<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 1, 2016 at 10:51 AM R. Tyler Croy <<a href="mailto:tyler@monkeypox.org">tyler@monkeypox.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">(replies inline)<br class="gmail_msg">
<br class="gmail_msg">
On Tue, 01 Nov 2016, Kohsuke Kawaguchi wrote:<br class="gmail_msg">
<br class="gmail_msg">
> GoDaddy just sent me a reminder that the cert for those hosts need need to<br class="gmail_msg">
> be renewed in 2 months.<br class="gmail_msg">
><br class="gmail_msg">
> Before I spend $150 to renew this, I want to make sure we will still use<br class="gmail_msg">
> this cert. Lots of things are moving around lately, and I expect some more<br class="gmail_msg">
> changes.<br class="gmail_msg">
><br class="gmail_msg">
> Also, IUC, it's possible to switch these hosts to Let's encrypt, now that<br class="gmail_msg">
> they are not multi-tenanted.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
I believe it makes more sense to migrate these to Lets Encrypt and <a href="http://jenkins.io" rel="noreferrer" class="gmail_msg" target="_blank">jenkins.io</a><br class="gmail_msg">
as soon as possible.<br class="gmail_msg">
<br class="gmail_msg">
I have this in tickets:<br class="gmail_msg">
* <a href="https://issues.jenkins-ci.org/browse/INFRA-672" rel="noreferrer" class="gmail_msg" target="_blank">https://issues.jenkins-ci.org/browse/INFRA-672</a><br class="gmail_msg">
* <a href="https://issues.jenkins-ci.org/browse/INFRA-673" rel="noreferrer" class="gmail_msg" target="_blank">https://issues.jenkins-ci.org/browse/INFRA-673</a></blockquote><div><br></div><div>First, I've made a mistake. It's the auto-renewal that kicks in 2 months. The certificate will not expire till Feb.</div><div><br></div><div>Anyway, if you want to tie this with the migration to <a href="http://jenkins.io">jenkins.io</a>, then my question is the time frame. If this is the path we choose, naturally the migration would have to be done before the certificate expires.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That said, I thought these services were using the same certificate as<br class="gmail_msg">
<a href="http://jenkins-ci.org" rel="noreferrer" class="gmail_msg" target="_blank">jenkins-ci.org</a> just with additional names? If that's the case, then I believe<br class="gmail_msg">
it might be beneficial to just renew for one more year since we haven't fully<br class="gmail_msg">
shuttered the <a href="http://jenkins-ci.org" rel="noreferrer" class="gmail_msg" target="_blank">jenkins-ci.org</a> domain.<br class="gmail_msg"></blockquote><div><br></div><div>That's a separate cert. To summarize, we have two multi-domain SSL certs, and both will expire at about the same time:</div><div><br></div><div>Cert #1</div><div><ul><li><a href="http://issues.jenkins-ci.org">issues.jenkins-ci.org</a></li><li><a href="http://wiki.jenkins-ci.org">wiki.jenkins-ci.org</a></li></ul></div><div>Cert #2</div><div><ul><li><a href="http://jenkins-ci.org">jenkins-ci.org</a></li><li><a href="http://updates.jenkins-ci.org">updates.jenkins-ci.org</a></li><li><a href="http://ci.jenkins-ci.org">ci.jenkins-ci.org</a></li><li><a href="http://usage.jenkins-ci.org">usage.jenkins-ci.org</a></li></ul></div><div><br></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Another option would be to start Lets Encrypt'ing <a href="http://jenkins-ci.org" rel="noreferrer" class="gmail_msg" target="_blank">jenkins-ci.org</a> certificates<br class="gmail_msg">
as well, which I'm loathe to do just because I want that domain to go away<br class="gmail_msg">
already :P</blockquote><div><br></div><div>I don't have a sense of how much work this would involve.</div><div><br></div><div>Based on this conversation, I think the best course of action is to spend $300 and renew these two certs for one more year, so that you won't have to spend time on a backward task and you won't have to take on the big migration tasks in the busy year end. I think in this case the time is more precious than money. I'll just let auto renewal kick in by the end of 2016.</div><div><br></div><div>And presumably the certs are still useful even after migration to redirect old domain to the new one.</div></div></div>