Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-04 Thread Sven Barth via fpc-devel
On 03.05.2017 09:06, Michael Van Canneyt wrote:
> 
> 
> On Wed, 3 May 2017, Tomas Hajny wrote:
> 
>> On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
>>> On Tue, 2 May 2017, Martin wrote:
>>>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>>>
>>>>>> That's probably good as the fastest / short-term solution, but as
>>>>>> long as
>>>>>> both DNS records are valid and point to the same IP address (and http
>>>>>> access to both is redirected to the https version), the certificate
>>>>>> should
>>>>>> cover both domain names as well.
>>>>>
>>>>> That may be so, but I have no idea how to do this.
>>>>> As far as I know, lets encrypt does not support wildcard certificates.
>>>>
>>>> I would think you need 2 individual certs.
>>>>
>>>> Since both domains are on the same IP, the server must support SNI (but
>>>> most servers do).
>>>>
>>>> Then have 2 virtual hosts, one for each domain. Each using the correct
>>>> cert for its domain.
>>>> The rest of the virtualhosts will be a copy of each other (or including
>>>> the same include file)
>>>
>>> I will see if this is a possibility.
>>
>> As far as I can see, having a certificate for multiple domain names seems
>> perfectly possible with Let's Encrypt - see
>> https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
>> or
>> https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
>>
>> - there's no need for wildcards, just for the complete list of valid
>> domain names you want to cover.
> 
> I'll try this for mantis/bugs first.

Maybe you'll also want to do this for svn.freepascal.org (and
svn2.freepascal.org?) as at least my PowerBook complained about the
mismatched URL (aside from the root certificate not being trusted :P )

Regards,
Sven

___
fpc-devel maillist  -  fpc-devel@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-03 Thread David Copeland
Another alternative I have used is to get a new certificate that
includes all the subdomains.

Dave Copeland.

On 02/05/17 06:17 PM, Martin wrote:
> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>
>>> That's probably good as the fastest / short-term solution, but as
>>> long as
>>> both DNS records are valid and point to the same IP address (and http
>>> access to both is redirected to the https version), the certificate
>>> should
>>> cover both domain names as well.
>>
>> That may be so, but I have no idea how to do this.
>> As far as I know, lets encrypt does not support wildcard certificates.
>
> I would think you need 2 individual certs.
>
> Since both domains are on the same IP, the server must support SNI
> (but most servers do).
>
> Then have 2 virtual hosts, one for each domain. Each using the correct
> cert for its domain.
> The rest of the virtualhosts will be a copy of each other (or
> including the same include file)


-- 
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca



Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-03 Thread Michael Van Canneyt



On Wed, 3 May 2017, Ondrej Pokorny wrote:

> On 02.05.2017 19:20, Michael Van Canneyt wrote:
>
>> Changed the bugtraq:url. Revision 36062.
>
> Off-topic:
>
> I now switched from mantis.freepascal.org to bugs.freepascal.org and had
> to block the running cheetah icon again.
>
> Remember the good webpage designer (generally speaking UI designer)
> rule: Don't play endless animations. Never.

Considering that we're probably living in a simulation,
we can stop living right now?


Michael.


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-03 Thread Ondrej Pokorny

On 02.05.2017 19:20, Michael Van Canneyt wrote:

> Changed the bugtraq:url. Revision 36062.


Off-topic:

I now switched from mantis.freepascal.org to bugs.freepascal.org and had 
to block the running cheetah icon again.


Remember the good webpage designer (generally speaking UI designer) 
rule: Don't play endless animations. Never.


Ondrej


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-03 Thread Michael Van Canneyt



On Wed, 3 May 2017, Tomas Hajny wrote:

> On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
>> On Tue, 2 May 2017, Martin wrote:
>>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>>
>>>>> That's probably good as the fastest / short-term solution, but as
>>>>> long as
>>>>> both DNS records are valid and point to the same IP address (and http
>>>>> access to both is redirected to the https version), the certificate
>>>>> should
>>>>> cover both domain names as well.
>>>>
>>>> That may be so, but I have no idea how to do this.
>>>> As far as I know, lets encrypt does not support wildcard certificates.
>>>
>>> I would think you need 2 individual certs.
>>>
>>> Since both domains are on the same IP, the server must support SNI (but
>>> most servers do).
>>>
>>> Then have 2 virtual hosts, one for each domain. Each using the correct
>>> cert for its domain.
>>> The rest of the virtualhosts will be a copy of each other (or including
>>> the same include file)
>>
>> I will see if this is a possibility.
>
> As far as I can see, having a certificate for multiple domain names seems
> perfectly possible with Let's Encrypt - see
> https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
> or
> https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
> - there's no need for wildcards, just for the complete list of valid
> domain names you want to cover.

I'll try this for mantis/bugs first.

Michael.


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread silvioprog
On Tue, May 2, 2017 at 6:59 PM, Michael Van Canneyt 
wrote:

> On Tue, 2 May 2017, Tomas Hajny wrote:
>
>> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>>
>>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>>>
>>
>> Hi Michael,
>>
>
Hello dudes,


>>>>   is it possible to add the domain mantis.freepascal.org in the let's
>>>> encrypt cert or change the subversion bugtrack:url property from
>>>> mantis.freepascal.org to bugs.freepascal.org ?
>>>>
>>>
>>> Changed the bugtraq:url. Revision 36062.
>>>
>>
>> That's probably good as the fastest / short-term solution, but as long as
>> both DNS records are valid and point to the same IP address (and http
>> access to both is redirected to the https version), the certificate should
>> cover both domain names as well.
>>
>
> That may be so, but I have no idea how to do this.
>

Which client was used in the challenge, certbot? It allows specifying many
domains (however, I'm using acme-client today, but some time ago I used
certbot and got success with sub-domains too, e.g. www.mydomain.com,
smtp.mydomain.com, docs.mydomain.com etc.).

> As far as I know, lets encrypt does not support wildcard certificates.
>
> Michael.


I have some knowledge about this issue and I would be glad to help on that.

I've replaced certbot with acme-client because it has just some KBs
against many MBs of certbot and its dependencies. Acme-client was written in
C, and its dependencies are just libbsd and libressl.

I made some changes in my copy to make it work on my Ubuntu Server
16.04, and I created a cron job that checks twice a day (time recommended
by certbot/acme-client team) if the certificate is still valid.

-- 
Silvio Clécio


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Luca Olivetti

On 02/05/17 at 23:59, Michael Van Canneyt wrote:
>
> On Tue, 2 May 2017, Tomas Hajny wrote:
>
>> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>>
>> Hi Michael,
>>
>>>>   is it possible to add the domain mantis.freepascal.org in the let's
>>>> encrypt cert or change the subversion bugtrack:url property from
>>>> mantis.freepascal.org to bugs.freepascal.org ?
>>>
>>> Changed the bugtraq:url. Revision 36062.
>>
>> That's probably good as the fastest / short-term solution, but as long as
>> both DNS records are valid and point to the same IP address (and http
>> access to both is redirected to the https version), the certificate
>> should
>> cover both domain names as well.
>
> That may be so, but I have no idea how to do this.
> As far as I know, lets encrypt does not support wildcard certificates.

But it supports more than one name in the same certificate.
I'm using dehydrated[1] and it's just a matter of specifying all the 
domains in the same line in domains.txt.

Other acme clients should support it as well.

[1]https://github.com/lukas2511/dehydrated

Bye
--
Luca



Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Tomas Hajny
On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Martin wrote:
>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>
>>>> That's probably good as the fastest / short-term solution, but as
>>>> long as
>>>> both DNS records are valid and point to the same IP address (and http
>>>> access to both is redirected to the https version), the certificate
>>>> should
>>>> cover both domain names as well.
>>>
>>> That may be so, but I have no idea how to do this.
>>> As far as I know, lets encrypt does not support wildcard certificates.
>>
>> I would think you need 2 individual certs.
>>
>> Since both domains are on the same IP, the server must support SNI (but
>> most servers do).
>>
>> Then have 2 virtual hosts, one for each domain. Each using the correct
>> cert for its domain.
>> The rest of the virtualhosts will be a copy of each other (or including
>> the same include file)
>
> I will see if this is a possibility.

As far as I can see, having a certificate for multiple domain names seems
perfectly possible with Let's Encrypt - see
https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
or 
https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
- there's no need for wildcards, just for the complete list of valid
domain names you want to cover.

BTW, the certificate used for www.freepascal.org should include plain
freepascal.org, because an access to http://freepascal.org results in a
security complaint from the browser now.

Tomas
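
An added illustration, not part of the message above or of any project code: a Python check of which hostnames a certificate's subjectAltName list covers, using RFC 6125 name matching. It goes slightly beyond the thread by also modelling a wildcard entry; the SAN lists are constructed, and `covers`, `uncovered` and `fetch_sans` are hypothetical helper names.

```python
import socket
import ssl

def covers(san: str, host: str) -> bool:
    """True if one SAN dNSName entry matches host (RFC 6125 rules)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    # A wildcard is honoured only as the complete left-most label and stands
    # for exactly one label, so *.example.org never matches example.org.
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return False

def uncovered(hosts, sans):
    """Hostnames a client would reject with a name-mismatch error."""
    return [h for h in hosts if not any(covers(s, h) for s in sans)]

def fetch_sans(host, port=443, timeout=5.0):
    """Read the dNSName entries of the certificate served for `host` via SNI.
    The chain is still verified; only the name check is skipped so that a
    mismatched certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed SAN lists (not read from the real servers) modelling the thread.
HOSTS = ["bugs.freepascal.org", "mantis.freepascal.org",
         "www.freepascal.org", "freepascal.org"]
SINGLE_NAME = ["bugs.freepascal.org"]   # certificate issued for one name only
WILDCARD = ["*.freepascal.org"]         # covers subdomains but not the apex
FULL_LIST = list(HOSTS)                 # every served name listed explicitly

if __name__ == "__main__":
    for label, sans in [("single", SINGLE_NAME), ("wildcard", WILDCARD),
                        ("full list", FULL_LIST)]:
        print(f"{label:10} missing: {uncovered(HOSTS, sans)}")
```

Passing the output of `fetch_sans(name)` as `sans` runs the same check against the certificate a server actually presents for each name.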




Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Michael Van Canneyt



On Tue, 2 May 2017, Martin wrote:

> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>
>>> That's probably good as the fastest / short-term solution, but as long as
>>> both DNS records are valid and point to the same IP address (and http
>>> access to both is redirected to the https version), the certificate should
>>> cover both domain names as well.
>>
>> That may be so, but I have no idea how to do this.
>> As far as I know, lets encrypt does not support wildcard certificates.
>
> I would think you need 2 individual certs.
>
> Since both domains are on the same IP, the server must support SNI (but
> most servers do).
>
> Then have 2 virtual hosts, one for each domain. Each using the correct
> cert for its domain.
> The rest of the virtualhosts will be a copy of each other (or including
> the same include file)

I will see if this is a possibility.

Michael.


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Martin

On 02/05/2017 22:59, Michael Van Canneyt wrote:
>
>> That's probably good as the fastest / short-term solution, but as long as
>> both DNS records are valid and point to the same IP address (and http
>> access to both is redirected to the https version), the certificate should
>> cover both domain names as well.
>
> That may be so, but I have no idea how to do this.
> As far as I know, lets encrypt does not support wildcard certificates.


I would think you need 2 individual certs.

Since both domains are on the same IP, the server must support SNI (but 
most servers do).


Then have 2 virtual hosts, one for each domain. Each using the correct 
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including 
the same include file)



Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Michael Van Canneyt



On Tue, 2 May 2017, Tomas Hajny wrote:

> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>
> Hi Michael,
>
>>>   is it possible to add the domain mantis.freepascal.org in the let's
>>> encrypt cert or change the subversion bugtrack:url property from
>>> mantis.freepascal.org to bugs.freepascal.org ?
>>
>> Changed the bugtraq:url. Revision 36062.
>
> That's probably good as the fastest / short-term solution, but as long as
> both DNS records are valid and point to the same IP address (and http
> access to both is redirected to the https version), the certificate should
> cover both domain names as well.

That may be so, but I have no idea how to do this.
As far as I know, lets encrypt does not support wildcard certificates.

Michael.


Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Tomas Hajny
On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:


Hi Michael,

>>   is it possible to add the domain mantis.freepascal.org in the let's
>> encrypt cert or change the subversion bugtrack:url property from
>> mantis.freepascal.org to bugs.freepascal.org ?
>
> Changed the bugtraq:url. Revision 36062.

That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.

Tomas




Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org

2017-05-02 Thread Michael Van Canneyt



On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:

> Hi,
>
>   is it possible to add the domain mantis.freepascal.org in the let's
> encrypt cert or change the subversion bugtrack:url property from
> mantis.freepascal.org to bugs.freepascal.org ?

Changed the bugtraq:url. Revision 36062.

Michael.