search

numfocus / infrastructure

Policies, Configurations, and Documentation of NumFOCUS Managed Infrastructure
https://numfocus.github.io/infrastructure/
MIT License
13 stars 6 forks source link

scverse certiicates #40

Open aterrel opened 1 month ago

aterrel commented 1 month ago

Project

scverse

Observations

See comments from ivirshup at: https://github.com/numfocus/infrastructure/issues/34#issuecomment-2146306762

Looks like the github certificate expired and switching to ssl termination broke muon.scverse.com. Need to debug options.

aterrel commented 1 month ago

@ivirshup please me the email list of folks who should access your cloudflare instance and I'll try to set it up for you to see yourself.

aterrel commented 1 month ago

It appears switching to full mode rather than strict works for both muon.scverse.org and scverse.org

Screenshot 2024-06-04 at 9 06 03 AM
martey commented 1 month ago

This is my fault. When I set up the scverse.org DNS records in CloudFlare, I set up the Github Pages records (scverse.org, www.scverse.org, and muon.scverse.org) to be proxied through CloudFlare. Because Github Pages had previously generated a SSL certificate through Let's Encrypt, everything seemed to be working when I changed the encryption mode to "Full (Strict)". This mode does not allow Github Pages to renew the certificate, though, so this issue started when the Github Pages certificate expired.

Andy's change of the encryption mode to "Full" does fix the problem, but at some point in the future we should disable proxying on the records that point to Github Pages and tell Github to try and renew the certificates again. This would allow switching back to "Full (strict)", which is more secure.

aterrel commented 1 month ago

@martey so you think Github is not renewing the certificate correctly? Perhaps we could set up a test for this on another repository.

ivirshup commented 1 month ago

@aterrel could you add ivirshup and bredikhin.daniel at gmail to this? Thanks!

martey commented 1 month ago

so you think Github is not renewing the certificate correctly? Perhaps we could set up a test for this on another repository.

Yes. https://community.cloudflare.com/t/github-pages-keep-saying-it-cant-enforce-https/397570/2 and a few other support threads I found suggest that Github won't provision/renew certificates if the domain's DNS records do not resolve to Github IP addresses (which is the case when DNS records are being proxied through Cloudflare).

We switched scverse.org to Cloudflare in the middle of last month (around May 19th) and LetsEncrypt certificates are generally able to renewed a month before expiration, so the certificate's expiration suggests that Github might be waiting until just before expiration to try and renew. I'm also not sure why Github doesn't warn you when there are issues renewing a certificate.