
[MirageOS-devel] self-hosting the dns (Re: invalid certificates on mirage-related domains)

  • To: Markus Rudy <webmaster@xxxxxxxxxxxx>
  • From: Anil Madhavapeddy <anil@xxxxxxxxxx>
  • Date: Tue, 14 Aug 2018 15:19:04 +0100
  • Cc: mirageos-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 14 Aug 2018 14:19:23 +0000
  • List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>

Dear Markus,

Thanks for the heads-up!  I delayed a little with the quick fix this time in order
to deploy the new udns stack which supports Letsencrypt renewal.  As a
warning, this means switching our root name servers out, so there may be
some downtime for DNS over the next few hours/days.  In return, we will
have a fully self-hosted DNS/HTTPS mirage.io domain using itself!

The steps are:

- Switching root name server for mirage.io to udns. I have deployed a new
  host on packet.net running mirage-ns1.signpost.io (using the other domain
  to avoid needing a glue record for now).  It uses the "primary-git" example
  from udns, and is pointing at https://github.com/mirage/ns.mirage.io and
  uses Irmin to retrieve the zone file via Git.

- Once this has propagated, I need to set up the TSIG keys on that nameserver
  in order to do automated LE updates.  Hannes, do you have any tips/guides
  on how to do this or an example in the repo?

- When we have a new LE key for the website, I'm going to redeploy that on
  a new host (since the current mirage.io is running on an ancient Debian).
  It will initially run on Solo5 as well, but I'll add another Xen host later since, as Mindy
  points out, it's an important litmus test to make sure that backend works.

- Once this settles down, I'll set up a Datakit-CI instance to autorebuild the
  unikernels and deploy them on the hosts, and give SSH access to any
  Mirage developer that wants access to debug the infrastructure.


On 11 Aug 2018, at 12:42, Markus Rudy <webmaster@xxxxxxxxxxxx> wrote:

Hi all,

sorry in advance if this hits the wrong audience.

The following certificates are currently invalid:

- mirage.io: expired Aug 1st
- tls.openmirage.org: issued for tls.nqsb.org (which is defunct)

Cheers, Markus
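The two failures Markus reports (an expired certificate on mirage.io and a certificate issued for a different host name on tls.openmirage.org) are exactly what a small monitoring check should catch before users do, and such a check is worth wiring into the automated LE redeploy Anil describes. The following is an added example, not code from the thread or from the MirageOS project: it checks a peer certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, using constructed sample certificates that mirror the two reports; the `REPORT_TIME` and `warn_days` values are assumptions.

```python
"""Check a getpeercert()-style certificate dict for the two failure modes
reported on the list: expiry and a host-name mismatch (plus an early warning)."""
import ssl
from datetime import datetime, timezone

# Assumed clock: the time of Markus's report, used so the example runs offline.
REPORT_TIME = datetime(2018, 8, 11, 12, 42, tzinfo=timezone.utc)

def match_name(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a leftmost '*' label that
    covers exactly one label (no partial-label or multi-label wildcards)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the CN only when no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_cert(cert: dict, hostname: str, now: datetime = REPORT_TIME,
               warn_days: int = 14) -> list:
    """Return the list of problems found; an empty list means the cert is fine."""
    problems = []
    names = cert_names(cert)
    if not any(match_name(n, hostname) for n in names):
        problems.append(f"hostname mismatch: {hostname} not in {names}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    if now >= not_after:
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < warn_days:
        problems.append(f"expires in {(not_after - now).days} days")
    return problems

# Constructed sample certificates mirroring the two reports in the thread.
MIRAGE_IO = {"subject": ((("commonName", "mirage.io"),),),
             "subjectAltName": (("DNS", "mirage.io"),),
             "notAfter": "Aug  1 00:00:00 2018 GMT"}
TLS_OPENMIRAGE = {"subject": ((("commonName", "tls.nqsb.org"),),),
                  "subjectAltName": (("DNS", "tls.nqsb.org"),),
                  "notAfter": "Dec 31 23:59:59 2018 GMT"}

if __name__ == "__main__":
    for host, cert in (("mirage.io", MIRAGE_IO), ("tls.openmirage.org", TLS_OPENMIRAGE)):
        print(host, check_cert(cert, host) or ["ok"])
```

In a real deployment the dict comes from `ssl.SSLSocket.getpeercert()` after a handshake with the host being monitored, and the check runs on a schedule so that the "expires in N days" warning fires before the renewal deadline.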

MirageOS-devel mailing list
