Following the positive experience with ImportDump and given very limited experience with webservices, we've decided that for the time being it would be better to follow that model for SSL. These are the steps that are being/were taken
- Step 1: Automatically copy and commit private keys
- Step 2: Automatically push certificates to GitHub
- Step 3: Create RequestSSL and automatically add ManageWiki $wgServer entry
- Step 4: Create an API endpoint on puppet141 and configure it to listen to requests from the RequestSSL extension and execute '/root/ssl-certificate' when requests are marked as completed
- Step 5: Automatically add DNS zone for wikis that have pointed their NS to Miraheze (check whether CNAME, if not add zone)
- Step 6: Decommission the SSL admin group
<Original plan; kept as an archive; might not follow exactly>
- Update check_reverse_dns to check records present too.
- Move SSL generation from mwtask141 to puppet141
- Automate copying private keys
- Automate pushing certificates from puppet141 to GitHub
- Update certbot cli to check rDNS is correct and either CNAME or NS record is present. Add argument to skip this.
- Create a web form to automate creating SSL tasks + checking validity - refuse to create if invalid.
- create a new wrapper for generating new ssl certs, include updating ManageWiki (puppet-user will be pointless at this point).
- Move all SSL requests to the new ssl self serve site and allow one click to do everything.