Closed Bug 1186526 Opened 9 years ago Closed 9 years ago

Hostname and SSL certificate for Mercurial CDN

Categories

(Infrastructure & Operations :: SSL Certificates, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: rwatson)

References

(Blocks 1 open bug)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1453] )

Attachments

(1 file)

Over in bug 1185261 we are standing up an Amazon CloudFront CDN to serve Mercurial data so hundreds of gigabytes/day of transfers from hg.mozilla.org/SCL3 are offloaded to servers that can better handle the load. More info at http://gregoryszorc.com/blog/2015/07/08/cloning-from-s3/. I'm requesting a hostname, DNS CNAME record, and SSL certificate for this. The destination for the CNAME should be d3hk7f2pw2ppzm.cloudfront.net. I have no strong opinions on the TTL. The CloudFront "distribution" is owned by the moz-devservices AWS account. We would need to upload the SSL certificate into its IAM certificate store so we can install it on CloudFront. As for the hostname, I'm flexible. My only real requirement is it have "moz" or "mozilla" somewhere, as the URLs will be printed to users when they do `hg clone` and we don't want to scare people with an opaque URL. I was tentatively thinking "hg-cdn"[.mozilla.org]. But as I said, I'm flexible. And I don't really know what domains are available/appropriate.
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/1453]
There has been no activity on this bug since I filed it. Do I need to ping someone to get this moving?
gps, I'm waiting on confirmation, but I think we'll go with hg.cdn.mozilla.net. That will be pointed to d3hk7f2pw2ppzm.cloudfront.net with a TTL of 300 seconds. Would you like us to install the SSL certificate? If you'd like to do it yourself, make sure your GPG pubkey is on gpg.mozilla.org and we can send you the private key encrypted and attach the certificate and intermediates to this bug.
Assignee: server-ops-webops → rwatson
The CDN is managed by the moz-devservices AWS account. So I'll need to install the cert. My GPG pubkey is on gpg.mozilla.org: gszorc@mozilla.com. Fingerprint is in LDAP / phonebook.
@gps: I'm a little hazy on how this is used... will users be typing in this name? I'm wondering why bother with a custom name at all instead of the .cloudfront.net name? I don't have a dog in the fight, just curious as to what we're trying to solve with a custom name. Skipping it saves a bit of cost and headache all around. :)
Users will see these URLs when doing Mercurial operations and I'd rather not use a generic, non-Mozilla URL. What are the costs and headaches involved? I'm pretty sure my team will pick up the cost if that is a barrier.
w0ts0n will knock this out tomorrow. Thanks guys.
Attached is the .pem (zipped) file, which includes all files (except for root). I've sent the .key file directly (encrypted) to :gps.
Flags: needinfo?(gps)
I've confirmed receipt of the private key and am able to decrypt it. However, hg.cdn.mozilla.net is not yet resolving. Could someone please configure the DNS?
Flags: needinfo?(gps) → needinfo?(smani)
I've uploaded the cert to Amazon and configured the CloudFront distribution to use it. Just waiting on DNS.
hg.cdn.mozilla.net started resolving sometime in the past ~24 hours. Not sure what changed. But I'll take it! I don't think there is any more work here. Closing.
Flags: needinfo?(smani)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
That was me, sorry. I must not have hit "save changes" on the bug.
Blocks: 1512305