freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Sat, 19 May 2018 10:02:51 GMT
Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:

> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:
>
> certbot renew
> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
> pass:"theKnownPassword" (not copied here)

Though you have posted that password to this mailing list anyway... ;)

> I think it should not change the rights to read in
> /etc/letsencrypt/live (now with fmonlinetester in group)

It would be surprising if it changes it.

> but we should try it manually once and check.
>
> If it does change then we will need to re-add fmonlinetester
> in the group at the end of cert-renew.sh. I crossed this read issue before as jleroux
> user, initially the dir was readable w/o sudo and then not. Not
> sure if it's certbot or openssl which did that in my case.
>
> Also I don't think we need to care about change in
> /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
> change, certificate.p12 will be the same, no worries.

Of course. It will need to issue that SSL cert reloading curl command
though.

> I think we should not show the "theKnownPassword" in the wiki page...

Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
or private key one has to pawn the server anyway... and then he finds
the password too.)

Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?

I think "Enter email address (used for urgent renewal and security
notices)" should be private@freemarker.apache.org.

> What do you think?
>
> Jacques
>
>
> On 19/05/2018 at 10:32, Daniel Dekany wrote:
>> Now https works, and only the cron job and documenting things on the
>> cwiki is missing (the copy-paste cron script mostly, I guess).
>>
>>
>> Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
>>
>>> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>>>
>>>> On 17/05/2018 at 09:04, Jacques Le Roux wrote:
>>>>> On 16/05/2018 at 22:26, Jacques Le Roux wrote:
>>>>>> When I read the content in my local Git repo it's commented out.
>>>>>> I guess I should manually change it on the VM and restart the app with Gradle?
>>>>>>
>>>>>> As it's a bit late already, I let you handle this last part ;)
>>>>> OK I remember now that you documented the app restart at
>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>> I'll do so now and will have a look at the code change for the renew
>>>>>
>>>>> Jacques
>>>>>
>>>> I have just changed the file according to my previous message, i.e. modified
>>>> to
>>>>           keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>           keyStorePassword: HTTPDisUnnecessary
>>>> and also while at it (not sure we want that)
>>>>           validateCerts: true
>>>>
>>>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>>>> change and restarting the app it did not work:
>>>>
>>>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>>>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>>>> May 17 11:52:10 freemarker-vm java[14009]:
>>>> MultiException[java.lang.IllegalStateException: no valid keystore,
>>>> java.lang.IllegalStateException: no
>>> That was because the service had no right to read the parent directory
>>> of the p12 file. (Yeah, that error message is not very helpful...) I
>>> have fixed that. So now the only problem we have is what I said in the
>>> other mail. And we will need the cron script... or maybe a systemd
>>> timer unit instead.
>>>
>>>> valid keystore, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.io.Manag
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> org.eclipse.jetty.server.Server.doStart(Server.java:382)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> io.dropwizard.cli.Cli.run(Cli.java:78)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> io.dropwizard.Application.run(Application.java:93)
>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>>>
>>>> So I commented out the HTTPS part
>>>>       #      # FOR PRODUCTION:
>>>>       #      - type: https
>>>>       #        port: 8443
>>>>       #        keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>       #        keyStoreType: PKCS12
>>>>       #        keyStorePassword: HTTPDisUnnecessary
>>>>       #        validateCerts: true
>>>> and restarted the app
>>>>
>>>> Now http://try.freemarker.org/ works again, but no longer
>>>> http://try.freemarker.apache.org/ which is redirected to
>>>> https://try.freemarker.apache.org/
>>>> I don't understand the redirect. Did this change before my change?
>>>> I don't know.
>>>> I have double-checked, though I have not reverted the config yet, HTTPD
>>>> is no longer working.
>>>> Maybe it's due to the certificate (created for a.o) but I can't see
>>>> how DropWizard would now relate to it, since
>>>>       keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>> and the whole HTTPS block, is commented out :/
>>>>
>>>> I'll get back to that later...
>>>>
>>>> Jacques
>>>>
>>>>
>
>

-- 
Thanks,
 Daniel Dekany
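A hardened variant of the cron script discussed in this thread, added here as an example and not code from the thread or from the FreeMarker project. The live directory, the certificate.p12 path and the fmonlinetester group are taken from the thread; the password-file path and the systemd unit name are assumptions.

```shell
#!/bin/sh
# Hypothetical cert-renew.sh for the setup in this thread (added example, not
# the script Jacques posted). Versus the quoted command: the PKCS#12 password
# is read from a root-only file instead of the command line (where ps, shell
# history and cron mail would expose it), and the service group's read right
# on the keystore directory is re-applied after each renewal, the missing
# right being what produced Jetty's "no valid keystore" error.
set -eu

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/try.freemarker.apache.org}
P12_OUT=${P12_OUT:-/etc/letsencrypt/live/certificate.p12}
PASS_FILE=${PASS_FILE:-/etc/letsencrypt/p12-password}   # assumed: root:root, mode 0600
SERVICE_GROUP=${SERVICE_GROUP:-fmonlinetester}
SERVICE_UNIT=${SERVICE_UNIT:-freemarker-online-tester.service}   # assumed unit name

# True only if nobody but the owner can read the file (rw------- or r--------).
# ls(1) is used because stat(1) flags differ between GNU and BSD userlands.
secret_file_is_private() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ] || [ "$mode" = "r--------" ]
}

# Build the .p12 Dropwizard's keystore expects; the password is read from a
# file by openssl itself, so it never appears in the process list.
export_p12() {   # export_p12 <live_dir> <out.p12> <password_file>
    secret_file_is_private "$3" || { echo "refusing: $3 is readable by others" >&2; return 1; }
    openssl pkcs12 -export -out "$2" \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
        -passout "file:$3"
}

# Give the service account read access to the keystore and its parent
# directory without making either of them world-readable.
grant_service_read() {   # grant_service_read <out.p12> <group>
    chgrp "$2" "$1" "$(dirname "$1")"
    chmod 0640 "$1"
    chmod 0750 "$(dirname "$1")"
}

case "${1:-}" in
    # Nightly cron entry: the deploy hook only fires when certbot actually
    # renewed something, so an unchanged certificate causes no restart.
    renew)  certbot renew --quiet --deploy-hook "$0 deploy" ;;
    deploy) export_p12 "$LIVE_DIR" "$P12_OUT" "$PASS_FILE"
            grant_service_read "$P12_OUT" "$SERVICE_GROUP"
            systemctl restart "$SERVICE_UNIT" ;;
    "")     ;;   # no action given: only define the functions above
    *)      echo "usage: $0 renew|deploy" >&2; exit 2 ;;
esac
```

Run as root from cron with `cert-renew.sh renew`; the `deploy` step runs only when a certificate was actually replaced.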

