freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 14:14:55 GMT
Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:

> Hi Daniel,
>
> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>
> So I will use letsencrypt to create a certificate for the 2 domains
> try.freemarker.org and try.freemarker.apache.org
>
> At
> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>
> I read that ports 22 and 80 are accessible from the Internet and that
> Java serves on port 8080.
>
> As I'm used to it, I want to use HTTPD + AJP on port 443 and to
> replace the iptables redirection with AJP

There's no AJP or any such mess. It's just a Dropwizard (Java)
application (single runnable jar) with an embedded HTTP server, which
serves everything directly. Well, except that we need the iptables
port redirection as we have no right to bind to ports < 1024... but
that's all.

> but
>
>  1. Why do we need the port 22?

For SSH.

>  2. I think we don't need to serve port 8443 from Java and can
>     redirect port 443 to port 8080, right? Not sure about that; maybe a
>     change in code is needed?

No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
https on 8443 (I assume), which should correspond to 443 via
iptables.

>  3. I understand (did not check the whole code) that it does not
>     use a web server like Tomcat or Jetty (to handle AJP) but
>     Jersey+Grizzly, right?

It uses embedded Jetty, but you configure Dropwizard itself:
https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl

>  4. I read that Grizzly supports AJP [1] but I don't know yet how it
>     does; the same way as Tomcat, nothing to add?
>
> Because when I try to install a letsencrypt certificate with
> certbot as root I can't. Using the www-data user (HTTPD default user for
> User and Group on Debian in apache2.conf) I get: (I also tried the
> fmonlinetester user in case)
>
> certbot --apache
>
> [... all correct so far]
>
> Performing the following challenges:
> http-01 challenge for try.freemarker.apache.org
> http-01 challenge for try.freemarker.org
> Waiting for verification...
> Cleaning up challenges
> Failed authorization procedure. try.freemarker.apache.org (http-01):
> urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
> Invalid response from
> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
> [54.71.67.193]: 404,
> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The client
> lacks sufficient authorization :: Invalid response from
> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
> [54.71.67.193]: 404
>
> IMPORTANT NOTES:
>   - The following errors were reported by the server:
>
>     Domain: try.freemarker.apache.org
>     Type:   unauthorized
>     Detail: Invalid response from
> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>     [54.71.67.193]: 404
>
>     Domain: try.freemarker.org
>     Type:   unauthorized
>     Detail: Invalid response from
> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>     [54.71.67.193]: 404
>
>     To fix these errors, please make sure that your domain name was
>     entered correctly and the DNS A/AAAA record(s) for that domain
>     contain(s) the right IP address.
>
> [domains are correct and 54.71.67.193 is currently the right IP]
>
>   - Your account credentials have been saved in your Certbot
>     configuration directory at /etc/letsencrypt. You should make a
>     secure backup of this folder now. This configuration directory will
>     also contain certificates and private keys obtained by Certbot so
>     making regular backups of this folder is ideal.
>
> [I have removed /etc/letsencrypt; it's of no use as long as the
> challenges are not successful [2]]
>
> Obviously certbot is not able to put the challenge file where it needs.
>
> So it seems a change in code is needed? Else what would you suggest?

I have no experience with certbot and all that. But I guess it just
replaces a certificate file somewhere. That will have to be converted
to JKS format ("Java Key Store", which is what Jetty or any other Java
SSL stuff need). Hopefully there's a solution for that on the net...
if not, we will figure out...

> Jacques
>
> [1] https://javaee.github.io/grizzly/ajp.html
>
> [2]
> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>
>
> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>> It's OK now with Chris Lambertus's help
>>
>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>
>> Jacques
>>
>>
>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>> Thanks
>>>
>>> Just tried, did not work, not sure why
>>>
>>>
>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>> I'm a sudoer, so I can add you. Try now!
>>>>
>>>>
>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>
>>>>> Thanks Daniel,
>>>>>
>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>
>>>>> otp-md5 499 fr516
>>>>> Password:
>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>> jleroux@freemarker-vm:~$
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>
>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>> Have you done the OTP stuff? See on:
>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>> Hi Daniel,
>>>>>>>>
>>>>>>>> Yes, completely forgot about that. I just checked and I have
>>>>>>>> access to the VM.
>>>>>>>>
>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully
>>>>>>>> this week (very possible)
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>
>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>
>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>> try.freemarker.org waiting for this to happen. Once the
>>>>>>>>>> LetsEncrypt setting is done a redirection should be enough
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>
>>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>
>>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>>       try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>>       Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>>       certificates. [~pono] will get you set up with that.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to
>>>>>>>>>>>>>> try.freemarker.apache.org):
>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The difference is that try.freemarker.org
>>>>>>>>>>>>>>> <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will
>>>>>>>>>>>>>>> complain about a companion site.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> IIRC openoffice.org is an exception. There are others, when the
>>>>>>>>>>>>>>>> domain was well established before entering the incubator;
>>>>>>>>>>>>>>>> subversion.org comes to mind.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the
>>>>>>>>>>>>>>>> incubator but not try.freemarker.apache.org which is quite
>>>>>>>>>>>>>>>> recent. Hence maybe some caution needed...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as
>>>>>>>>>>>>>>>>> try.freemarker.org <http://try.freemarker.org/> is an Apache controlled
>>>>>>>>>>>>>>>>> domain. You aren’t the only project that has a vanity domain. See
>>>>>>>>>>>>>>>>> www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org
>>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> BTW, using a sub-sub-domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>>> not supporting them or something, please stop me! (Also, this way
>>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Any comments? And
do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>
>>>
>>>
>>
>>
>

-- 
Thanks,
 Daniel Dekany
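The 404s in Jacques's certbot log come from the ACME http-01 validator fetching http://<host>/.well-known/acme-challenge/<token> on port 80, which iptables hands to the Dropwizard application; nothing there knows that path. The block below is an added example (mine, not FreeMarker's, Dropwizard's or certbot's code) of what a responder for that path has to do, with the check a practitioner wants in front of it: the token is validated as base64url before it is ever used as a filename, so the only thing reachable through this route is a challenge file certbot wrote into the webroot. The temporary webroot, the 127.0.0.1:8080 binding and the thumbprint half of the key authorization are assumptions for the demo; the token is the one from the quoted log.

```python
"""
Minimal http-01 challenge responder for a host with no Apache HTTPD.

Constructed example. The ACME server fetches
http://<host>/.well-known/acme-challenge/<token> over plain HTTP on port 80
and expects the key authorization certbot wrote for that token. If port 80
is iptables-redirected to an application that does not serve that path, the
validator gets a 404, which is the failure shown in the thread.
"""
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"

# RFC 8555 section 8.3: the token is base64url text with at least 128 bits
# of entropy; certbot's tokens are 43 characters (32 random bytes). Rejecting
# anything else before touching the filesystem also rules out "../" traversal
# and requests for unrelated files under the webroot.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")


def lookup_challenge(webroot, request_path):
    """Answer a GET as (status, body). Only challenge files are ever served."""
    if not request_path.startswith(ACME_PREFIX):
        return 404, b"not found\n"
    token = request_path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return 404, b"not found\n"
    challenge_dir = os.path.realpath(
        os.path.join(webroot, ".well-known", "acme-challenge"))
    path = os.path.realpath(os.path.join(challenge_dir, token))
    # Defence in depth: the regex already excludes path separators, but a
    # symlink dropped into the directory could still point elsewhere.
    if os.path.dirname(path) != challenge_dir:
        return 404, b"not found\n"
    try:
        with open(path, "rb") as fh:
            return 200, fh.read()
    except OSError:
        return 404, b"not found\n"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves nothing but /.well-known/acme-challenge/<token>."""
    webroot = "."

    def do_GET(self):
        status, body = lookup_challenge(self.webroot, self.path.split("?", 1)[0])
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_demo_webroot():
    """Build a throwaway webroot holding one constructed challenge file.

    The token is the one from the certbot log in the thread; the thumbprint
    half of the key authorization is made up for this example.
    """
    token = "ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI"
    key_authz = token + ".EXAMPLE_ACCOUNT_KEY_THUMBPRINT"  # assumption
    root = tempfile.mkdtemp(prefix="acme-demo-")
    challenge_dir = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(key_authz)
    return root, token, key_authz


if __name__ == "__main__":
    # Stand-alone run: bind an unprivileged port (the VM cannot bind 80
    # directly) and let an iptables 80 -> 8080 rule deliver the validator's
    # request here while the certificate is being issued.
    root, token, _ = make_demo_webroot()
    ChallengeHandler.webroot = root
    print("serving %s at http://127.0.0.1:8080%s%s" % (root, ACME_PREFIX, token))
    HTTPServer(("127.0.0.1", 8080), ChallengeHandler).serve_forever()
```

With a directory like this served by the application itself (or by a sidecar such as the one above, reachable through the existing port-80 redirect), certbot can be run as `certbot certonly --webroot -w <webroot> -d try.freemarker.apache.org -d try.freemarker.org` instead of `--apache`; the PEM files it then writes under /etc/letsencrypt are readable only by root and still have to be converted into a keystore Jetty accepts, which is a separate step.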

