Skip to content

Update fastly TLS subscriptions #886

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mweinelt merged 2 commits into from
Nov 14, 2025
Merged

Update fastly TLS subscriptions #886

mweinelt merged 2 commits into from
Nov 14, 2025

Conversation

@mweinelt
Copy link
Member

@mweinelt mweinelt commented Nov 4, 2025

This adds TLS1.2/1.3+0RTT and HTTP1.1/2/3 support on all Fastly hosts, migrates them all to Let's Encrypt and configures an appropriate CAA record.

Per https://crt.sh/?q=nixos.org the only host that remains with an incompatible certificate is 20th.nixos.org. (via 48c9b1c, cc @zimbatm).

@mweinelt mweinelt requested a review from a team as a code owner November 4, 2025 19:16
@zimbatm
Copy link
Member

zimbatm commented Nov 6, 2025

20th.nixos.org isn't used anymore. The historical value is fairly limited too. If there is no objection I would suggest removing it.

zowoq
zowoq reviewed Nov 7, 2025
View reviewed changes
@mweinelt mweinelt force-pushed the fastly-tls-update branch 2 times, most recently from ac50d29 to a75977a Compare November 7, 2025 01:47
@mweinelt mweinelt force-pushed the fastly-tls-update branch 2 times, most recently from 5484123 to aeada3c Compare November 14, 2025 02:45
@mweinelt
dns: configure CAA records for all domains
00b801b 
Going forward the only valid certificate authority tht can issue new
certificates is Let's encrypt.

No wildcard certificates are allowed.

Fixes: #877
@mweinelt
dns: retire 20th.nixos.org
e2b1b3b
@mweinelt mweinelt enabled auto-merge November 14, 2025 04:06
@mweinelt mweinelt disabled auto-merge November 14, 2025 04:06
@mweinelt mweinelt merged commit 2a13e5d into main Nov 14, 2025
15 checks passed
@mweinelt mweinelt deleted the fastly-tls-update branch November 14, 2025 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mic92 Mic92 Mic92 approved these changes

+1 more reviewer

@zowoq zowoq zowoq left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mweinelt @zimbatm @Mic92 @zowoq