net
That will be pointed to d3hk7f2pw2ppzm.cloudfront.net with a TTL of 300 seconds
Would you like us to install the SSL certificate? If you'd like to do it yourself, make sure your GPG pubkey is on gpg.mozilla.org and we can send you the private key encrypted and attach the certificate and intermediates to this bug.
Assignee: server-ops-webops → rwatson
Reporter
Comment 3•9 years ago
The CDN is managed by the moz-devservices AWS account. So I'll need to install the cert. My GPG pubkey is on gpg.mozilla.org: gszorc@mozilla.com. Fingerprint is in LDAP / phonebook.
Comment 4•9 years ago
@gps: I'm a little hazy on how this is used... will users be typing in this name? I'm wondering why bother with a custom name at all instead of the .cloudfront.net name?
I don't have a dog in the fight, just curious as to what we're trying to solve with a custom name. Skipping it saves a bit of cost and headache all around. :)
Reporter
Comment 5•9 years ago
Users will see these URLs when doing Mercurial operations and I'd rather not use a generic, non-Mozilla URL.
What are the costs and headaches involved? I'm pretty sure my team will pick up the cost if that is a barrier.
Comment 6•9 years ago
w0ts0n will knock this out tomorrow. Thanks guys.
Assignee
Comment 7•9 years ago
Attached is the .pem (zipped) file which includes all files (except for root). I've sent the .key file directly (encrypted) to :gps.
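Comment 7 attaches the certificate and intermediates to the bug while the private key travels separately, GPG-encrypted. As an added example (not part of this bug or of Mozilla's tooling), the following Python check confirms that a PEM bundle destined for a public attachment holds only CERTIFICATE blocks and no private-key block; the function names and sample data are constructed for illustration.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def audit_public_bundle(pem_text):
    """Return (labels, problems) for a PEM bundle that will be shared publicly."""
    labels, problems = [], []
    for index, match in enumerate(PEM_BLOCK.finditer(pem_text)):
        label, body = match.group(1), match.group(2)
        labels.append(label)
        if "PRIVATE KEY" in label:
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY:
            # none of them belong in a public attachment.
            problems.append(f"block {index}: {label} must not be published")
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {index}: unexpected label {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {index}: body is not valid base64")
            continue
        # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {index}: not a DER SEQUENCE")
    if not labels:
        problems.append("no PEM blocks found")
    return labels, problems

def make_pem(label, der):
    """Wrap bytes in a PEM block (used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholders: tiny DER SEQUENCEs, not real certificates or keys.
FAKE_DER = b"\x30\x03\x02\x01\x01"
CERTS_ONLY = make_pem("CERTIFICATE", FAKE_DER) * 2
WITH_KEY = CERTS_ONLY + make_pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    for name, bundle in (("certs only", CERTS_ONLY), ("with key", WITH_KEY)):
        print(name, audit_public_bundle(bundle))
```

This only inspects block labels and the outer DER tag; it does not validate the chain, the hostname, or that the key matches the certificate.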
Assignee
Updated•9 years ago
Flags: needinfo?(gps)
Reporter
Comment 8•9 years ago
I've confirmed receipt of the private key and am able to decrypt it. However, hg.cdn.mozilla.net is not yet resolving. Could someone please configure the DNS?
Flags: needinfo?(gps) → needinfo?(smani)
Reporter
Comment 9•9 years ago
I've uploaded the cert to Amazon and configured the CloudFront distribution to use it. Just waiting on DNS.
Reporter
Comment 10•9 years ago
hg.cdn.mozilla.net started resolving sometime in the past ~24 hours. Not sure what changed. But I'll take it!
I don't think there is any more work here. Closing.
Flags: needinfo?(smani)
Reporter
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee
Comment 11•9 years ago
That was me, sorry. I must not have hit "save changes" on the bug.