[Jenkins-infra] Renewing (issues|wiki).jenkins-ci.org certs

Kohsuke Kawaguchi kk at kohsuke.org
Tue Nov 1 22:00:05 UTC 2016

On Tue, Nov 1, 2016 at 10:51 AM R. Tyler Croy <tyler at monkeypox.org> wrote:

> (replies inline)
> On Tue, 01 Nov 2016, Kohsuke Kawaguchi wrote:
> > GoDaddy just sent me a reminder that the cert for those hosts need need
> to
> > be renewed in 2 months.
> >
> > Before I spend $150 to renew this, I want to make sure we will still use
> > this cert. Lots of things are moving around lately, and I expect some
> more
> > changes.
> >
> > Also, IUC, it's possible to switch these hosts to Let's encrypt, now that
> > they are not multi-tenanted.
> I believe it makes more sense to migrate these to Lets Encrypt and
> jenkins.io
> as soon as possible.
> I have this in tickets:
>  * https://issues.jenkins-ci.org/browse/INFRA-672
>  * https://issues.jenkins-ci.org/browse/INFRA-673

First, I've made a mistake. It's the auto-renewal that kicks in 2 months.
The certificate will not expire till Feb.

Anyway, if you want to tie this with the migration to jenkins.io, then my
question is the time frame. If this is the path we choose, naturally the
migration would have to be done before the certificate expires.

That said, I thought these services were using the same certificate as
> jenkins-ci.org just with additional names? If that's the case, then I
> believe
> it might be beneficial to just renew for one more year since we haven't
> fully
> shuttered the jenkins-ci.org domain.

That's a separate cert. To summarize, we have two multi-domain SSL certs,
and both will expire at about the same time:

Cert #1

   - issues.jenkins-ci.org
   - wiki.jenkins-ci.org

Cert #2

   - jenkins-ci.org
   - updates.jenkins-ci.org
   - ci.jenkins-ci.org
   - usage.jenkins-ci.org

Another option would be to start Lets Encrypt'ing jenkins-ci.org
> certificates
> as well, which I'm loathe to do just because I want that domain to go away
> already :P

I don't have a sense of how much work this would involve.

Based on this conversation, I think the best course of action is to spend
$300 and renew these two certs for one more year, so that you won't have to
spend time on a backward task and you won't have to take on the big
migration tasks in the busy year end. I think in this case the time is more
precious than money. I'll just let auto renewal kick in by the end of 2016.

And presumably the certs are still useful even after migration to redirect
old domain to the new one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.jenkins-ci.org/pipermail/jenkins-infra/attachments/20161101/593cea52/attachment.html>

More information about the Jenkins-infra mailing list