freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Sat, 19 May 2018 12:16:56 GMT
Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

> Inline...
>
> Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>
>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:
>>>
>>> certbot renew
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>> pass:"theKnownPassword" (not copied here)
>> Though you have posted that password to this mailing list anyway... ;)
> Yes indeed, just once, but you're right I should have used private :/
> Anyway we should change it and keep the new one in a specific file
> at https://svn.apache.org/repos/private/pmc/freemarker
>
>>> I think it should not change the rights to read in
>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>> It would be surprising if it changes it.
> Yep, just got surprisingly bitten once, so...
>
>>
>>> but we should try it manually once and check.
>>>
>>> If it does change then we will need to re-add fmonlinetester
>>> in the group at end of cert-renew.sh. I crossed this read issue before as jleroux
>>> user, initially the dir was readable w/o sudo and then not. Not
>>> sure if it's certbot or openssl which did that in my case.
>>>
>>> Also I don't think we need to care about change in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
>>> change, certificate.p12 will be the
>>> same, no worries.
>> Of course. It will need to issue that SSL cert reloading curl command
>> though.
> Ah indeed
>
> localhost:8081/tasks/reload-ssl
>
>
>>> I think we should not show the "theKnownPassword" in the wiki page...
>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>> or private key one has to pwn the server anyway... and then he finds
>> the password too.)
> I think https://svn.apache.org/repos/private/pmc/freemarker better fits for all private
> things
> For instance the cron job copy and all the rest. And simply refer to private things from
> the wiki

For try.freemarker these security things don't matter much, but in
general, such a repo is not a good place to store security related
sensitive files. People just check it out, and it will be on the
HDD/SSD unencrypted forever... then the notebook gets stolen or such.

>> Are there any Let's Encrypt related credentials we should be aware of
>> (in case you become unavailable)?
> Nope, I used only the temporary secret password everywhere and IIRW
> it was only when creating the cert from .pem files.
>
>> I think "Enter email address (used for urgent renewal and security
>> notices)" should be private@freemarker.apache.org.
> I agree! I used mine so far. To be changed like the cert password
> Will you handle the job creation and the doc?

OK, I will then.

> Have a good weekend
>
> Jacques
>

-- 
Thanks,
 Daniel Dekany
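The nightly job discussed in this thread, written out as an added example; it is not the project's cert-renew.sh (the one quoted above is), and it is not code from either poster. It keeps the three points raised above in one place: the p12 password is read from a root-only file rather than passed on the command line (so it is not in the crontab, in `ps` output, or in a repository checkout), the group access on the bundle is re-applied on every run instead of being trusted to survive a renewal, and the reload task is only called when the leaf certificate actually changed. The password file path, the state file path and the assumption that the reload task is invoked with a POST are all assumptions of this example.

```shell
#!/bin/sh
# cert-renew.sh (added example, not the project's script). Assumes certbot, openssl,
# curl and sha256sum are installed and that root's crontab runs this nightly.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/try.freemarker.apache.org}"
P12_OUT="${P12_OUT:-/etc/letsencrypt/live/certificate.p12}"
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/certificate.p12.pass}"  # assumed path, mode 0600, root-owned
STATE_FILE="${STATE_FILE:-/var/lib/cert-renew/last-cert.sha256}" # assumed path
SERVICE_GROUP="${SERVICE_GROUP:-fmonlinetester}"
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# Return 0 only if FILE is a regular file readable by its owner alone (-rw-------).
# The password file must pass this before it is used, so a loosened mode fails loudly.
check_secret_file_mode() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)   # cut drops a trailing '+' or '.' (ACL/SELinux)
    [ "$mode" = "-rw-------" ]
}

# Print the SHA-256 of the current leaf certificate in LIVE_DIR.
cert_hash() {
    sha256sum "$1/cert.pem" | cut -d' ' -f1
}

# Return 0 if the cert in LIVE_DIR differs from the hash recorded in STATE_FILE
# (or nothing was recorded yet); return 1 if it is unchanged since the last export.
cert_changed() {
    live="$1"; state="$2"
    [ -f "$state" ] || return 0
    [ "$(cert_hash "$live")" != "$(cat "$state")" ]
}

# Remember the hash of the cert that was just exported so the next run can skip work.
record_cert_hash() {
    live="$1"; state="$2"
    mkdir -p "$(dirname "$state")"
    cert_hash "$live" > "$state"
}

# Export the PKCS#12 bundle for the Java side. The password is supplied with
# -passout file:, so it never appears on the command line or in cron mail.
export_p12() {
    openssl pkcs12 -export \
        -out "$P12_OUT" \
        -inkey "$LIVE_DIR/privkey.pem" \
        -in "$LIVE_DIR/cert.pem" \
        -certfile "$LIVE_DIR/chain.pem" \
        -passout "file:$PASS_FILE"
    # Only root and the service group may read the bundle; re-applied every run so a
    # renewal cannot silently drop (or widen) the access the service needs.
    chgrp "$SERVICE_GROUP" "$P12_OUT"
    chmod 0640 "$P12_OUT"
}

# Ask the running application to pick up the new bundle (POST is an assumption here).
reload_ssl() {
    curl -fsS -X POST "$RELOAD_URL" >/dev/null
}

main() {
    check_secret_file_mode "$PASS_FILE" || {
        echo "refusing to run: $PASS_FILE must be a regular file with mode 0600" >&2
        exit 1
    }
    certbot renew --quiet
    if cert_changed "$LIVE_DIR" "$STATE_FILE"; then
        export_p12
        reload_ssl
        record_cert_hash "$LIVE_DIR" "$STATE_FILE"
    fi
}

# Run the job only when invoked as the cron script; sourcing the file just defines
# the functions, which is what the checks below rely on.
case "$0" in
    */cert-renew.sh|cert-renew.sh) main "$@" ;;
esac
```

With this layout the only secret on the box is the 0600 password file, so the wiki page and the cron job copy can both be published without the password, and a change of password means rewriting one file rather than editing the script.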

