Page MenuHomePhabricator

Setup wikimediafoundation.org domain for July 30 launch of new site
Closed, ResolvedPublic

Description

On 30 July 2018, the new wikimediafoundation.org will launch. It is being hosted on Automattic's servers. This ticket is to help track the tasks related to setting up the domain.

Event Timeline

Varnent created this task.Jul 5 2018, 9:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 5 2018, 9:58 PM

Initial setup questions from Automattic:

  • "Would you like us to provision a free Let's Encrypt certificate for your sitewide SSL, or would you prefer to use your own certificate? (We recommend the former as being one less thing for you to manage, as detailed here.)"
  • "Will you want HSTS headers enabled on the site?"
BBlack added a subscriber: BBlack.Jul 16 2018, 6:18 PM

Certs: yes, they should use Letsencrypt, which we'll authorize via CAA records in our DNS.
HSTS: yes, with a 1-year lifetime and preloading enabled. This and other HTTPS policy details are covered (at least lightly to basic minimums) here, if you want to point Automattic at it: https://wikitech.wikimedia.org/wiki/HTTPS#For_all_public-facing_HTTP[S]_sites_and_services_under_Wikimedia_control

@BBlack - excellent - thank you!!

Change 446306 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] wikimediafoundation.org: add CAA authorizing LE

https://gerrit.wikimedia.org/r/446306

The key thing we're missing here on our end, by the actual transition date, is an IP address from Automattic to put in our DNS for this domain.

herron triaged this task as Medium priority.Jul 17 2018, 3:21 PM

Change 446306 merged by BBlack:
[operations/dns@master] wikimediafoundation.org: add CAA authorizing LE

https://gerrit.wikimedia.org/r/446306

The IP address is 192.0.66.2

Thanks! Since that's also the IP they use for policy.wikimedia.org, we can at least have some confidence in the basics of the TLS config, from our auditing on that other hostname.

I know the deadline date is July 30. Do we have an idea about the other book-end date of when the Automattic side is ready and waiting for the IP to switch? As best I can tell probing that IP, I don't think the domain is yet configured there (as in, able to handle the domain's traffic if we suddenly switched it over right now), but I can't be 100% sure from my POV.

Unfortunately, due to unavoidable basic tech issues (which we wouldn't want to change!), we won't really be able to pre-flight-test this from our end much, because we won't be able to connect to the new site with the proper hostname and SNI until after we've moved the DNS resolution over to them and they've obtained the LE cert, at which point it's already live for real use.

In any case, we'll want to set a date and time (probably closer to the deadline, e.g. weds next week, given cache considerations?) where we can coordinate close timing with Automattic on the basic hand-off process to minimize downtime of the domainname. The process looks something like this:

  1. Ahead of the critical window: we reduce the relevant DNS TTLs below from 10-minute to 1-minute.
  2. We change our DNS, pointing www.wikimediafoundation.org and wikimediafoundation.org hostnames to 192.0.66.2.
  3. A minimum 1-minute dead/dysfunctional period happens here - DNS from client POV will be randomly one or the other, the new site won't be functional, and we have to wait out the minute.
  4. With the TTL expired, Automattic can reliability attempt to acquire the certificate for the site from LetsEncrypt. As soon as the cert is acquired and deployed by their automation, the site should be working and live.
  5. We can conduct some basic sanity checks (e.g. TLS details, various layers of redirect behavior, etc) after it's already live for users.

Probably a scheduled time and a direct line of communication is best, otherwise we could end up with a larger window of unavailability between the DNS change (2, by us) and the LE cert acquisition/deployment (4, by them).

Excellent! I pinged Automattic about this earlier today to setup a meeting with us, Reaktiv, and Automattic to finalize things. Who should be invited from Tech?

I guess me!

Change 449171 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] wikimediafounation.org A TTLs: 60s for move today

https://gerrit.wikimedia.org/r/449171

Change 449171 merged by BBlack:
[operations/dns@master] wikimediafounation.org A TTLs: 60s for move today

https://gerrit.wikimedia.org/r/449171

Change 449341 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] wikimediafoundation.org: switch IPs to Automattic

https://gerrit.wikimedia.org/r/449341

Change 449342 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/dns@master] wikimediafoundation.org: switch TTLs back to 10m

https://gerrit.wikimedia.org/r/449342

Change 449341 merged by BBlack:
[operations/dns@master] wikimediafoundation.org: switch IPs to Automattic

https://gerrit.wikimedia.org/r/449341

Varnent closed this task as Resolved.Jul 31 2018, 12:11 AM
Varnent claimed this task.

Thank you @BBlack for all your help today!

Change 449342 merged by BBlack:
[operations/dns@master] wikimediafoundation.org: switch TTLs back to 10m

https://gerrit.wikimedia.org/r/449342

Here is a ticket for the redirects in general on the new site: [T200754]