search: remove canonical cert given CDN with origin TLS to FQDN

Krinkle · Krinkle · commit 10db3ee5b8e2 · 2026-06-02T05:33:28.000+01:00
Make the temporary change indefinite for now.
diff --git a/hieradata/nodes/search-03.ops.jquery.net.yaml b/hieradata/nodes/search-03.ops.jquery.net.yaml
@@ -1,9 +1,2 @@
-profile::certbot::certificates:
-  search:
-    domains:
-      # Skip canonical host while setting up
-      # - typesense.jquery.com
-      - "%{::facts.networking.fqdn}"
-
 # https://github.com/jquery/infrastructure-puppet/issues/36
 # profile::typesense::api_key: "0.25.2"
diff --git a/hieradata/roles/search.yaml b/hieradata/roles/search.yaml
@@ -7,7 +7,15 @@
 profile::certbot::certificates:
   search:
     domains:
-      - typesense.jquery.com
       - "%{::facts.networking.fqdn}"
+      # Keep canonical name commented out, because we serve it via CDN
+      # which has its own cert (and connects to origin via TLS using the FQDN).
+      # By not redundantly generating the canonical cert here as well,
+      # we ease provisioning new instances which otherwise requires removing it
+      # temporary during setup and then re-adding after switching traffic as
+      # otherwise certbot can't reach itself.
+      #
+      # Comment this out if we need to serve directly without CDN
+      # - typesense.jquery.com
 
 profile::typesense::tls_key_name: search
