freemarker-dev mailing list archives

From Daniel Dekany <ddek...@freemail.hu>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 18:43:06 GMT
OK, so now hopefully it's ready for Let's Encrypt.

In /opt/fmonlinetester/etc/freemarker-online.yml you can see:

- That now it also serves with HTTPS, in addition to HTTP.
  For now it uses /etc/letsencrypt/live/example.p12; it's just an example
  (I'm not even sure if the directory will be that.)

- Dropwizard will need a standard p12 file. (No need for JKS, though that works
  as well.)

- /opt/fmonlinetester/var/letsencrypt-verify is served as static
  content. Try this: http://try.freemarker.org/letsencrypt-verify
  So that's what certbot will have to overwrite for the verification.

- http://try.apache.freemarker.org/ redirects to https://try.apache.freemarker.org/
  Now that I think about it, I'm not sure if Let's Encrypt will like
  that during the verification... with our example cert... well,
  let's hope it does.

When certbot is run by cron (I guess it does), then two extra steps
will be needed:

1. Converting to p12 format.
2. Trigger SSL certificate reloading with curl (POST to localhost:8081/tasks/reload-ssl)

Examples:
https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html

(Again, we don't need to convert the p12 further to jks... the p12 is
already good.)


Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:

> Ugh. OK, I have Googled into how certbot works, and it requires a few
> things from HTTP service itself... I will upload a new version of the
> Dropwizard app that can do those things soon.
>
>
> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>
>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>
>>> Hi Daniel,
>>>
>>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>>
>>> So I will use letsencrypt to create a certificate for the 2 domains
>>> try.freemarker.org and try.freemarker.apache.org
>>>
>>> At
>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>
>>> I read that ports 22 and 80 are accessible from the Internet and that Java serves at port 8080.
>>>
>>> As I'm used to it, I want to use HTTPD + AJP with the port 443 and
>>> to replace the iptable redirection by AJP
>>
>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>> application (single runnable jar) with an embedded HTTP server, that
>> serves everything directly. Well, except that we need the iptables
>> port redirection as we have no right to bind to ports < 1024... but
>> that's all.
>>
>>> but
>>>
>>>  1. Why do we need the port 22?
>>
>> For SSH.
>>
>>>  2. I think we don't need to serve the port 8443 from Java and can
>>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a change
>>>     in code is needed?
>>
>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>> https on 8443 (I assume), which should correspond to 443 via
>> iptables.
>>
>>>  3. I understand (did not check the whole code) that it does not
>>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
>>
>> It uses embedded Jetty, but you configure Dropwizard itself:
>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>
>>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>>> does, same way as Tomcat, nothing to add?
>>>
>>> Because when I try to install a letsencrypt certificate with
>>> certbot as root I can't. Using www-data user (HTTPD default user for User and Group on
>>> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>>>
>>> certbot --apache
>>>
>>> [... all correct so far]
>>>
>>> Performing the following challenges:
>>> http-01 challenge for try.freemarker.apache.org
>>> http-01 challenge for try.freemarker.org
>>> Waiting for verification...
>>> Cleaning up challenges
>>> Failed authorization procedure. try.freemarker.apache.org
>>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
>>> Invalid response from
>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404,
>>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>>> client lacks sufficient authorization :: Invalid response from
>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>>
>>> IMPORTANT NOTES:
>>>   - The following errors were reported by the server:
>>>
>>>     Domain: try.freemarker.apache.org
>>>     Type:   unauthorized
>>>     Detail: Invalid response from
>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>     [54.71.67.193]: 404
>>>
>>>     Domain: try.freemarker.org
>>>     Type:   unauthorized
>>>     Detail: Invalid response from
>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>     [54.71.67.193]: 404
>>>
>>>     To fix these errors, please make sure that your domain name was
>>>     entered correctly and the DNS A/AAAA record(s) for that domain
>>>     contain(s) the right IP address.
>>>
>>> [domains are correct and 54.71.67.193 is currently the right IP]
>>>
>>>   - Your account credentials have been saved in your Certbot
>>>     configuration directory at /etc/letsencrypt. You should make a
>>>     secure backup of this folder now. This configuration directory will
>>>     also contain certificates and private keys obtained by Certbot so
>>>     making regular backups of this folder is ideal.
>>>
>>> [I have removed /etc/letsencrypt, it's of no use as long as
>>> the challenges are not successful[2]]
>>>
>>> Obviously certbot is not able to put the challenge file where it needs.
>>>
>>> So it seems a change in code is needed? Else what would you suggest?
>>
>> I have no experience with certbot and all that. But I guess it just
>> replaces a certificate file somewhere. That will have to be converted
>> to JKS format ("Java Key Store", which is what Jetty or any other Java
>> SSL stuff need). Hopefully there's a solution for that on the net...
>> if not, we will figure out...
>>
>>> Jacques
>>>
>>> [1] https://javaee.github.io/grizzly/ajp.html
>>>
>>> [2]
>>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>>
>>>
>>> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>>>> It's OK now with Chris Lambertus's help
>>>>
>>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>>
>>>> Jacques
>>>>
>>>>
>>>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>>>> Thanks
>>>>>
>>>>> Just tried, did not work, not sure why
>>>>>
>>>>>
>>>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>>
>>>>>>
>>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>>
>>>>>>> Thanks Daniel,
>>>>>>>
>>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>>
>>>>>>> otp-md5 499 fr516
>>>>>>> Password:
>>>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>>>> jleroux@freemarker-vm:~$
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>>
>>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>>> Have you done the OTP stuff? See on:
>>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>>>> Hi Daniel,
>>>>>>>>>>
>>>>>>>>>> Yes completely forgot about that. I just checked and I have access to the VM.
>>>>>>>>>>
>>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>>>>
>>>>>>>>>> Cheers
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>>
>>>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>>>> try.freemarker.org waiting for this to happen. Once LetsEncrypt setting is done a redirection
>>>>>>>>>>>> should be enough
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>>
>>>>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>>
>>>>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>>>>       try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>>>>       Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>>>>       certificates. [~pono] will get you set up with that.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The difference is that try.freemarker.org
>>>>>>>>>>>>>>>>> <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the
>>>>>>>>>>>>>>>>>> incubator, subversion.org comes to mind.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which
>>>>>>>>>>>>>>>>>> is quite recent. Hence maybe some caution needed...
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/>
>>>>>>>>>>>>>>>>>>> is an Apache controlled domain. You aren’t the only project that has a vanity domain. See www.openoffice.org <http://www.openoffice.org/>
>>>>>>>>>>>>>>>>>>> as an example.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org,
>>>>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>>>>> doesn't support them or something, please stop me! (Also, as this way
>>>>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>

-- 
Thanks,
 Daniel Dekany

