freemarker-dev mailing list archives

From Daniel Dekany <ddek...@apache.org>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Sat, 19 May 2018 10:04:05 GMT
Saturday, May 19, 2018, 11:53:04 AM, Jacques Le Roux wrote:

> Ah, not a big deal, but should we not restrict read (640) on
> /opt/fmonlinetester/etc/freemarker-online.yml ?
>
> It contains the cert secret key...

Sure, go ahead.

> On 19/05/2018 at 11:08, Jacques Le Roux wrote:
>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:
>>
>> certbot renew
>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 \
>>   -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem \
>>   -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem \
>>   -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem \
>>   -pass pass:"theKnownPassword" (not copied here)
>>
>> I think it should not change the rights to read in /etc/letsencrypt/live (now with
>> fmonlinetester in group) but we should try it manually once and
>> check. If it does change then we will need to re-add fmonlinetester in the group
>> at the end of cert-renew.sh. I came across this read issue before as
>> jleroux user, initially the dir was readable w/o sudo and then not. Not sure if
>> it's certbot or openssl which did that in my case.
>>
>> Also I don't think we need to care about change in /etc/letsencrypt/live/try.freemarker.apache.org/
>> If there is no change certificate.p12 will be
>> the same, no worries.
>>
>> I think we should not show the "theKnownPassword" in the wiki page...
>>
>> What do you think?
>>
>> Jacques
>>
>>
>> On 19/05/2018 at 10:32, Daniel Dekany wrote:
>>> Now https works, and only the cron job and documenting things on the
>>> cwiki is missing (the copy-paste cron script mostly, I guess).
>>>
>>>
>>> Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
>>>
>>>> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>>>>
>>>>> On 17/05/2018 at 09:04, Jacques Le Roux wrote:
>>>>>> On 16/05/2018 at 22:26, Jacques Le Roux wrote:
>>>>>>> When I read the content in my local Git repo it's commented out.
>>>>>>> I guess I should manually change it on the VM and restart the app with Gradle?
>>>>>>>
>>>>>>> As it's a bit late already, I let you handle this last part ;)
>>>>>> OK I remember now that you documented the app restart at
>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>> I'll do so now and will have a look at the code change for the renew
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>> I have just changed the file according to my previous message, i.e. modified to
>>>>>           keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>>           keyStorePassword: HTTPDisUnnecessary
>>>>> and also while at it (not sure we want that)
>>>>>           validateCerts: true
>>>>>
>>>>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>>>>> change and restarting the app it did not work:
>>>>>
>>>>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>>>>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>>>>> May 17 11:52:10 freemarker-vm java[14009]:
>>>>> MultiException[java.lang.IllegalStateException: no valid keystore,
>>>>> java.lang.IllegalStateException: no
>>>> That was because the service had no right to read the parent directory
>>>> of the p12 file. (Yeah, that error message is not very helpful...) I
>>>> have fixed that. So now the only problem we have is what I said in the
>>>> other mail. And we will need the cron script... or maybe a systemd
>>>> timer unit instead.
>>>>
>>>>> valid keystore, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.io.Manag
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> org.eclipse.jetty.server.Server.doStart(Server.java:382)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> io.dropwizard.cli.Cli.run(Cli.java:78)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> io.dropwizard.Application.run(Application.java:93)
>>>>> May 17 11:52:10 freemarker-vm java[14009]:         at
>>>>> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>>>>
>>>>> So I commented out the HTTPS part
>>>>>       #      # FOR PRODUCTION:
>>>>>       #      - type: https
>>>>>       #        port: 8443
>>>>>       #        keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>>       #        keyStoreType: PKCS12
>>>>>       #        keyStorePassword: HTTPDisUnnecessary
>>>>>       #        validateCerts: true
>>>>> and restarted the app
>>>>>
>>>>> Now http://try.freemarker.org/ works again, but no longer
>>>>> http://try.freemarker.apache.org/ which is redirected to
>>>>> https://try.freemarker.apache.org/
>>>>> I don't understand the redirect. Did this change before my change? I don't know.
>>>>> I have double-checked, though I have not reverted the config yet, HTTPD
>>>>> is no longer working.
>>>>> Maybe it's due to the certificate (created for a.o) but I can't see
>>>>> how DropWizard would now relate to it, since
>>>>>       keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>> and the whole HTTPS block, is commented out :/
>>>>>
>>>>> I'll get back to that later...
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>
>>
>
>

-- 
Thanks,
 Daniel Dekany
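A fuller version of the nightly script, added here as an example and not the cert-renew.sh from the thread. It keeps the export password in a root-only file instead of on the command line (where `ps` and shell history can see it), sets the keystore's group and mode itself, and walks the parent directories to check the condition that produced the "no valid keystore" failure discussed above. The paths and the fmonlinetester group are the ones from the thread; the password file path and the systemd unit name are assumptions.

```shell
#!/bin/sh
# Added example (not the project's cert-renew.sh): renew the Let's Encrypt cert,
# export it as PKCS12 for Dropwizard/Jetty, and make sure the service user can
# actually read the result before restarting the service.
set -eu

# Paths and group name as given in the thread.
LIVE_DIR=/etc/letsencrypt/live/try.freemarker.apache.org
P12_OUT=/etc/letsencrypt/live/certificate.p12
SERVICE_GROUP=fmonlinetester
# Assumptions: a root-only (0600) file holding the export password, and the unit name.
PASS_FILE=/etc/letsencrypt/certificate.p12.pass
SERVICE_UNIT=freemarker-online-tester.service

# Return 0 if every directory above $1 grants search (x) permission to group or
# other, so a non-root service user can traverse down to the file; otherwise print
# the first blocking directory and return 1. A missing x bit on a parent directory
# is what Jetty reports as the unhelpful "no valid keystore". (Approximation: it
# does not check which group owns each directory.)
path_is_traversable() {
  dir=$(dirname "$1")
  while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
    mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-x---
    gx=$(printf '%s' "$mode" | cut -c7)     # group execute bit (s = setgid + x)
    ox=$(printf '%s' "$mode" | cut -c10)    # other execute bit (t = sticky + x)
    case "$gx$ox" in
      *x*|*s*|*t*) ;;
      *) printf 'blocked at %s (%s)\n' "$dir" "$mode"; return 1 ;;
    esac
    dir=$(dirname "$dir")
  done
  return 0
}

# Keystore readable by root and the service group only: $1 = file, $2 = group.
install_keystore_perms() {
  chgrp "$2" "$1"
  chmod 640 "$1"
}

renew_and_export() {
  certbot renew --quiet
  umask 077   # the new .p12 is never world-readable, not even briefly
  openssl pkcs12 -export \
    -out "$P12_OUT" \
    -inkey "$LIVE_DIR/privkey.pem" \
    -in "$LIVE_DIR/cert.pem" \
    -certfile "$LIVE_DIR/chain.pem" \
    -passout "file:$PASS_FILE"
  install_keystore_perms "$P12_OUT" "$SERVICE_GROUP"
  path_is_traversable "$P12_OUT"   # fail loudly instead of letting Jetty fail at startup
  systemctl restart "$SERVICE_UNIT"
}

# Only run the renewal when invoked as "cert-renew.sh renew" (e.g. from root's crontab).
if [ "${1:-}" = "renew" ]; then
  renew_and_export
fi
```

Running `path_is_traversable` after the export also answers Jacques's question about whether certbot or openssl resets the directory permissions: if a later run prints `blocked at /etc/letsencrypt/live (...)`, the group membership or mode was indeed changed. An alternative to the nightly cron job is `certbot renew --deploy-hook`, which runs the export only when a certificate was actually renewed.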

