freemarker-dev mailing list archives

From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Re: try.freemarker.apache.org instead of try.freemarker.org?
Date Tue, 15 May 2018 21:22:03 GMT
Thanks Daniel,

I'll have another look...

Cheers

Jacques


On 15/05/2018 at 21:58, Daniel Dekany wrote:
> Actually, I have just seen that the challenge directory must be
> /.well-known/acme-challenge/, so now it's that:
> http://try.freemarker.org/.well-known/acme-challenge/test.txt
> http://try.freemarker.apache.org/.well-known/acme-challenge/test.txt
> Also, now it doesn't redirect to HTTPS.
>
> And, don't install httpd now suddenly... that part of the problem is
> solved, we don't need it. It's going to be something like
>
>    certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge
>
>
> Tuesday, May 15, 2018, 8:43:06 PM, Daniel Dekany wrote:
>
>> OK, so now hopefully it's ready for Let's Encrypt.
>>
>> In /opt/fmonlinetester/etc/freemarker-online.yml you can see:
>>
>> - That now it also serves with HTTPS, in addition to HTTP.
>>    For now it uses /etc/letsencrypt/live/example.p12; it's just an example
>>    (I'm not even sure if the directory will be that.)
>>
>> - Dropwizard will need a standard p12 file. (No need for JKS, though that works
>>    as well.)
>>
>> - /opt/fmonlinetester/var/letsencrypt-verify is served as static
>>    content. Try this: http://try.freemarker.org/letsencrypt-verify
>>    So that's what certbot will have to overwrite for the verification.
>>
>> - http://try.apache.freemarker.org/ redirects to
>>    https://try.apache.freemarker.org/
>>    Now that I think about it, I'm not sure if Let's Encrypt will like
>>    that during the verification... with our example cert... well,
>>    let's hope it does.
>>
>> When certbot is run by cron (I guess it does), then two extra steps
>> will be needed:
>>
>> 1. Converting to p12 format.
>> 2. Trigger SSL certificate reloading with curl (POST to localhost:8081/tasks/reload-ssl)
>>
>> Examples:
>> https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
>> https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html
>>
>> (Again, we don't need to convert the p12 further to jks... the p12 is
>> already good.)
>>
>>
>> Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:
>>
>>> Ugh. OK, I have Googled into how certbot works, and it requires a few
>>> things from the HTTP service itself... I will upload a new version of the
>>> Dropwizard app that can do those things soon.
>>>
>>>
>>> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>>>
>>>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>>>
>>>>> Hi Daniel,
>>>>>
>>>>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>>>>
>>>>> So I will use letsencrypt to create a certificate for the 2 domains
>>>>> try.freemarker.org and try.freemarker.apache.org
>>>>>
>>>>> At
>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>
>>>>> I read that ports 22 and 80 are accessible from the Internet and that
>>>>> Java serves at port 8080.
>>>>>
>>>>> As I'm used to it, I want to use HTTPD + AJP with the port 443 and
>>>>> to replace the iptables redirection by AJP
>>>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>>>> application (single runnable jar) with an embedded HTTP server, that
>>>> serves everything directly. Well, except that we need the iptables
>>>> port redirection as we have no right to bind to ports < 1024... but
>>>> that's all.
>>>>
>>>>> but
>>>>>
>>>>>   1. Why do we need the port 22?
>>>> For SSH.
>>>>
>>>>>   2. I think we don't need to serve the port 8443 from Java and can
>>>>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a change
>>>>>      in code is needed?
>>>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>>>> https on 8443 (I assume), which should correspond to 443 via
>>>> iptables.
>>>>
>>>>>   3. I understand (did not check the whole code) that it does not
>>>>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
>>>> It uses embedded Jetty, but configured via Dropwizard itself:
>>>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>>>
>>>>>   4. I read that Grizzly supports AJP[1] but I don't know yet how it
>>>>> does, same way as Tomcat, nothing to add?
>>>>>
>>>>> Because when I try to install a letsencrypt certificate with
>>>>> certbot as root I can't. Using the www-data user (HTTPD default user for User and Group on
>>>>> Debian in apache2.conf) I get: (I also tried the fmonlinetester user in case)
>>>>>
>>>>> certbot --apache
>>>>>
>>>>> [... all correct so far]
>>>>>
>>>>> Performing the following challenges:
>>>>> http-01 challenge for try.freemarker.apache.org
>>>>> http-01 challenge for try.freemarker.org
>>>>> Waiting for verification...
>>>>> Cleaning up challenges
>>>>> Failed authorization procedure. try.freemarker.apache.org
>>>>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
>>>>> Invalid response from
>>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404,
>>>>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>>>>> client lacks sufficient authorization :: Invalid response from
>>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>>>>
>>>>> IMPORTANT NOTES:
>>>>>    - The following errors were reported by the server:
>>>>>
>>>>>      Domain: try.freemarker.apache.org
>>>>>      Type:   unauthorized
>>>>>      Detail: Invalid response from
>>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>>>      [54.71.67.193]: 404
>>>>>
>>>>>      Domain: try.freemarker.org
>>>>>      Type:   unauthorized
>>>>>      Detail: Invalid response from
>>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>>>      [54.71.67.193]: 404
>>>>>
>>>>>      To fix these errors, please make sure that your domain name was
>>>>>      entered correctly and the DNS A/AAAA record(s) for that domain
>>>>>      contain(s) the right IP address.
>>>>>
>>>>> [domains are correct and 54.71.67.193 is currently the right IP]
>>>>>
>>>>>    - Your account credentials have been saved in your Certbot
>>>>>      configuration directory at /etc/letsencrypt. You should make a
>>>>>      secure backup of this folder now. This configuration directory will
>>>>>      also contain certificates and private keys obtained by Certbot so
>>>>>      making regular backups of this folder is ideal.
>>>>>
>>>>> [I have removed /etc/letsencrypt, it's of no use as long as
>>>>> the challenges are not successful[2]]
>>>>>
>>>>> Obviously certbot is not able to put the challenge file where it needs.
>>>>>
>>>>> So it seems a change in code is needed? Else what would you suggest?
>>>> I have no experience with certbot and all that. But I guess it just
>>>> replaces a certificate file somewhere. That will have to be converted
>>>> to JKS format ("Java Key Store", which is what Jetty or any other Java
>>>> SSL stuff need). Hopefully there's a solution for that on the net...
>>>> if not, we will figure out...
>>>>
>>>>> Jacques
>>>>>
>>>>> [1] https://javaee.github.io/grizzly/ajp.html
>>>>>
>>>>> [2]
>>>>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>>>>
>>>>>
>>>>> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>>>>>> It's OK now with Chris Lambertus's help
>>>>>>
>>>>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>>>>>> Thanks
>>>>>>>
>>>>>>> Just tried, did not work, not sure why
>>>>>>>
>>>>>>>
>>>>>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>>>>
>>>>>>>>
>>>>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>>>>
>>>>>>>>> Thanks Daniel,
>>>>>>>>>
>>>>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>>>>
>>>>>>>>> otp-md5 499 fr516
>>>>>>>>> Password:
>>>>>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>>>>>> jleroux@freemarker-vm:~$
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>>>>
>>>>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>>>>> Have you done the OTP stuff? See on:
>>>>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>>>>>> Hi Daniel,
>>>>>>>>>>>>
>>>>>>>>>>>> Yes, I completely forgot about that. I just checked and I have access to the VM.
>>>>>>>>>>>>
>>>>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>>>>>> try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done a redirection
>>>>>>>>>>>>>> should be enough
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>        try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>        Since that hostname maps to your VM, the certificate to be used for
>>>>>>>>>>>>>>>        try.freemarker.apache.org will need to be hosted/operated by your VM.
>>>>>>>>>>>>>>>        Infra's current policy for project VMs is to use LetsEncrypt for
>>>>>>>>>>>>>>>        certificates. [~pono] will get you set up with that.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the
>>>>>>>>>>>>>>>>>> coming days... just to be on the safe side.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The difference is that try.freemarker.org <http://try.freemarker.org/> is a companion site. So long as the
>>>>>>>>>>>>>>>>>>> main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the
>>>>>>>>>>>>>>>>>>>> incubator, subversion.org comes to mind.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which
>>>>>>>>>>>>>>>>>>>> is quite recent. Hence maybe some caution needed...
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/>
>>>>>>>>>>>>>>>>>>>>> is an Apache controlled domain. You aren’t the only project that has a vanity domain.
>>>>>>>>>>>>>>>>>>>>> See www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddekany@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org,
>>>>>>>>>>>>>>>>>>>>>> from Infra and then redirect try.freemarker.org to it, because I'm
>>>>>>>>>>>>>>>>>>>>>> worried that the IPMC will dislike that we use try.freemarker.org as
>>>>>>>>>>>>>>>>>>>>>> the canonical address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the *.apache.org
>>>>>>>>>>>>>>>>>>>>>> cert on a VM).
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
>>>>>>>>>>>>>>>>>>>>>> gotchas in our case, but if anyone is aware of some, like LetsEncrypt
>>>>>>>>>>>>>>>>>>>>>> doesn't support them or something, please stop me! (Also, as this way
>>>>>>>>>>>>>>>>>>>>>> we will receive the cookies of freemarker.apache.org, but certainly we
>>>>>>>>>>>>>>>>>>>>>> will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>
>>>>>>
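The two post-renewal steps Daniel lists in his 20:43 message (convert the Let's Encrypt PEM files to a p12 keystore, then POST to localhost:8081/tasks/reload-ssl) written out as one certbot deploy hook. This is an added example, not code from the project or from anyone in the thread. The task name reload-ssl, the admin port 8081 and the /etc/letsencrypt/live/example.p12 placeholder path come from the message; the keystore alias, the KEYSTORE_PASSWORD variable, the file mode, the one-private-key check and the use of certbot's RENEWED_LINEAGE variable are assumptions about how it would be wired up.

```shell
#!/bin/sh
# Added example (not the project's code): certbot deploy hook for a Dropwizard
# app that reads a PKCS12 keystore and exposes an admin task that reloads it.
# Assumed wiring: certbot renew --deploy-hook /path/to/this-script
# certbot then exports RENEWED_LINEAGE=/etc/letsencrypt/live/<lineage>.
set -eu

# Convert a PEM private key plus full chain (leaf + intermediates) into one
# PKCS12 keystore. openssl pairs the key with the matching cert and stores the
# remaining certs in the chain as extra entries.
# $1 = privkey.pem, $2 = fullchain.pem, $3 = output .p12, $4 = keystore password
pem_to_p12() {
    key="$1"; chain="$2"; out="$3"; pass="$4"
    tmp="$out.tmp.$$"
    openssl pkcs12 -export \
        -inkey "$key" -in "$chain" \
        -name "try" -out "$tmp" -passout "pass:$pass"   # alias "try" is an assumption
    chmod 0640 "$tmp"   # private key material: owner and service group only
    mv "$tmp" "$out"    # atomic swap; the app never sees a half-written keystore
}

# Check that the keystore opens with the given password and holds exactly one
# private key. Returns 0 when it does, 1 otherwise (wrong password, empty file).
p12_has_one_key() {
    p12="$1"; pass="$2"
    n=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY') || true
    [ "${n:-0}" -eq 1 ]
}

# Trigger the Dropwizard admin task with an empty POST; -f makes curl fail on
# a non-2xx status so the hook exits non-zero if the reload did not run.
reload_ssl() {
    url="${1:-http://localhost:8081/tasks/reload-ssl}"
    curl -fsS -X POST "$url" -o /dev/null
}

# Only act when certbot calls us with a renewed lineage; when the file is
# sourced for testing nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pass="${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD to the Dropwizard keystore password}"
    p12=/etc/letsencrypt/live/example.p12     # placeholder path from the message
    pem_to_p12 "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" "$p12" "$pass"
    p12_has_one_key "$p12" "$pass"
    reload_ssl
fi
```

Two practical caveats: certbot's `--webroot -w DIR` writes each token to `DIR/.well-known/acme-challenge/<token>`, so the directory handed to `-w` has to be the one the app maps to the URL path root, not the acme-challenge subdirectory itself; and OpenSSL 3 writes PKCS12 files with PBES2/AES and a SHA-256 MAC by default, which older Java 8 builds cannot open, so on such a JVM add `-legacy` to the `openssl pkcs12 -export` call or upgrade the JDK.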

