freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 17:49:44 GMT
Ugh. OK, I have Googled into how certbot works, and it requires a few
things from the HTTP service itself... I will upload a new version of the
Dropwizard app that can do those things soon.


Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:

> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>
>> Hi Daniel,
>>
>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>
>> So I will use letsencrypt to create a certificate for the 2 domains
>> try.freemarker.org and try.freemarker.apache.org
>>
>> At
>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>
>> I read that the port 22 and 80 are accessible from Internet and that Java serves at port 8080.
>>
>> As I'm used to it, I want to use HTTPD + AJP with the port 443 and
>> to replace the iptable redirection by AJP
>
> There's no AJP or any such mess. It's just a Dropwizard (Java)
> application (single runnable jar) with an embedded HTTP server, that
> serves everything directly. Well, except that we need the iptables
> port redirection as we have no right to bind to ports < 1024... but
> that's all.
>
>> but
>>
>>  1. Why do we need the port 22?
>
> For SSH.
>
>>  2. I think we don't need to serve the port 8443 from Java and can
>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a change
>>     in code is needed?
>
> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
> https on 8443 (I assume), which should correspond to 443 via
> iptables.
>
>>  3. I understand (did not check the whole code) that it does not
>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
>
> It uses embedded Jetty, but configure Dropwizard itself:
> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>
>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>> does, same way as Tomcat, nothing to add?
>>
>> Because when I try to install a letsencrypt certificate with
>> certbot as root I can't. Using www-data user (HTTPD default user for User and Group on
>> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>>
>> certbot --apache
>>
>> [... all correct so far]
>>
>> Performing the following challenges:
>> http-01 challenge for try.freemarker.apache.org
>> http-01 challenge for try.freemarker.org
>> Waiting for verification...
>> Cleaning up challenges
>> Failed authorization procedure. try.freemarker.apache.org
>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
>> Invalid response from
>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404,
>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>> client lacks sufficient authorization :: Invalid response from 
>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>
>> IMPORTANT NOTES:
>>   - The following errors were reported by the server:
>>
>>     Domain: try.freemarker.apache.org
>>     Type:   unauthorized
>>     Detail: Invalid response from
>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>     [54.71.67.193]: 404
>>
>>     Domain: try.freemarker.org
>>     Type:   unauthorized
>>     Detail: Invalid response from
>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>     [54.71.67.193]: 404
>>
>>     To fix these errors, please make sure that your domain name was
>>     entered correctly and the DNS A/AAAA record(s) for that domain
>>     contain(s) the right IP address.
>>
>> [domains are correct and 54.71.67.193 is currently the right IP]
>>
>>   - Your account credentials have been saved in your Certbot
>>     configuration directory at /etc/letsencrypt. You should make a
>>     secure backup of this folder now. This configuration directory will
>>     also contain certificates and private keys obtained by Certbot so
>>     making regular backups of this folder is ideal.
>>
>> [I have removed /etc/letsencrypt, it's of no use as long as
>> the challenges are not successful[2]]
>>
>> Obviously certbot is not able to put the challenge file where it needs.
>>
>> So it seems a change in code is needed? Else what would you suggest?
>
> I have no experience with certbot and all that. But I guess it just
> replaces a certificate file somewhere. That will have to be converted
> to JKS format ("Java Key Store", which is what Jetty or any other Java
> SSL stuff need). Hopefully there's a solution for that on the net...
> if not, we will figure out...
>
>> Jacques
>>
>> [1] https://javaee.github.io/grizzly/ajp.html
>>
>> [2]
>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>
>>
>> Le 08/05/2018 à 14:25, Jacques Le Roux a écrit :
>>> It's OK now with Chris Lambertus's help
>>>
>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>
>>> Jacques
>>>
>>>
>>> Le 06/05/2018 à 09:10, Jacques Le Roux a écrit :
>>>> Thanks
>>>>
>>>> Just tried, did not work, not sure why
>>>>
>>>>
>>>> Le 05/05/2018 à 19:05, Daniel Dekany a écrit :
>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>
>>>>>
>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>
>>>>>> Thanks Daniel,
>>>>>>
>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>
>>>>>> otp-md5 499 fr516
>>>>>> Password:
>>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>>> jleroux@freemarker-vm:~$
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> Le 05/05/2018 à 12:38, Daniel Dekany a écrit :
>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>> Have you done the OTP stuff? See on:
>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>> Le 01/05/2018 à 14:50, Jacques Le Roux a écrit :
>>>>>>>>> Hi Daniel,
>>>>>>>>>
>>>>>>>>> Yes completely forgot about that. I just checked and I have access to the VM.
>>>>>>>>>
>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Le 30/04/2018 à 16:51, Daniel Dekany a écrit :
>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>
>>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>>> try.freemarker.org waiting for this to happen. Once LetsEncrypt setting is done a redirection
>>>>>>>>>>> should be enough
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> Le 08/01/2018 à 09:47, Daniel Dekany a écrit :
>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>
>>>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>
>>>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>>>       try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>>>       Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>>>       certificates. [~pono] will get you set up with that.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> Le 03/01/2018 à 21:23, Daniel Dekany a écrit :
>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The difference is that try.freemarker.org
>>>>>>>>>>>>>>>> <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the incubator, subversion.org
>>>>>>>>>>>>>>>>> comes to mind.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which is quite recent. Hence
>>>>>>>>>>>>>>>>> maybe
>>>>>>>>>>>>>>>>> some caution needed...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Le 29/11/2017 à 14:55, Ralph Goers a écrit :
>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/> is an Apache controlled
>>>>>>>>>>>>>>>>>> domain. You aren’t the only project that has a vanity domain. See www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org,
>>>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>>>> doesn't support them or something, please stop me! (Also, as this way
>>>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>>
>>
>

-- 
Thanks,
 Daniel Dekany
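The 404s in the certbot output above come from the http-01 challenge: the ACME server fetches `http://<domain>/.well-known/acme-challenge/<token>` on port 80, and since the Dropwizard app answers port 80 (via the iptables redirect to 8080), it is the app, not an Apache HTTPD, that must serve the token file. The following is an added illustration of the kind of resource the top message talks about; it is not code from the FreeMarker online tester. It assumes Dropwizard 1.3 with Jersey (javax.ws.rs), a hypothetical class name `AcmeChallengeResource`, and a hypothetical webroot directory that certbot's `--webroot` plugin writes its challenge files into. The token check is the security-relevant part: without it, a path-serving endpoint becomes an arbitrary file read through `..` or absolute paths.

```java
// Added example, not part of the FreeMarker online tester's code base.
// Assumes Dropwizard 1.3 (Jersey 2, javax.ws.rs); class and directory names are hypothetical.
package org.example.acme; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

import javax.ws.rs.GET;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Serves the http-01 challenge files that certbot's webroot plugin writes to
 * <webroot>/.well-known/acme-challenge/<token>, so the Dropwizard app that
 * already answers port 80 (8080 behind iptables) can complete the challenge.
 */
@javax.ws.rs.Path("/.well-known/acme-challenge")
public class AcmeChallengeResource {

    // ACME tokens are unpadded base64url. Anything else (path separators,
    // "..", dot-files, over-long names) is rejected before touching the disk.
    private static final Pattern TOKEN = Pattern.compile("^[A-Za-z0-9_-]{1,128}$");

    private final Path challengeDir;

    public AcmeChallengeResource(Path webroot) {
        this.challengeDir = webroot.resolve(".well-known").resolve("acme-challenge")
                .toAbsolutePath().normalize();
    }

    @GET
    @javax.ws.rs.Path("{token}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response challenge(@PathParam("token") String token) throws IOException {
        if (!TOKEN.matcher(token).matches()) {
            // Same answer as for a missing token: reveal nothing about the file system.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        Path file = challengeDir.resolve(token).normalize();
        // Defence in depth: the regex already excludes separators, but verify
        // the resolved path is still inside the challenge directory and is a
        // regular file (not a symlink target outside it, not a directory).
        if (!file.startsWith(challengeDir) || !Files.isRegularFile(file)) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        String keyAuthorization = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII);
        return Response.ok(keyAuthorization).build();
    }

    // Registration in the Dropwizard Application subclass (hypothetical webroot path):
    //   environment.jersey().register(
    //       new AcmeChallengeResource(Paths.get("/var/lib/acme-webroot")));
    static AcmeChallengeResource forWebroot(String dir) {
        return new AcmeChallengeResource(Paths.get(dir));
    }
}
```

With the resource deployed, certbot would be run with its webroot plugin rather than `--apache`, pointing `-w` at the same directory the resource reads from (for example `certbot certonly --webroot -w /var/lib/acme-webroot -d try.freemarker.apache.org -d try.freemarker.org`; the directory name is an assumption). The PEM files certbot then leaves under /etc/letsencrypt still have to be packed into a keystore for the Dropwizard SSL connector described in the linked manual, which is the JKS conversion step the reply above anticipates.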

