On 30 July 2018, the new wikimediafoundation.org will launch. It is being hosted on Automattic's servers. This ticket is to help track the tasks related to setting up the domain.
|Resolved||Varnent||T188774 Launch of new Wikimedia Foundation website (Tracking task)|
|Resolved||Varnent||T198922 Setup wikimediafoundation.org domain for July 30 launch of new site|
Initial setup questions from Automattic:
- "Would you like us to provision a free Let's Encrypt certificate for your sitewide SSL, or would you prefer to use your own certificate? (We recommend the former as being one less thing for you to manage, as detailed here.)"
- "Will you want HSTS headers enabled on the site?"
Certs: yes, they should use Letsencrypt, which we'll authorize via CAA records in our DNS.
HSTS: yes, with a 1-year lifetime and preloading enabled. This and other HTTPS policy details are covered (at least lightly to basic minimums) here, if you want to point Automattic at it: https://wikitech.wikimedia.org/wiki/HTTPS#For_all_public-facing_HTTP[S]_sites_and_services_under_Wikimedia_control
Thanks! Since that's also the IP they use for policy.wikimedia.org, we can at least have some confidence in the basics of the TLS config, from our auditing on that other hostname.
I know the deadline date is July 30. Do we have an idea about the other book-end date of when the Automattic side is ready and waiting for the IP to switch? As best I can tell probing that IP, I don't think the domain is yet configured there (as in, able to handle the domain's traffic if we suddenly switched it over right now), but I can't be 100% sure from my POV.
Unfortunately, due to unavoidable basic tech issues (which we wouldn't want to change!), we won't really be able to pre-flight-test this from our end much, because we won't be able to connect to the new site with the proper hostname and SNI until after we've moved the DNS resolution over to them and they've obtained the LE cert, at which point it's already live for real use.
In any case, we'll want to set a date and time (probably closer to the deadline, e.g. weds next week, given cache considerations?) where we can coordinate close timing with Automattic on the basic hand-off process to minimize downtime of the domainname. The process looks something like this:
- Ahead of the critical window: we reduce the relevant DNS TTLs below from 10-minute to 1-minute.
- We change our DNS, pointing www.wikimediafoundation.org and wikimediafoundation.org hostnames to 220.127.116.11.
- A minimum 1-minute dead/dysfunctional period happens here - DNS from client POV will be randomly one or the other, the new site won't be functional, and we have to wait out the minute.
- With the TTL expired, Automattic can reliability attempt to acquire the certificate for the site from LetsEncrypt. As soon as the cert is acquired and deployed by their automation, the site should be working and live.
- We can conduct some basic sanity checks (e.g. TLS details, various layers of redirect behavior, etc) after it's already live for users.
Probably a scheduled time and a direct line of communication is best, otherwise we could end up with a larger window of unavailability between the DNS change (2, by us) and the LE cert acquisition/deployment (4, by them).