policy.md +1 −0 Original line number Original line Diff line number Diff line Loading @@ -60,6 +60,7 @@ and add it to the above list. * [TPA-RFC-61: 2024 roadmap](policy/tpa-rfc-61-roadmap-2024) * [TPA-RFC-61: 2024 roadmap](policy/tpa-rfc-61-roadmap-2024) * [TPA-RFC-62: TPA password manager](policy/tpa-rfc-62-tpa-password-manager) * [TPA-RFC-62: TPA password manager](policy/tpa-rfc-62-tpa-password-manager) * [TPA-RFC-63: Storage server budget](policy/tpa-rfc-63-storage-server-budget) * [TPA-RFC-63: Storage server budget](policy/tpa-rfc-63-storage-server-budget) * [TPA-RFC-64: Puppet TLS certificates](policy/tpa-rfc-64-puppet-tls-certificates) ## Rejected ## Rejected Loading
policy/tpa-rfc-64-puppet-tls-certificates.md 0 → 100644 +35 −0 Original line number Original line Diff line number Diff line Migration Plan: Phase I: add a new boolean param to ssl::service named "dehydrated". If set to true, it will cause ssl::service to create a key and request a cert via puppet dehydrated. It will not install the key or cert in any place we previously used, but the new key will be added to the TLSA set in DNS. This will enable us to test cert issuance somewhat. Phase II: For instances where ssl::service dehydrated param is true and we have a cert, we will use the new key and cert and install it in the place that previously got the data from puppet/LE. Phase III: Keep setting dehydrated to true for more things. Once all are true, retire all letsencrypted-domains certs. Phase IV: profit Phase XCIX: Long term, we may retire ssl::service and just use dehydrated::certificate directly. Or not, as ssl::service also does TLSA and onion stuff.
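Review bot: Phase II of the migration plan in policy/tpa-rfc-64-puppet-tls-certificates.md switches a service to the new key and cert as soon as "we have a cert", with no stated check that the TLSA record added in Phase I is actually published and has had time to propagate. Consider making that an explicit precondition, for example waiting at least the record's TTL after the Phase I change before installing the new cert. Phase III retires the letsencrypted-domains certs but does not say when the old keys are removed from the TLSA set, and the plan names no rollback step if a service breaks after the Phase II switch. "Phase IV: profit" carries no action and could be dropped, and the "Or not" in Phase XCIX would read better as a stated open question about who keeps handling TLSA and onion setup if ssl::service is retired.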