[19:41:26] <Urbanecm>	 Hi all, can anybody help me which project should I assign to T152622 ? I can't find any. 
[19:41:26] <stashbot>	 T152622: Wikipedia.cz and other domains owned by WMCZ have invalid certificate - https://phabricator.wikimedia.org/T152622
[19:42:36] <mutante>	 Urbanecm: try "domains"
[19:42:43] <mutante>	 oh wait
[19:42:49] <mutante>	 looks again
[19:43:08] <Urbanecm>	 mutante, should I revert myself?
[19:43:13] <Krenair>	 this will probably be a dupe
[19:43:27] <mutante>	 so here's the thing
[19:43:30] <Krenair>	 it's another domain that points to the WMF production cluster but isn't listed on the cert
[19:44:06] <mutante>	 if it points to prod and isnt on the cert, adding domains  (and Herald then adding 'Traffic') wasn't bad
[19:44:21] <Urbanecm>	 Krenair, yes, I know. Who and how can fix it? 
[19:44:47] <mutante>	 so there is an existing "epic" ticket about getting secure redirects.. at ...hold on
[19:44:54] <Krenair>	 theoretically WMCZ could point it to their own servers instead of WMF, then put a valid cert on it
[19:45:13] <mutante>	 https://phabricator.wikimedia.org/T133548
[19:45:19] <mutante>	 this ticket blocks it  kind of
[19:45:21] <Krenair>	 There's a better way that's...
[19:45:30] <Krenair>	 (annoying to find without gerrit)
[19:45:36] <Krenair>	 yep, T133548
[19:45:36] <Urbanecm>	 I asked for it, they told me I should fill a ticket at phab :D
[19:45:36] <stashbot>	 T133548: Create a secure redirect service for large count of non-canonical / junk domains - https://phabricator.wikimedia.org/T133548
[19:45:38] <mutante>	 either WMCZ could use Letsencrypt
[19:45:50] <mutante>	 or we could but it will be later in the future
[19:45:59] <mutante>	 or money
[19:46:03] <mutante>	 for either of the 2 orgs
[19:46:08] <Urbanecm>	 mutante, we use Let's encrypt at some domains (such as wikimedia.cz)
[19:46:35] <mutante>	 Urbanecm: your ticket is a subtask of T133548 pretty much
[19:47:00] <mutante>	 and the "Traffic" tag that is on it now via Herald will get it attention
[19:47:35] <Urbanecm>	 mutante, I added T133548 as parent one. 
[19:47:40] <mutante>	 and/or you could email WMCZ and WMF-legal if it's about transferring domains
[19:47:43] <mutante>	 in either direction
[19:49:19] <Urbanecm>	 No, it isn't about transferring. Wiki domains are sponsored by Active24 (as far as I know) and they don't cost WMCZ anything. 
[19:50:22] <Urbanecm>	 I only want to get rid of "Wikipedia.cz isn't secure" dialog. WMCZ points me to WMF, WMF to WMCZ and I don't know who should be asked :D
[19:51:19] <Krenair>	 WMCZ pointing you to WMF indicates that they likely don't want to point it back and handle it themselves
[19:51:23] <mutante>	 yea, so because "mixing" it between 2 organziations makes it more complicated, that is why i say _maybe_ it involves changing something in a way so that one of the orgs does it all , the domain and the ssl setup
[19:51:38] <mutante>	 this is all from a time before https-only
[19:51:41] <Krenair>	 Ultimately this should be solved with the secure redirect service running in WMF production
[19:51:43] <mutante>	 when things like this didnt matter that much
[19:52:49] <Urbanecm>	 Krenair, what does the secure redirect service in WMF prod require? Transfer? Anything else?
[19:53:06] <Krenair>	 for this domain, technically, nothing
[19:54:06] <Urbanecm>	 Krenair, if nothing else is needed why it does not work? Sorry for my silly question but I'm only trying to understand the problem (there generally is some kind of problem)
[19:54:07] <mutante>	 well, see the check boxes on that ticket. " Puppetize a service role built around modules/nginx + modules/letsencrypt that can redirect a configured large set of domainnames securely."
[19:54:16] <Krenair>	 policy-wise ops *could* (if they don't mind being a pain) choose to require that domains hosted by that service be registered by WMF
[19:54:19] <mutante>	 it will happen but not tomorrow
[19:54:36] <Krenair>	 Right now, it is registered by WMCZ but pointing to nameservers in WMF Prod
[19:54:49] <Urbanecm>	 Krenair, you're right. 
[19:55:15] <Krenair>	 Urbanecm, the thing needed is the secure redirect service itself :)
[19:55:42] <Krenair>	 Basically it'd be a system that knows all redirect-domains like this, how to handle requests for them, and how to generate certs for each using LE
[19:55:49] <mutante>	 or WMCZ would have to host it themselves
[19:55:59] <mutante>	 which they dont want to , afaict
[19:58:13] <Urbanecm>	 mutante, I wrote to WMCZ and I was told "There is two ways. 1) Fill a ticket or 2) move the domains to WMCZ server and setup it. I would recommend starting with the first one." (this is only translation as the e-mail was in Czech). 
[19:58:21] <mutante>	 before we switched to https-only this wasnt such a big deal, we just setup some Apache rewrites rules, but times have changed. everything needs a cert now
[19:58:33] <mutante>	 and we have hundreds and hundreds of domains
[19:58:44] <mutante>	 that are either just redirects or not used at all
[19:59:17] <mutante>	 this is always an ongoing discussion which of these domains should even be supported and where you draw the line
[19:59:45] <mutante>	 and if you want to spend donor money on it or not.. then came LE and the chance to get it for free
[20:00:21] <mutante>	 and while that works for a few misc services it cant just scale easily to hundreds of domains 
[20:00:49] <Urbanecm>	 I understand there is much domains. I don't want it right now preferably yesterday. I only want to know who should be asked for fixing (I suppose the Foundation) and know when I should ask again for updates :). 
[20:01:10] <mutante>	 Urbanecm: If WMCZ says they want the domains back i think that would be just fine with WMF, but you should then contact Charles at legal
[20:02:08] <Urbanecm>	 mutante, want the domains back? The domains are owned by WMCZ. I'm confused. 
[20:02:09] <mutante>	 if the domain, the DNS and the cert are all at WMCZ that would be another way to fix it i think
[20:02:39] <Urbanecm>	 mutante, okay. So all of this things must be owned by one org? Am I right?
[20:02:53] <mutante>	 Urbanecm: owned but not hosted, they point to WMF infra, that's what i meant by "mixing makes it more complicated"
[20:03:00] <mutante>	 no, not "must be owned"
[20:03:15] <Urbanecm>	 mutante, that's right. 
[20:03:20] <Urbanecm>	 mutante, so what exactly? :)
[20:03:21] <mutante>	 just saying it adds to the confusion
[20:03:29] <Krenair>	 Urbanecm, your question is not clear.
[20:03:41] <Urbanecm>	 Krenair, how can I make it more clear?
[20:03:48] <Krenair>	 Try stating it again
[20:04:52] <Urbanecm>	 <mutante> no, not "must be owned"
[20:04:52] <Urbanecm>	 <Urbanecm> mutante, so what exactly? :)
[20:04:52] <Urbanecm>	 I meant "What should be changed if not the ownership?"
[20:05:08] <mutante>	 i think the summary is.  either "wait for WMF to fix it at some point in the future" or "WMCZ hosts the domain without using WMF"
[20:05:09] <Krenair>	 Okay
[20:05:15] <Krenair>	 There are two ways to do this
[20:05:31] <Krenair>	 I will address the technical aspects, there may be policy reasons why not to do one or both of these
[20:05:57] <Krenair>	 1) Transfer back to WMCZ
[20:06:03] <Krenair>	 1a) WMCZ moves domain back to their own nameservers
[20:06:10] <Krenair>	 1b) WMCZ changes the domain to be handled by their web server.
[20:06:35] <Krenair>	 1c) WMCZ adds a cert for the domain, using either a paid provider or LE
[20:06:46] <Krenair>	 2) WMF-hosted secure redirect service
[20:07:45] <Krenair>	 2a) WMF sets up a new IP to handle this domain, with apache/nginx knowing the correct redirect rules and having all the correct certs
[20:08:23] <Krenair>	 2b) WMF changes the domain to be handled by this new server
[20:08:42] <Krenair>	 Urbanecm, now, it sounds like from what you said they're not going to do #1
[20:08:59] <Krenair>	 mutante, does that all sound accurate to you?
[20:10:15] <Urbanecm>	 Krenair, as I understood the mail we (I'm a member) prefer #2 (but #1 is possible if needed). 
[20:11:54] <mutante>	 Krenair: that sound accurate, yea
[20:12:58] <Krenair>	 This also assumes we're not going to end up in a situation where WMCZ owns the domain and points it to WMF NSes, then WMF points the domain to WMCZ web servers
[20:13:09] <mutante>	 are there are any WMCZ ops people that happen to be on Phabricator and can be added to that ticket
[20:13:09] <mutante>	 or maybe can be asked to start using it when we point out they can use existing wiki users to login
[20:13:44] <Urbanecm>	 Thanks for the summary. Should I ask for something?
[20:13:51] <Urbanecm>	 che
[20:13:54] <Krenair>	 I think when it comes to 'ops' people in chapters we're probably talking about OIT-equivalent IT support, right?
[20:13:55] <Urbanecm>	 but he is already added. 
[20:14:08] <Urbanecm>	 OIT is what?
[20:14:13] <Krenair>	 Office IT
[20:14:31] <Krenair>	 some chapters don't even have staff
[20:14:52] <Urbanecm>	 And how staff is related to the domain problem? 
[20:14:59] <mutante>	 and "WMF owns the domain but points it to WMCZ NS server" is technically possible but policy-wise a problem
[20:15:15] <mutante>	 as an addition to the summary
[20:15:19] <Krenair>	 Urbanecm, mutante wanted to CC someone doing ops work at WMCZ on the ticket
[20:15:29] <Krenair>	 yes
[20:15:42] <mutante>	 i was just saying more people on the ticket will help
[20:15:42] <Krenair>	 a theoretical problem, I might add
[20:15:53] <mutante>	 people who do the technical setup 
[20:16:19] <Urbanecm>	 Krenair, I understood. Che is WMCZ's op (and he is already added). 
[20:16:25] <Krenair>	 okay great
[20:16:32] <mutante>	 cool
[20:16:56] <mutante>	 maybe just paste the chat logs.. 
[20:17:03] <Krenair>	 I'll copy my little list above (along with the notes about silly things we're probably not going to do) to the ticket
[20:17:09] <mutante>	 great
[20:17:14] <Urbanecm>	 Thanks Krenair. 
[20:27:04] <Krenair>	 mutante, Urbanecm: does this comment address everything?
[20:35:38] <mutante>	 Krenair: seems like a good summary, thanks for writing it up
[20:36:01] <Krenair>	 Urbanecm, got any more questions?
[20:36:20] <mutante>	 i added CRoslof
[20:36:31] <mutante>	 he handles domains in legal now
[21:06:59] <Urbanecm>	 Krenair, no, thanks for your help