freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 19:58:54 GMT
Actually, I have just seen that the challenge directory must be
/.well-known/acme-challenge/, so now it's this:
http://try.freemarker.org/.well-known/acme-challenge/test.txt
http://try.freemarker.apache.org/.well-known/acme-challenge/test.txt
Also, now it doesn't redirect to HTTPS.

And, don't install httpd now suddenly... that part of the problem is
solved, we don't need it. It's going to be something like

  certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge


Tuesday, May 15, 2018, 8:43:06 PM, Daniel Dekany wrote:

> OK, so now hopefully it's ready for Let's Encrypt.
>
> In /opt/fmonlinetester/etc/freemarker-online.yml you can see:
>
> - That now it also serves over HTTPS, in addition to HTTP.
>   For now it uses /etc/letsencrypt/live/example.p12; it's just an example
>   (I'm not even sure if the directory will be that.)
>
> - Dropwizard will need a standard p12 file. (No need for JKS, though that works
>   as well.)
>
> - /opt/fmonlinetester/var/letsencrypt-verify is served as static
>   content. Try this: http://try.freemarker.org/letsencrypt-verify
>   So that's what certbot will have to overwrite for the verification.
>
> - http://try.apache.freemarker.org/ redirects to
>   https://try.apache.freemarker.org/
>   Now that I think about it, I'm not sure if Let's Encrypt will like
>   that during the verification... with our example cert... well,
>   let's hope it does.
>
> When certbot is run by cron (I guess it is), then two extra steps
> will be needed:
>
> 1. Converting to p12 format.
> 2. Trigger SSL certificate reloading with curl (POST to localhost:8081/tasks/reload-ssl)
>
> Examples:
> https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
> https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html
>
> (Again, we don't need to convert the p12 further to jks... the p12 is
> already good.)
>
>
> Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:
>
>> Ugh. OK, I have Googled into how certbot works, and it requires a few
>> things from the HTTP service itself... I will upload a new version of the
>> Dropwizard app that can do those things soon.
>>
>>
>> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>>
>>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>>
>>>> Hi Daniel,
>>>>
>>>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>>>
>>>> So I will use letsencrypt to create a certificate for the 2 domains
>>>> try.freemarker.org and try.freemarker.apache.org
>>>>
>>>> At
>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>
>>>> I read that the port 22 and 80 are accessible from Internet and that Java serves at port 8080.
>>>>
>>>> As I'm used to it, I want to use HTTPD + AJP with the port 443 and
>>>> to replace the iptables redirection by AJP
>>>
>>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>>> application (single runnable jar) with an embedded HTTP server, that
>>> serves everything directly. Well, except that we need the iptables
>>> port redirection as we have no right to bind to ports < 1024... but
>>> that's all.
>>>
>>>> but
>>>>
>>>>  1. Why do we need the port 22?
>>>
>>> For SSH.
>>>
>>>>  2. I think we don't need to serve the port 8443 from Java and can
>>>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a change
>>>>     in code is needed?
>>>
>>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>>> https on 8443 (I assume), which should correspond to 443 via
>>> iptables.
>>>
>>>>  3. I understand (did not check the whole code) that it does not
>>>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
>>>
>>> It uses embedded Jetty, but you configure Dropwizard itself:
>>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>>
>>>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>>>> does, same way as Tomcat, nothing to add?
>>>>
>>>> Because when I try to install a letsencrypt certificate with
>>>> certbot as root I can't. Using www-data user (HTTPD default user for User and Group on
>>>> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>>>>
>>>> certbot --apache
>>>>
>>>> [... all correct so far]
>>>>
>>>> Performing the following challenges:
>>>> http-01 challenge for try.freemarker.apache.org
>>>> http-01 challenge for try.freemarker.org
>>>> Waiting for verification...
>>>> Cleaning up challenges
>>>> Failed authorization procedure. try.freemarker.apache.org
>>>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
>>>> Invalid response from
>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404,
>>>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>>>> client lacks sufficient authorization :: Invalid response from
>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>>>
>>>> IMPORTANT NOTES:
>>>>   - The following errors were reported by the server:
>>>>
>>>>     Domain: try.freemarker.apache.org
>>>>     Type:   unauthorized
>>>>     Detail: Invalid response from
>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>>     [54.71.67.193]: 404
>>>>
>>>>     Domain: try.freemarker.org
>>>>     Type:   unauthorized
>>>>     Detail: Invalid response from
>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>>     [54.71.67.193]: 404
>>>>
>>>>     To fix these errors, please make sure that your domain name was
>>>>     entered correctly and the DNS A/AAAA record(s) for that domain
>>>>     contain(s) the right IP address.
>>>>
>>>> [domains are correct and 54.71.67.193 is currently the right IP]
>>>>
>>>>   - Your account credentials have been saved in your Certbot
>>>>     configuration directory at /etc/letsencrypt. You should make a
>>>>     secure backup of this folder now. This configuration directory will
>>>>     also contain certificates and private keys obtained by Certbot so
>>>>     making regular backups of this folder is ideal.
>>>>
>>>> [I have removed /etc/letsencrypt, it's of no use as long as
>>>> the challenges are not successful[2]]
>>>>
>>>> Obviously certbot is not able to put the challenge file where it needs.
>>>>
>>>> So it seems a change in code is needed? Else what would you suggest?
>>>
>>> I have no experience with certbot and all that. But I guess it just
>>> replaces a certificate file somewhere. That will have to be converted
>>> to JKS format ("Java Key Store", which is what Jetty or any other Java
>>> SSL stuff need). Hopefully there's a solution for that on the net...
>>> if not, we will figure out...
>>>
>>>> Jacques
>>>>
>>>> [1] https://javaee.github.io/grizzly/ajp.html
>>>>
>>>> [2]
>>>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>>>
>>>>
>>>> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>>>>> It's OK now with Chris Lambertus's help
>>>>>
>>>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>>>>> Thanks
>>>>>>
>>>>>> Just tried, did not work, not sure why
>>>>>>
>>>>>>
>>>>>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>>>
>>>>>>>
>>>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> Thanks Daniel,
>>>>>>>>
>>>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>>>
>>>>>>>> otp-md5 499 fr516
>>>>>>>> Password:
>>>>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>>>>> jleroux@freemarker-vm:~$
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>>>
>>>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>>>> Have you done the OTP stuff? See on:
>>>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>>>>> Hi Daniel,
>>>>>>>>>>>
>>>>>>>>>>> Yes completely forgot about that. I just checked and I have access to the VM.
>>>>>>>>>>>
>>>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>>>>>
>>>>>>>>>>> Cheers
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>>>
>>>>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>>>>> try.freemarker.org waiting for this to happen. Once LetsEncrypt setting is done a redirection
>>>>>>>>>>>>> should be enough
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>>>>>       try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>>>>>       Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>>>>>       certificates. [~pono] will get you set up with that.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The difference is that try.freemarker.org
>>>>>>>>>>>>>>>>>> <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the incubator, subversion.org comes to mind.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which is quite recent. Hence maybe some caution needed...
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/> is an Apache controlled
>>>>>>>>>>>>>>>>>>>> domain. You aren’t the only project that has a vanity domain. See www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org,
>>>>>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>>>>>> doesn't support them or something, please stop me! (Also, as this way
>>>>>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Thanks,
 Daniel Dekany
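The two post-renewal steps listed in the quoted message (convert the renewed certificate to p12, then POST to the reload-ssl admin task) written up as one certbot deploy hook; this is an added example, not the project's own script. The keystore path and the password file are assumptions, while RENEWED_LINEAGE is the variable certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook for the Dropwizard-based tester (added example, not the
# project's script). After a successful renewal it (1) packs the new PEM files
# into the PKCS#12 keystore Dropwizard reads and (2) POSTs to the reload-ssl
# admin task so the running app picks the certificate up without a restart.
# Assumed, not from the thread: P12_OUT and P12_PASS_FILE. RENEWED_LINEAGE is
# set by certbot for deploy hooks.

P12_OUT="${P12_OUT:-/opt/fmonlinetester/etc/try.p12}"               # assumed path
P12_PASS_FILE="${P12_PASS_FILE:-/opt/fmonlinetester/etc/p12.pass}"  # assumed; same as keyStorePassword
ADMIN_URL="${ADMIN_URL:-http://localhost:8081/tasks/reload-ssl}"    # from the thread

# Build a fresh PKCS#12 from certbot's lineage directory. Fails without
# touching the existing keystore if any input is missing, so a broken renewal
# cannot replace a working certificate with an empty or partial one.
convert_to_p12() {
    lineage="$1"; out="$2"; pass_file="$3"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    [ -r "$pass_file" ] || { echo "missing password file $pass_file" >&2; return 1; }
    tmp="$out.tmp.$$"
    # Leaf cert + private key with the chain attached; write to a temp file
    # and rename, so the app never reads a half-written keystore.
    openssl pkcs12 -export -in "$lineage/cert.pem" -inkey "$lineage/privkey.pem" \
        -certfile "$lineage/chain.pem" -name tls -passout "file:$pass_file" \
        -out "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$out"
}

# Ask the app to reload its SSL context; -f turns a non-2xx reply into a failure.
reload_ssl() {
    curl -sS -f -X POST "$1"
}

main() {
    convert_to_p12 "${RENEWED_LINEAGE:?set by certbot}" "$P12_OUT" "$P12_PASS_FILE" \
        && reload_ssl "$ADMIN_URL"
}

# Run only when invoked as the hook script, so the functions can also be sourced.
case "${0##*/}" in deploy-hook.sh) main ;; esac
```

Wire it in with certbot's --deploy-hook option on the certonly command quoted above, so it runs only after a successful renewal.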

