Move domain to point to Github Pages version of site




a year ago
8 months ago


(Reporter: gerv, Assigned: justdave)


Dependency tree / graph


The code behind uses Template Toolkit, which
means that we have to host it ourselves. The build system for including
the docs in the website also requires various older Perls and so on
which has proved historically troublesome.

We've been meaning to move to something newer for a while, and Wordpress
was mooted, but in recent Bugzilla meetings we proposed moving to Github
Pages and Jekyll. I've now done that conversion, and the results can be
seen here:

After a bit of testing, we need to switch over to using this as the master copy. This bug tracks that work.

If we didn't need HTTPS support, we could simply use Github Pages' built-in support for CNAME:

However, that doesn't support SSL, which we need for Fortunately, Cloudflare can be used to front the site to provide SSL:

But that means letting Cloudflare run our DNS, which may have other ramifications because we have other servers as well.

justdave: can you comment on how difficult or easy it would be to switch our DNS to Cloudflare so we can use this solution?

Flags: needinfo?(justdave)
DNS can be delegated on a hostname by hostname basis.  The parent zone just needs an NS record for the hostname in question which points at cloudflare's servers.  This would easily be doable.
Flags: needinfo?(justdave)
justdave: is that true even if we want to work?

Flags: needinfo?(justdave)
No. However, redirects to, and we could certainly leave where it is with the redirect intact, and just give cloudflare
Flags: needinfo?(justdave)
If I'm right, doesn't that mean we'd need to keep maintaining a webserver and our own certificate, just to do the simple thing of serving a single redirect :-( That seems sad. Is there a way we can get cloudflare to do the DNS for the entire domain, and so avoid this? Or does that cause other problems?

The redirect is on Mozilla's webserver and not ours, and they've never given any kind of indication that they want to stop hosting that, so that should be fine to leave there.
OK, great! That's good news.

I've added a CNAME file to the repo, set up a Cloudflare account (username: and added (It didn't seem possible in their interface to only add so I added the whole domain, and it copied all the other DNS records). I only turned Cloudflare on for 

The nameservers Cloudflare want us to use are:

So if we switch to using those, that should do the switchover!

The instructions say:

"It may take up to 24 hours after successfully changing name servers for a new SSL certificate pack to be issued for your site. If you need valid SSL certificates in place before sending traffic through Cloudflare, pause Cloudflare for your site by clicking on Advanced to the right and resume when your certificate pack has been issued."

So we need to switch the nameservers, but then pause Cloudflare. So that involves a coordination between me and the person switching. Unless we are happy with a little bit of SSL downtime (they say 24 hours, but I bet they are a lot faster than that normally).

OK, I've got access to make that change on our end, find me on IRC or Slack when you're ready to do it.
I'm assuming there's going to be a confirmation to hostmaster sent to confirm creation of the SSL certificate.  I also still get that email address, so we're set on that end, too.
Probably they'll use DNS-based validation for the SSL cert, so there won't be an email to hostmaster@.

DNS has been updated to point at cloudflare's nameservers. continues to point at Mozilla (which will do a redirect).
FYI I get a "Secure Connection Failed" error in Firefox trying to load

An error occurred during a connection to Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I've backed out the DNS change until Gerv is ready to try the rescan again in Cloudflare.
mcote: yeah, I got something like that when setting Cloudflare's nameservers directly as my nameserver on my machine. Not sure why that is, and Firefox is a little unhelpful in saying what cyphers were offered. 

I'll try and coordinate with Dave again.

I've emailed justdave all he needs to make this change solo.

Depends on: 1413677
Depends on: 1438282
This is now live!!!

Assignee: website → justdave
Last Resolved: 8 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.