freemarker-dev mailing list archives

From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Sat, 19 May 2018 11:42:57 GMT
Inline...

On 19/05/2018 at 12:02, Daniel Dekany wrote:
> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>
>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:
>>
>> certbot renew
>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>> pass:"theKnownPassword" (not copied here)
> Though you have posted that password to this mailing list anyway... ;)
Yes indeed, just once, but you're right I should have used private :/
Anyway we should change it and keep the new one in a specific file at https://svn.apache.org/repos/private/pmc/freemarker

>> I think it should not change the rights to read in
>> /etc/letsencrypt/live (now with fmonlinetester in group)
> It would be surprising if it changes it.
Yep, just got surprisingly bitten once, so...

>
>> but we should try it manually once and check.
>>
>> If it does change then we will need to re-add fmonlinetester
>> in the group at end of cert-renew.sh. I crossed this read issue before as jleroux
>> user, initially the dir was readable w/o sudo and then not. Not
>> sure if it's certbot or openssl which did that in my case.
>>
>> Also I don't think we need to care about change in
>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
>> change certificate.p12 will be the
>> same, no worries.
> Of course. It will need to issue that SSL cert reloading curl command
> though.
Ah indeed

localhost:8081/tasks/reload-ssl


>> I think we should not show the "theKnownPassword" in the wiki page...
> Yeah, I guess it's better star it out on cwiki. (Though to get the p12
> or private key one has to pawn the server anyway... and then he finds
> the password too.)
I think https://svn.apache.org/repos/private/pmc/freemarker better fits for all private things
For instance the cron job copy and all the rest. And simply refer to private things from the
wiki

> Are there any Let's Encrypt related credentials we should be aware of
> (in case you become unavailable)?
Nope, I used only the temporary secret password everywhere and IIRW it was only when creating
the cert from .pem files.

> I think "Enter email address (used for urgent renewal and security
> notices)" should be private@freemarker.apache.org.
I agree! I used mine so far. To be changed like the cert password
Will you handle the job creation and the doc?

Have a good weekend

Jacques
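
A sketch of the cert-renew.sh job discussed in this thread, added here as an example and not part of the original message or the project's own script: it reads the PKCS#12 password from a root-only file (`-passout file:`) so the password never appears on the command line, in cron mail or in a mailing list post. The password file path, the `sudo` read check and the use of POST for the reload task are assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. Values marked ASSUMED are not from the thread.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DOMAIN="${DOMAIN:-try.freemarker.apache.org}"
SVC_USER="${SVC_USER:-fmonlinetester}"
PASS_FILE="${PASS_FILE:-/root/.p12-pass}"   # ASSUMED location of the password file
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# Accept the password file only if it is a non-empty regular file with no
# group/other permission bits (characters 5-10 of the ls mode string).
pass_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build the PKCS#12 bundle. The password comes from a file, so it never shows
# up in argv (ps output, shell history, cron mail).
# $1 = directory with the .pem files, $2 = output .p12, $3 = password file
export_p12() {
    tmp="$2.tmp.$$"
    ( umask 077
      openssl pkcs12 -export -out "$tmp" \
          -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
          -passout "file:$3" ) || { rm -f "$tmp"; return 1; }
    # Overwrite in place so an existing bundle keeps its owner, group and mode.
    cat "$tmp" > "$2"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

main() {
    pass_file_ok "$PASS_FILE" || { echo "unsafe or missing $PASS_FILE" >&2; return 1; }
    certbot renew || return 1
    export_p12 "$LIVE_DIR/$DOMAIN" "$LIVE_DIR/certificate.p12" "$PASS_FILE" || return 1
    # The thread worries that renewal may reset read rights; check rather than assume.
    # ASSUMED: sudo is available in root's cron environment.
    sudo -u "$SVC_USER" test -r "$LIVE_DIR/certificate.p12" ||
        echo "WARNING: $SVC_USER cannot read certificate.p12" >&2
    # ASSUMED: the reload task is triggered with POST.
    curl -fsS -X POST "$RELOAD_URL"
}

# Run only when installed under its real name, so the functions can be sourced and tested.
case "${0##*/}" in cert-renew.sh) main ;; esac
```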
