#11143 CName and SSL cert for component-registry.fedoraproject.org
Closed: Fixed with Explanation a year ago by kevin. Opened a year ago by jazinner.


Describe what you would like us to do:

Add a CNAME for component-registry.fedoraproject.org pointing to:

'wildcard.apps.ext.spoke.prod.us-east-1.aws.paas.redhat.com'

Also send me instructions for getting a signed SSL certificate for my application at that address.

When do you need this to be done by? (YYYY/MM/DD)

2023/03/10


We typically do not point fedoraproject.org addresses to servers we don't control.

We usually terminate ssl on our proxies and use a vpn to the backend service.

Can you explain what you are trying to do here and what your needs are?

What is this for? Who runs it? Why do you want it in the fedoraproject.org domain?

Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

a year ago

This service will provide a way to search Fedora and OpenStack RDO builds for software dependencies, as well as generate a Software Bill of Materials for a project, RPM, or container from those projects.

This project is funded by Red Hat, and is already deployed within the Red Hat firewall. However, we also have an agreement with Matt Miller that we will be able to use the fedoraproject.org domain to host community data outside of the Red Hat firewall.

The application is not live at the indicated address, but it will be live within the next few weeks, as we are just setting up and deploying the existing code (https://github.com/RedHatProductSecurity/component-registry) to dedicated infrastructure for the community. Perhaps if you use a VPN to connect to the backend service we could leave it inside the RH firewall? We did plan to put the service on the internet using the mentioned domain.

It is run by myself and the Product Security DevOps team and hosted on the Managed Platform+ environment.

Ah, I didn't connect your name with the SBOM thread on the infra list. Sorry.

Sure, if @mattdm and the council are ok with using fedoraproject.org for this we can do that.

As far as SSL, if you are hosting and we are just pointing to you, perhaps we could just delegate an 'acmechallenges' redirect or the like so you can get certs via ACME.
We could also just get some longer-lived DigiCert certs and get them to you and just manually renew them from time to time.

That would probably be easier than an internal service, but I guess we could go that route too; it would likely need firewall changes between the isolated fedoraproject.org servers and wherever you are hosting it. That would also add us in as a point of failure. ;)

I think it would be easier for us if you set up a DigiCert certificate for us and renew it from time to time. Thanks.

From today's Council meeting: there are no objections to the CNAME request so long as Infra is okay with it.

And I would like Infra to be okay with it, please. :)

I've set up the CNAME. On the cert, can you send me (kfenzi@redhat.com or kevin@scrye.com) your GPG public key and I can send you the cert and key privately?
Or happy to get them to you another secure way if you prefer.

Also, it would be really nice if there was some place or email address we could point people to for questions/issues with the service. I am sure since it's in our domain someone will ask us to update it to tell us when it's down, etc. If we have a place to point those folks to that would be great. :) If you don't have anything public, then it would at least be nice to have a private list of people we admins could ping for downtime/problems as users report things to us.
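The arrangement settled on here (a fedoraproject.org name delegated by CNAME to a host Fedora infra does not run, with a manually renewed certificate) is worth monitoring from the infra side: a CNAME that stops resolving to the agreed target is a dangling record, and a hand-renewed cert is the one most likely to lapse. The check below is an added example, not Fedora infra's or the Component Registry project's tooling; the expected CNAME target is the one named in this ticket, the CNAME chain is assumed to be fed in from a resolver (for instance `dig +short` output), and the 30-day warning window is a chosen default.

```python
import socket
import ssl
import time

HOSTNAME = "component-registry.fedoraproject.org"
EXPECTED_TARGET = "wildcard.apps.ext.spoke.prod.us-east-1.aws.paas.redhat.com"


def _norm(name):
    return name.rstrip(".").lower()


def cname_points_to(chain, expected_target=EXPECTED_TARGET):
    # chain: CNAME targets top to bottom (e.g. from `dig +short`); it must end at the
    # host we delegated to, otherwise the record is dangling or points elsewhere.
    return bool(chain) and _norm(chain[-1]) == _norm(expected_target)


def san_matches(san_names, hostname):
    # RFC 6125 style: a wildcard counts only as the whole leftmost label, so
    # '*.example.org' covers 'a.example.org' but not 'a.b.example.org' or 'example.org'.
    host = _norm(hostname).split(".")
    for name in san_names:
        labels = _norm(name).split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def cert_status(san_names, not_after, hostname, now, warn_days=30):
    # not_after / now are epoch seconds; returns 'wrong-name', 'expired', 'expiring' or 'ok'.
    if not san_matches(san_names, hostname):
        return "wrong-name"
    remaining_days = (not_after - now) / 86400
    if remaining_days < 0:
        return "expired"
    return "expiring" if remaining_days < warn_days else "ok"


def live_cert_status(hostname=HOSTNAME, port=443, warn_days=30):
    # Needs network. The default context verifies chain and name itself, so a bad
    # cert is reported as 'verify-failed' before we ever look at its dates.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "verify-failed"
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return cert_status(sans, not_after, hostname, time.time(), warn_days)
```

Run `live_cert_status()` from a cron job and page whoever holds the renewal task on anything other than `ok`; `cname_points_to` takes the resolver's answer so the DNS half can be checked without a TLS connection.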

Hi Kevin,

Sorry for the delay. I sent you my gpg public key.

You can contact us with issues by emailing corgi-dev@redhat.com. We also reside in the "Component Registry" Red Hat corporate GChat space.

Regards,
Jason

I've sent the cert to you via gpg encrypted attachment. :)

I think that should be all you need? If you need anything else at all, feel free to open a new ticket or reopen this one.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

a year ago
