#9534 Extend the certificate for the copr backend
Closed: Fixed 3 years ago by smooge. Opened 3 years ago by schlupov.

Describe what you would like us to do:


We need to extend the certificate for the copr backend (copr-be, production instance. Other servers already use letsencrypt).

When do you need this to be done by? (2021/01/05)


The sooner the better, the certificate expires in February.


> When do you need this to be done by? (2021/01/05)

Considering we are a couple of days from the end of year break and many many people will take that time off, I would not hold my breath over this date which would be just as people come back.

IIRC we do not handle certificates ourselves, so we might be able to put in the request before the break. Otherwise we'll likely look at it in early January.

I will put in for a new cert but do not know when it will arrive. I do not expect it until mid/late January due to a wait on other certs.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: copr, medium-gain, medium-trouble, ops, websites-general

3 years ago

FTR, we moved copr frontend to letsencrypt; the only thing which remains is copr-backend. It is not practical to move to letsencrypt there for us (too much hassle when doing major copr updates).

Btw., since we seem to have one certificate for multiple hostnames (altnames), I'd like to note that it is not needed anymore and we perhaps can get a slightly cheaper certificate? Dunno how much.

The old certificate was issued for these hostnames (altnames):
copr.fedorainfracloud.org
copr-be.fedorainfracloud.org
copr-be.cloud.fedoraproject.org

But now the only one we need is:
copr-be.cloud.fedoraproject.org

@smooge ping, only 7 days left, do you manage to solve this issue in time?

Thanks @smooge for the ping, I installed the new certificate ... it seems to work
only the alt name www.copr-be.cloud.fedoraproject.org is useless. I'm not
sure if we pay for it or not? I'm not sure what we can do about it either, so just
saying.

Also what surprised me is that the validity of that certificate is only one year.
It used to be two years before, is this expected?

@praiskup

So www.copr-be.cloud was never in the certificate list for the certificates I could find. The alt names were
subjectAltName=DNS:copr.fedorainfracloud.org,DNS:copr-be.fedorainfracloud.org,DNS:copr-be.cloud.fedoraproject.org

The fedorainfracloud.org was not in DNS anymore so it was causing issues. I moved the altnames to the ones in DNS I could find. copr-be-dev.aws.fedoraproject.org. copr-be.cloud.fedoraproject.org.

I was surprised by the 1 year but that is the maximum the system allowed for :weary: For the amount of money this costs.. I would look at letsencrypt.

> www.copr-be.cloud was never in the certificate list

So how do you explain it is there? :) Is that just an artificial thing so we are charged more for the alt names?

> The ones in DNS I could find. copr-be-dev.aws.fedoraproject.org. copr-be.cloud.fedoraproject.org.

The copr-be-dev.aws.fedoraproject.org is though not in alt names, despite
you requested that.... that one isn't very useful because we don't expose that
cname to anyone (except for batcave) but still better than the www. thing.

> For the amount of money this costs.. I would look at letsencrypt.

Meh, yes. If we'll do this manual migration every year it will be basically the same
amount of energy as if we were on letsencrypt (it will require manual tweaks every
second fedora release when we respawn copr-be from scratch). Doh.

Honestly I don't know. I looked at the cert and what I see is it is for
[smooge@batcave01 httpd (master)]$ egrep '^subjectAltName=|^commonName_default' copr-be.cloud.fedoraproject.org-openssl.cnf
commonName_default = copr-be.cloud.fedoraproject.org
subjectAltName=DNS:copr-be.aws.fedoraproject.org

Aha, sorry for the misinterpretation then - those alt names are what I read from Firefox's UI (info about the certificate on https://copr-be.cloud.fedoraproject.org/). Ok, I think we can close this then.

I put that in there because of this

[smooge@linode01 ~]$ host copr-be.cloud.fedoraproject.org
copr-be.cloud.fedoraproject.org is an alias for copr-be.aws.fedoraproject.org.
copr-be.aws.fedoraproject.org has address 52.44.175.77
copr-be.aws.fedoraproject.org has IPv6 address 2600:1f18:8ee:ae00:4303:a354:dbd2:4d89

I figured that the aws may be needed also.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
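
The thread compares alt names read from a browser UI, from an openssl.cnf file, and from DNS. As an added example (not part of the ticket and not Fedora infrastructure code), the script below reads the SANs and remaining validity straight from a certificate file and compares them with the hostnames that are actually wanted. The function names `cert_sans`, `audit_cert` and `make_sample_cert` are hypothetical, the certificate is a constructed self-signed sample, and OpenSSL 1.1.1 or later is assumed for `-ext` and `-addext`.

```shell
#!/bin/sh
# Added example: audit a PEM certificate's SANs and remaining validity.

# Print the DNS subjectAltName entries of certificate $1, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | sort
}

# audit_cert CERT WARN_DAYS NAME...
# Reports expected names the cert lacks (MISSING), SANs nobody asked for
# (EXTRA), and expiry within WARN_DAYS. Returns 1 on any finding.
audit_cert() {
    cert=$1; warn_days=$2; shift 2
    status=0
    have=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$name" ||
            { echo "MISSING $name"; status=1; }
    done
    while read -r san; do
        [ -n "$san" ] || continue
        case " $* " in
            *" $san "*) ;;
            *) echo "EXTRA $san"; status=1 ;;
        esac
    done <<EOF
$have
EOF
    openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) \
        >/dev/null || { echo "EXPIRING within $warn_days days"; status=1; }
    return "$status"
}

# Constructed sample: self-signed cert in DIR ($1) with SAN list $2, valid $3 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=copr-be.cloud.fedoraproject.org" \
        -addext "subjectAltName=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: old SAN list from the ticket vs. the one hostname still needed.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" "DNS:copr.fedorainfracloud.org,DNS:copr-be.fedorainfracloud.org,DNS:copr-be.cloud.fedoraproject.org" 365
audit_cert "$demo_dir/cert.pem" 30 copr-be.cloud.fedoraproject.org ||
    echo "audit reported findings"
rm -rf "$demo_dir"
```

Run from cron with a warning window of a few weeks, a non-zero exit gives notice before the expiry date rather than days before it.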
