Obtain HTTPS cert for labs.torproject.org

We need an HTTPS certificate to host labs.torproject.org. Right now, we could point the labs.torproject.org domain at the load balancer at live-tor-labs.pantheon.io via CNAME, but that will need to change to an A record as soon as we deploy HTTPS.

Since we know we want HTTPS, we might as well get the cert first, and then create the A record after that.

added component::internal services/tor sysadmin team owner::mikeperry priority::medium resolution::wontfix severity::normal status::closed type::task labels

On IRC, weasel pointed out that HTTPS certs is phobos's responsibility.

Trac:
Status: new to assigned
Owner: N/A to phobos

Mike, if you walk me through what exactly you think I should do, I can get a cert on the company cc.

Alternatively, you can get one and expense it if you would prefer, but please coordinate with me to ensure that we keep a copy of the necessary administrative material and keys in (encrypted) storage.

Either is fine by me.

Since we've deleted phobos' password (#15896 (moved)), I'm reassigning all his open tickets.

As our (interim) Executive Directors, I think this task would fall to either Roger or Nick, but since Nick suggested it was possible, and this ticket was created by Mike…

mikeperry: I'm assigning to you. Reassign to arma or nickm if you think they're better suited to getting this done.

Trac:
Owner: phobos to mikeperry

(FWIW, Roger is interim ED; I am interim deputy ED.)

Mike, I'm cool with either of the options above.

I suspect that I will not be able to get an HTTPS cert without control of either DNS (to point labs.torproject.org somewhere and prove that I can create documents there) or the torproject.org TLD admin contact info (to recieve email/phone call for domain verification).

Therefore, I think it would be best if you could handle this, Nick. If you are concerned about opsec issues wrt the cert, I can still handle it, but we'll probably need to point labs.torproject.org somewhere I control first.

Is there anything to be done here, still?

Trac:
Severity: N/A to Normal
Sponsor: N/A to N/A
Status: assigned to needs_information

Seems like that's a no.

Trac:
Status: needs_information to closed
Resolution: N/A to user disappeared

Nope, issue is still not fixed. Upon visit I get the "This Connection is Untrusted" page.

Trac:
Resolution: user disappeared to N/A
Status: closed to reopened

Then this is something the owner of the service needs to deal with, not tpa.

Trac:
Status: reopened to closed
Resolution: N/A to wontfix

closed

mentioned in issue #16237 (moved)

mentioned in issue #16278 (closed)