#7265 coreos.fedoraproject.org moving to GitHub Pages
Closed: Fixed 5 years ago Opened 5 years ago by sanja.

The Fedora CoreOS website will be moving to GitHub Pages which means the OpenShift instance for it can be deleted and we will need to point the DNS to the GitHub IPs. Steps involved:

  1. The OpenShift instance that is currently there for Fedora CoreOS should be deleted.

  2. Please point coreos.fedoraproject.org to GitHub Pages right after: https://help.github.com/articles/setting-up-a-custom-subdomain/

  • When do you need this?

Whenever is possible for you. I will turn on GitHub Pages the moment this ticket is updated from infra side. Ideally no later than 2018/10/12.


Sure. What is the github domain here?

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue priority set to: Waiting on Assignee (was: Needs Review)

5 years ago

Done. Should I just remove the coreos.stg.fedoraproject.org site from DNS?

:white_flower:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Yes, please remove, it's not needed anymore.

Thanks, Kevin!

So, there's a slight issue here with ssl certs... it's properly hitting the github pages, but the github ssl certs are not valid for fedoraproject.org.

We could set up a redirect to coreos.github.io instead of just dns?

I tried to set up the redirect, but https://coreos.github.io/coreos.fedoraproject.org redirects back to us at https://coreos.fedoraproject.org, so that won't work until that redirect is removed.

Hm, do we mean the same thing? We're trying to get https://coreos.github.io/coreos.fedoraproject.org redirect to coreos.fedoraproject.org - not the other way around. GitHub does the certificate stuff themselves if the DNS is set correctly. At least it did for buildah and podman but those were TLDs not subdomains.

Well, perhaps I'm not understanding you. Sorry if so.

My understanding is:

Is that correct?

Right now:

~ wget -S https://coreos.github.io/coreos.fedoraproject.org 
--2018-10-02 13:27:01--  https://coreos.github.io/coreos.fedoraproject.org
Resolving coreos.github.io (coreos.github.io)... 185.199.109.153, 185.199.111.153, 185.199.108.153, ...
Connecting to coreos.github.io (coreos.github.io)|185.199.109.153|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 301 Moved Permanently
  Server: GitHub.com
  Content-Type: text/html
  Location: http://coreos.fedoraproject.org
  X-GitHub-Request-Id: 17F6:0F3B:4911F91:636B58F:5BB3D459
  Content-Length: 178
  Accept-Ranges: bytes
  Date: Tue, 02 Oct 2018 20:27:01 GMT
  Via: 1.1 varnish
  Age: 58
  Connection: keep-alive
  X-Served-By: cache-sea1039-SEA
  X-Cache: HIT
  X-Cache-Hits: 1
  X-Timer: S1538512022.529289,VS0,VE0
  Vary: Accept-Encoding
  X-Fastly-Request-ID: 19d74cbc7391d952b140cb2554b668d226ac703e
Location: http://coreos.fedoraproject.org [following]
URL transformed to HTTPS due to an HSTS policy
--2018-10-02 13:27:01--  https://coreos.fedoraproject.org/
Resolving coreos.fedoraproject.org (coreos.fedoraproject.org)... 209.132.181.15, 209.132.181.16, 67.219.144.68, ...
Connecting to coreos.fedoraproject.org (coreos.fedoraproject.org)|209.132.181.15|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Tue, 02 Oct 2018 20:27:01 GMT
  Server: Apache/2.4.34 (Fedora)
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Frame-Options: SAMEORIGIN
  X-Xss-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  Content-Type: text/html; charset=utf-8
  Cache-control: private
  Set-Cookie: 9e8e97d38b3f5f61f48a9918d2552466=25d6c0bf5223a1dc97ad6e41b7462f58; path=/; HttpOnly; Secure
  AppTime: D=11283
  AppServer: proxy10.phx2.fedoraproject.org
  Keep-Alive: timeout=15, max=500
  Connection: Keep-Alive
  Transfer-Encoding: chunked
Length: unspecified [text/html]

i.e., https://coreos.github.io/coreos.fedoraproject.org redirects to https://coreos.fedoraproject.org.
If I change https://coreos.fedoraproject.org/ to redirect to the github pages, it loops.
If I change coreos.fedoraproject.org to resolve in DNS to coreos.github.io, it breaks because the *.github.io ssl cert does not match coreos.fedoraproject.org.
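
The two failure modes described in the comment above (a redirect loop, and a *.github.io certificate that does not cover coreos.fedoraproject.org) can be checked offline before changing DNS or redirects. This is an added example, not part of the ticket; the function names, the SAN list (the `github.io` entry is an assumption) and the redirect tables are constructed from the wget output and the description above.

```python
from urllib.parse import urlsplit, urlunsplit

def san_matches(pattern, host):
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # conservative: refuse wildcards directly under a single label ("*.io")
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(sans, host):
    return any(san_matches(s, host) for s in sans)

def normalize(url, hsts_hosts=()):
    """Apply the HSTS upgrade wget reported, and give bare hosts a '/' path."""
    u = urlsplit(url)
    scheme = "https" if u.hostname in hsts_hosts else u.scheme
    return urlunsplit((scheme, u.netloc.lower(), u.path or "/", "", ""))

def follow(redirects, start, hsts_hosts=(), limit=10):
    """Walk a URL -> Location table; return (chain, looped)."""
    table = {normalize(k, hsts_hosts): normalize(v, hsts_hosts)
             for k, v in redirects.items()}
    url = normalize(start, hsts_hosts)
    chain = [url]
    while url in table and len(chain) < limit:
        url = table[url]
        if url in chain:
            return chain + [url], True
        chain.append(url)
    return chain, False

# Constructed sample data, modelled on the thread.
PAGES_URL = "https://coreos.github.io/coreos.fedoraproject.org"
SITE_URL = "https://coreos.fedoraproject.org/"
HSTS = {"coreos.fedoraproject.org"}          # host sent Strict-Transport-Security
GITHUB_IO_SANS = ["*.github.io", "github.io"]
CURRENT = {PAGES_URL: "http://coreos.fedoraproject.org"}   # the 301 seen by wget
PROPOSED = {**CURRENT, SITE_URL: PAGES_URL}                # redirect tried on our side

if __name__ == "__main__":
    print(follow(CURRENT, PAGES_URL, HSTS))
    print(follow(PROPOSED, SITE_URL, HSTS))
    for host in ("coreos.github.io", "coreos.fedoraproject.org"):
        print(host, cert_covers(GITHUB_IO_SANS, host))
```
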

No, the other way around, sorry if I didn't phrase it correctly. No certificates or anything should be needed as GitHub makes those.

Please check out the link in the description of the ticket for what IP to point to. The rest I do in the GitHub repository settings. That should work then.

So, to work, it needs to have the coreos.fedoraproject.org DNS entry point to the CNAME coreos.github.io, as it was done before. I disable the CNAME stuff for now.

At the start, HTTPS will not work, as this is using letsencrypt, and there is no way to make the migration smooth (because we control neither the server nor letsencrypt).

Once that is working, we will be able to turn https on, and then github will get the letsencrypt negotiation done afaik.

But for now, let's focus on making the http work. I will deal with it on irc with Nirik.

So, the github interface says: "Not yet available for your site because the certificate has not finished being issued. Please allow 24 hours for this process to complete"

So it should be fixed in 24h (I assume faster). In the meantime, people depending on their DNS and stuff might see errors, from "wrong certificate" to "certificate revoked", etc.

Yes, it did the same for buildah.io and podman.io - takes a few hours and then it's done. If everything is done on Fedora side, the rest is my doing then onwards. Cheers and thank you both!

So that's done (guess Fedora dns is tuned for faster change when compared to the RH one that I used). And https works from my laptop.

And https works from my laptop.
:D

Yes, all works - thanks!
