Move wikitech-static to Chicago
Closed, Resolved (Public)

Description

Currently wikitech-static is hosted in IAD which is in Northern Virginia. Rackspace is unable to give me a physical location for that site, which worries me.

Best if we move it to their DC in Chicago, safely away from either of our primary DCs. Best I can tell the only US options are Dallas, Virginia, Chicago.

Event Timeline

Change 356124 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/dns@master] Add records for wikitech-static-ord

https://gerrit.wikimedia.org/r/356124

Change 356124 merged by Andrew Bogott:
[operations/dns@master] Add records for wikitech-static-ord

https://gerrit.wikimedia.org/r/356124

Actually migrating the VM turned out to be a nightmare, so I built a new install (running stretch) on https://wikitech-static-ord.wikimedia.org/wiki/Main_Page

It has a messed-up cert due to having a temporary name, so it is mostly unvisitable externally, but the content looks reasonable to me. Now I'm waiting to see if it syncs properly.

wikitech-static-ord is now updating properly! There's some fancy automatic cert stuff on wikitech-static, so I'm hoping to refer the next steps to whoever set that up... @Dzahn was that you?

@Andrew No, that wasn't me. That was Krenair. But I can take a look anyways once I get back (kind of off work for right now).

Pretty sure that is LE's certbot and I can fix it.

Great, thank you!

To clarify -- I want wikitech-static-ord to (eventually) be at https://wikitech-static.wikimedia.org so it should use the cert that the old wikitech-static is holding now. And then we can do a DNS change where we rename wikitech-static-ord to wikitech-static and wikitech-static to wikitech-static-iad (and leave -iad with a broken cert since I want to delete it in a few days anyway).

@Andrew How do I get on the machine? The root password in pwstore "wikitech-static" doesn't seem to work.

Change 356874 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/dns@master] Make the ORD wikitech-static the official wikitech-static.

https://gerrit.wikimedia.org/r/356874

Change 356930 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] wikitech-static: lower TTL to 5M

https://gerrit.wikimedia.org/r/356930

Change 356930 merged by Dzahn:
[operations/dns@master] wikitech-static: lower TTL to 5M

https://gerrit.wikimedia.org/r/356930

Change 356936 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/dns@master] status.wm.org: lower TTL to 5M

https://gerrit.wikimedia.org/r/356936

Change 356936 merged by Dzahn:
[operations/dns@master] status.wm.org: lower TTL to 5M

https://gerrit.wikimedia.org/r/356936

Change 356874 merged by Dzahn:
[operations/dns@master] Make the ORD wikitech-static the official wikitech-static.

https://gerrit.wikimedia.org/r/356874

23:14 mutante: maintenance on status.wikimedia.org and wikitech-static.wikimedia.org

23:18 mutante: wikitech-static-ord: installed package upgrades, installed vim, removing "ord" from Apache config after DNS change ..
23:19 mutante: wikitech-static (iad): adjust Apache config to use wikitech-static-iad
23:22 mutante: wikitech-static-ord copied Lets-Encrypt intermediate certs from /usr/local/share/ca-certificates on old server

23:45 mutante: wikitech-static-iad: create new cert for "iad" hostname, using acme-setup/acme-tiny: /usr/local/sbin# acme-setup -i "wikitech-static-iad" -s "wikitech-static-iad.wikimedia.org" ; python acme_tiny.py --account-key /etc/acme/acct/acct.key --csr /etc/acme/csr/wikitech-static-iad.pem --acme-dir /var/acme/challenge/ > /etc/acme/cert/wikitech-static-iad-signed.csr  ; had to hack acme_tiny.py

23:46 mutante: wikitech-static-iad: edited acme_tiny.py to adjust URL to agreement PDF, to fix "Provided agreement URL [1] does not match current agreement URL[2]"

00:04 mutante: wikitech-static-iad: mv /etc/acme/cert/wikitech-static-iad-signed.csr /etc/acme/cert/wikitech-static-iad.chained.crt ; wikitech-static-ord: copy wiki logo: /srv/mediawiki/images# wget https://wikitech-static-iad.wikimedia.org/w/images/labswiki.png

https://wikitech-static.wikimedia.org/wiki/Main_Page
https://wikitech-static-iad.wikimedia.org/wiki/Main_Page

^ switched, copied the LE intermediate certs, created new cert for "wikitech-static-iad", copied the logo .. done

https://status.wikimedia.org/ is also alright; all that was needed was to copy the Apache config. The needed modules (mod_proxy, proxy_html, proxy_http) were already loaded.

Dzahn reassigned this task from Dzahn to Andrew.

Re-enabled HSTS today; the setting was commented out in the Apache config from the migration, I guess. Bblack noticed the regression when doing an audit and asked. I re-enabled it when I saw the commented line.

Thanks! Indeed, this was marked out so I could test (when the host had a different DNS name).