Closed slingamn closed 5 years ago
Let's do #6 as part of this. Bionic ships openssl 1.1.0g, which includes CHACHA20 cipher suites. We can probably just use the "modern" cipher list from here: https://wiki.mozilla.org/Security/Server_Side_TLS
@edmund-huber could you create these DNS records for testing purposes?
(1) an A record for bionic.darwin.network pointing to 167.114.129.198
(2) an AAAA record for bionic.darwin.network pointing to 2607:5300:201:3100:0:0:0:7427
(3) a TXT record for 201808._domainkey.darwin.network with contents:
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ0j5RVXr6jtMjvPx72JTL/3p2CwqgqUK34m8WKzH+XxXLbSvlnWlziv6yVpE5IcAB8u48OXUzMAZxaBmhlHMPg8K5vadKyi7/8LQDRyE/RZvU5LCI6ztdvGj8ZUwdg8a16C/XOG1v6zo4wAtg3Le/prsJmHES+e99q1/A3y7IzwIDAQAB
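Before a DKIM selector like the one requested above goes live, it is worth checking that the p= value actually decodes to the RSA key you think it is and how large that key is. The following is an added example, not code from this thread or from the darwin.network setup: it parses the record's tag list with the Python standard library only, walks the DER SubjectPublicKeyInfo in p= far enough to read the modulus and exponent, and reports the key size against RFC 8301 (1024 bits is the floor signers must meet, 2048 bits is the recommendation). The record quoted in the thread is embedded as the sample input; the function names are this example's own.

```python
"""Sanity-check a DKIM TXT record (k=rsa; p=...) before publishing it.

Added example for the record requested in the thread; standard library only.
"""
import base64
import re

# The record quoted in the thread, embedded here as the sample input.
DKIM_TXT = (
    "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ0j5RVXr6jtMjvPx72JTL"
    "/3p2CwqgqUK34m8WKzH+XxXLbSvlnWlziv6yVpE5IcAB8u48OXUzMAZxaBmh"
    "lHMPg8K5vadKyi7/8LQDRyE/RZvU5LCI6ztdvGj8ZUwdg8a16C/XOG1v6zo4"
    "wAtg3Le/prsJmHES+e99q1/A3y7IzwIDAQAB"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_dkim_record(txt):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag-list).

    Whitespace inside a value is insignificant and is stripped, which also
    rejoins a p= value that a DNS provider has split across several strings.
    """
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got 0x{tag:02x}")


def rsa_public_key_params(spki_der):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo.

    Layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                       BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    tag, spki, end = _read_tlv(spki_der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    if end != len(spki_der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    tag, alg, pos = _read_tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bitstr[0] != 0:  # first byte of a BIT STRING is the unused-bit count
        raise ValueError("unexpected unused bits in BIT STRING")
    tag, rsapub, _ = _read_tlv(bitstr[1:], 0)
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n, pos = _read_tlv(rsapub, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    tag, e, _ = _read_tlv(rsapub, pos)
    _expect(tag, 0x02, "exponent INTEGER")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def assess_dkim_record(txt):
    """Parse, decode and size-check an RSA DKIM key record."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM record version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa records are handled here")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    if tags["p"] == "":
        return {"revoked": True}  # an empty p= means the selector is revoked
    der = base64.b64decode(tags["p"], validate=True)
    bits, exponent = rsa_public_key_params(der)
    return {
        "revoked": False,
        "modulus_bits": bits,
        "exponent": exponent,
        "meets_rfc8301_minimum": bits >= 1024,          # MUST for signers
        "meets_rfc8301_recommendation": bits >= 2048,   # SHOULD for signers
    }


if __name__ == "__main__":
    print(assess_dkim_record(DKIM_TXT))
```

Run against the record in the thread, this reports a 1024-bit modulus with exponent 65537: valid and accepted by verifiers, but below the 2048-bit size RFC 8301 recommends for new keys, which is the kind of thing that is cheaper to change before the selector is published than after.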
New server looks good. Steps for the cutover (maybe Monday afternoon):
/etc/certificates/irc.darwin.network to contain symlinks to /etc/letsencrypt/live
Preliminary checks look good. Here are the DNS changes (these should be as nearly simultaneous as possible, to avoid any split-brain):
(1) A record for darwin.network to point to 167.114.129.198, keeping the TTL at 60 seconds
(2) AAAA record for darwin.network, pointing to 2607:5300:201:3100:0:0:0:7427, TTL 60 seconds
Old darwin.network A record: 35.171.127.21.
Old darwin.network AAAA record: N/A.
Assigning to you to shut down the old server; if we have reliability problems with OVH, I think we'll spin up a new EC2 instance on Bionic rather than try to reuse the old one.
There are three entities involved:
bump
The point release 18.04.1 is out; let's rebuild the server on Bionic. Proposed strategy: