Fri 7 July 2023: Acknowledged and assigned by LF IT.
…
Tue 11 July 2023: Received two emails from Christopher Hoy Poy.
One with a ZIP file containing the .crt and .ca-bundle file.
One with a .key file, encrypted with GPG against my personal public key.
For future reference, please note that the turnaround time was quick in part due to escalation by Benjamin Sternthal and in part because Christopher was already familiar with me and my public key from the year before. I would recommend if someone else requests these in the future, to pair the original request with your GPG public key, and make sure to confirm that you want to receive it on an email address matching your GPG key.
Tue 11 July 2023: Decrypted the .key file, and generated the .pem file as per the README instructions in /modules/jquery/files/cert/. Subsequently verified the file using the verify_certs.sh script before uploading anywhere else.
Tue 11 July 2023: Changed Cloudflare settings for one lower-traffic domain (https://learn.jquery.com) to disable proxying, so that we can expose the wp-01.ops.jquery.net droplet directly for that site, thus testing the new certificate. Confirmed in a web browser that the certificate in use is indeed the new one ("Valid not before" some recent date, "Valid not after" next year).
Tue 11 July 2023: Invited people in #jquery_dev:gitter.im on Matrix to test against https://learn.jquery.com from their various devices and command-line clients.
Tue 11 July 2023: Uploaded the crt/key/ca-bundle files to Highwinds StrikeTracker without making it the default. Confirmed that Highwinds' own internal checks are all green.
Wed 12 July 2023: Wait at least 24h (preferably 48h) after the certificate's start date, to account for clients with broken clocks (as per README and referenced research paper by Google). The cert became valid July 11 00:00:00 UTC, so preferably go live on or after July 13 00:00:00. On the other hand, in this case we're also very close to the expiry of 14 July 2023, which creates the inverse problem, so we're forced to make a compromise.
Wed 12 July 2023 16:00: After about 36 hours of the cert being valid, and still more than 24 hours before the old cert expires, I've toggled the new cert as the default in Highwinds configuration.
Previous renewal at https://github.com/jquery/infrastructure/issues/551, with previous testing methodology and results at https://github.com/jquery/infrastructure/issues/551.
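The clock-skew trade-off in the 12 July entries can be checked mechanically from the output of `openssl x509 -noout -dates` for the new and old certificates. The following is an added example, not code from this issue or from the jquery/infrastructure repository; the function names, the symmetric margin on the old certificate's expiry, and all sample dates other than the new notBefore and the old expiry date are assumptions.

```python
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"   # format printed by `openssl x509 -noout -dates`
MIN_MARGIN = timedelta(hours=24)         # timeline: "at least 24h"
PREFERRED_MARGIN = timedelta(hours=48)   # timeline: "preferably 48h"

# Constructed sample input. Only the new notBefore and the old expiry *date*
# come from the timeline; every other value is made up for the example.
NEW_CERT = "notBefore=Jul 11 00:00:00 2023 GMT\nnotAfter=Jul 11 23:59:59 2024 GMT"
OLD_CERT = "notBefore=Jul 14 00:00:00 2022 GMT\nnotAfter=Jul 14 23:59:59 2023 GMT"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def preferred_window(new_cert, old_cert):
    """Span in which both certs keep the preferred margin, or None if empty."""
    # Slow client clocks reject a cert that is too new; fast ones reject one
    # that is too close to expiry. Assumption: same margin on both sides.
    start = parse_dates(new_cert)[0] + PREFERRED_MARGIN
    end = parse_dates(old_cert)[1] - PREFERRED_MARGIN
    return (start, end) if start <= end else None


def assess_go_live(new_cert, old_cert, go_live):
    """Classify a proposed switch-over time against both clock-skew margins."""
    since_valid = go_live - parse_dates(new_cert)[0]
    until_expiry = parse_dates(old_cert)[1] - go_live
    if min(since_valid, until_expiry) < MIN_MARGIN:
        verdict = "unsafe"
    elif min(since_valid, until_expiry) >= PREFERRED_MARGIN:
        verdict = "preferred"
    else:
        verdict = "compromise"
    return verdict, since_valid, until_expiry


if __name__ == "__main__":
    go_live = datetime(2023, 7, 12, 12, 0, tzinfo=timezone.utc)  # notBefore + 36h
    print("preferred window:", preferred_window(NEW_CERT, OLD_CERT))
    print("go-live verdict:", assess_go_live(NEW_CERT, OLD_CERT, go_live))
```

With these sample dates no switch-over time keeps 48 hours on both sides, so a go-live 36 hours after notBefore is classified as a compromise.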