freemarker-dev mailing list archives

From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 12:26:14 GMT
Hi Daniel,

I have closed INFRA-16498, we can do it locally, Puppet is not used.

So I will use letsencrypt to create a certificate for the 2 domains try.freemarker.org and
try.freemarker.apache.org

At https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

I read that ports 22 and 80 are accessible from the Internet and that Java serves on port 8080.

As I'm used to it, I want to use HTTPD + AJP with port 443 and to replace the iptables
redirection by AJP

but

 1. Why do we need port 22?
 2. I think we don't need to serve port 8443 from Java and can redirect port 443 to port 8080, right? Not sure about that, maybe a change in code is needed?
 3. I understand (did not check the whole code) that it does not use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
 4. I read that Grizzly supports AJP[1] but I don't know yet how it does it, the same way as Tomcat, nothing to add?

Because when I try to install a letsencrypt certificate with certbot as root I can't. Using the
www-data user (HTTPD default user for User and Group on Debian in apache2.conf) I get: (I also tried the fmonlinetester user in case)

certbot --apache

[... all correct so far]

Performing the following challenges:
http-01 challenge for try.freemarker.apache.org
http-01 challenge for try.freemarker.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. try.freemarker.apache.org (http-01): urn:acme:error:unauthorized
:: The client lacks sufficient authorization :: 
Invalid response from http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
[54.71.67.193]: 404, 
try.freemarker.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
:: Invalid response from 
http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
[54.71.67.193]: 404

IMPORTANT NOTES:
  - The following errors were reported by the server:

    Domain: try.freemarker.apache.org
    Type:   unauthorized
    Detail: Invalid response from
http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
    [54.71.67.193]: 404

    Domain: try.freemarker.org
    Type:   unauthorized
    Detail: Invalid response from
http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
    [54.71.67.193]: 404

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

[domains are correct and 54.71.67.193 is currently the right IP]

  - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

[I have removed /etc/letsencrypt, it's of no use as long as the challenges are not
successful[2]]

Obviously certbot is not able to put the challenge file where it needs to.

So it seems a change in code is needed? Else what would you suggest?

Jacques

[1] https://javaee.github.io/grizzly/ajp.html

[2] https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key


On 08/05/2018 at 14:25, Jacques Le Roux wrote:
> It's OK now with Chris Lambertus's help
>
> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>
> Jacques
>
>
> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>> Thanks
>>
>> Just tried, did not work, not sure why
>>
>>
>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>> I'm a sudoer, so I can add you. Try now!
>>>
>>>
>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>
>>>> Thanks Daniel,
>>>>
>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>
>>>> otp-md5 499 fr516
>>>> Password:
>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>> jleroux@freemarker-vm:~$
>>>>
>>>> Jacques
>>>>
>>>>
>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>
>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>> Have you done the OTP stuff? See on:
>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>> Hi Daniel,
>>>>>>>
>>>>>>> Yes completely forgot about that. I just checked and I have access to the VM.
>>>>>>>
>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>
>>>>>>>>
>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>
>>>>>>>>> Thanks Daniel,
>>>>>>>>>
>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>> try.freemarker.org waiting for this to happen. Once LetsEncrypt setting is done a redirection
>>>>>>>>> should be enough
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>
>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>
>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>       try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>       Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>       certificates. [~pono] will get you set up with that.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>
>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>
>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> The difference is that try.freemarker.org <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the incubator, subversion.org
>>>>>>>>>>>>>>> comes to mind.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which is quite recent. Hence
>>>>>>>>>>>>>>> maybe some caution needed...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/> is an Apache controlled
>>>>>>>>>>>>>>>> domain. You aren’t the only project that has a vanity domain. See www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org,
>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>> doesn't support them or something, please stop me! (Also, as this way
>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>
>>
>>
>
>
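
Added example, not part of the original message and not certbot's own code: a small Python parser for the error notes certbot printed in the message at the top of this page, separating "the validation request was answered with a 404" from "the validation request got no answer". A 404 means some HTTP server answered on port 80 without having the token file, which is the case to check on a host where port 80 is redirected to another process; the sample text, hostnames, tokens, IP and the labels TOKEN_NOT_SERVED / UNREACHABLE are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of certbot's "IMPORTANT NOTES" block;
# hostnames, tokens and IP are placeholders, not values from the thread.
SAMPLE = """\
IMPORTANT NOTES:
  - The following errors were reported by the server:

    Domain: try.example.org
    Type:   unauthorized
    Detail: Invalid response from
http://try.example.org/.well-known/acme-challenge/TOKEN_PLACEHOLDER_1
    [192.0.2.10]: 404

    Domain: alt.example.org
    Type:   connection
    Detail: Fetching
http://alt.example.org/.well-known/acme-challenge/TOKEN_PLACEHOLDER_2:
    Timeout during connect (likely firewall problem)
"""

@dataclass
class ChallengeFailure:
    domain: str
    err_type: str
    url: Optional[str]      # challenge URL the CA tried to fetch
    status: Optional[int]   # HTTP status the CA received, if any

# One record runs from "Domain:" to the next blank line (or end of text).
_BLOCK = re.compile(
    r"Domain:\s*(\S+)\s+Type:\s*(\S+)\s+Detail:\s*(.*?)(?=\n\s*\n|\Z)", re.S)

def parse_failures(text: str) -> List[ChallengeFailure]:
    out = []
    for domain, err_type, detail in _BLOCK.findall(text):
        url = re.search(r"https?://\S+", detail)
        status = re.search(r"\]:\s*(\d{3})\b", detail)  # "[ip]: 404"
        out.append(ChallengeFailure(
            domain, err_type,
            url.group(0).rstrip(":") if url else None,
            int(status.group(1)) if status else None))
    return out

def diagnose(f: ChallengeFailure) -> str:
    # 404 on the challenge path: a server answered, but not one holding the token.
    if f.status == 404 and f.url and "/.well-known/acme-challenge/" in f.url:
        return "TOKEN_NOT_SERVED"
    # No HTTP status at all: the request never reached a listener on port 80.
    if f.status is None and f.err_type == "connection":
        return "UNREACHABLE"
    return "OTHER"
```

For TOKEN_NOT_SERVED, the next check is which process actually receives port 80 traffic and whether it maps `/.well-known/acme-challenge/` to the directory certbot writes to.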

