Fwd: Heads up about TLS certificates

-------- Forwarded Message --------
Subject: Heads up about TLS certificates
Date: Tue, 23 Jul 2024 16:49:52 +0200
From: Magnus Hagander <magnus(at)hagander(dot)net>
To: buildfarm-admins(at)lists(dot)postgresql(dot)org
CC: sysadmins <sysadmins(at)postgresql(dot)org>

Hello!

Here's a heads-up that LetsEncrypt are discontinuing the "alternative
chain" they put in place back in 2021 for backwards compatibility with
older clients. That means that at the next refresh of the TLS
certificates for the buildfarm server, it will be automatically updated
to their new issuer certificates (and in fact to an updated intermediate
cert as well).

As they have discontinued the old compatibility ones, there is not much
we can do about it. Hopefully all buildfarm clients are enough up to
date to work out of the box with the new chain, in which case nothing
needs to be done.

The same certificate shift will happen on git.postgresql.org
<http://git.postgresql.org> that also has the compatibility chain today
specifically for really old buildfarm animals.

LE article: https://letsencrypt.org/2024/04/12/changes-to-issuance-chains

We expect this shift to happen in the next couple of days or week
(there's some dynamicness to it, so we don't know exactly when)

So, please keep an eye out. And if your animal does fail to communicate
after this date, please reach out to us at sysadmins(at)postgresql(dot)org and
we'll see if we can help you figure out how to get things back up!

//Magnus

--
Andrew Dunstan
EDB:https://www.enterprisedb.com