Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On 03.05.2017 09:06, Michael Van Canneyt wrote:
> On Wed, 3 May 2017, Tomas Hajny wrote:
>> On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
>>> On Tue, 2 May 2017, Martin wrote:
>>>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>>>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>>>>>
>>>>> That may be so, but I have no idea how to do this.
>>>>> As far as I know, Let's Encrypt does not support wildcard certificates.
>>>>
>>>> I would think you need 2 individual certs.
>>>>
>>>> Since both domains are on the same IP, the server must support SNI (but most servers do).
>>>>
>>>> Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
>>>> The rest of the virtualhosts will be a copy of each other (or including the same include file)
>>>
>>> I will see if this is a possibility.
>>
>> As far as I can see, having a certificate for multiple domain names seems perfectly possible with Let's Encrypt - see https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04, or https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2 - there's no need for wildcards, just for the complete list of valid domain names you want to cover.
>
> I'll try this for mantis/bugs first.

Maybe you'll also want to do this for svn.freepascal.org (and svn2.freepascal.org?) as at least my PowerBook complained about the mismatched URL (aside from the root certificate not being trusted :P )

Regards,
Sven

___
fpc-devel maillist - fpc-devel@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-devel
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
Another alternative I have used is to get a new certificate that includes all the subdomains.

Dave Copeland.

On 02/05/17 06:17 PM, Martin wrote:
> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>>
>> That may be so, but I have no idea how to do this.
>> As far as I know, Let's Encrypt does not support wildcard certificates.
>
> I would think you need 2 individual certs.
>
> Since both domains are on the same IP, the server must support SNI (but most servers do).
>
> Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
> The rest of the virtualhosts will be a copy of each other (or including the same include file)

-- 
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Wed, 3 May 2017, Ondrej Pokorny wrote:
> On 02.05.2017 19:20, Michael Van Canneyt wrote:
>> Changed the bugtraq:url. Revision 36062.
>
> Off-topic: I now switched from mantis.freepascal.org to bugs.freepascal.org and had to block the running cheetah icon again. Remember the good webpage designer (generally speaking UI designer) rule: Don't play endless animations. Never.

Considering that we're probably living in a simulation, we can stop living right now ?

Michael.
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On 02.05.2017 19:20, Michael Van Canneyt wrote:
> Changed the bugtraq:url. Revision 36062.

Off-topic: I now switched from mantis.freepascal.org to bugs.freepascal.org and had to block the running cheetah icon again. Remember the good webpage designer (generally speaking UI designer) rule: Don't play endless animations. Never.

Ondrej
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Wed, 3 May 2017, Tomas Hajny wrote:
> On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
>> On Tue, 2 May 2017, Martin wrote:
>>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>>>>
>>>> That may be so, but I have no idea how to do this.
>>>> As far as I know, Let's Encrypt does not support wildcard certificates.
>>>
>>> I would think you need 2 individual certs.
>>>
>>> Since both domains are on the same IP, the server must support SNI (but most servers do).
>>>
>>> Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
>>> The rest of the virtualhosts will be a copy of each other (or including the same include file)
>>
>> I will see if this is a possibility.
>
> As far as I can see, having a certificate for multiple domain names seems perfectly possible with Let's Encrypt - see https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04, or https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2 - there's no need for wildcards, just for the complete list of valid domain names you want to cover.

I'll try this for mantis/bugs first.

Michael.
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Tue, May 2, 2017 at 6:59 PM, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Tomas Hajny wrote:
>> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>>
>> Hi Michael,

Hello dudes,

>>>> is it possible to add the domain mantis.freepascal.org in the let's encrypt cert or change the subversion bugtrack:url property from mantis.freepascal.org to bugs.freepascal.org ?
>>>
>>> Changed the bugtraq:url. Revision 36062.
>>
>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>
> That may be so, but I have no idea how to do this.

Which client was used in the challenge, certbot? It allows specifying many domains (however, I'm using acme-client today, but some time ago I used certbot and got success with sub-domains too, eg: www.mydomain.com, smtp.mydomain.com, docs.mydomain.com etc.).

> As far as I know, Let's Encrypt does not support wildcard certificates.
>
> Michael.

I have some knowledge about this issue and I would be glad to help on that. I've replaced certbot with acme-client because it has just some KBs against many MB of certbot and its dependencies. Acme-client was written in C, and its dependencies are just libbsd and libressl. I did some changes in my copy to make it work in my Ubuntu Server 16.04, and I created a cron job that checks twice a day (time recommended by certbot/acme-client team) if the certificate is still valid.

-- 
Silvio Clécio
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On 02/05/17 at 23:59, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Tomas Hajny wrote:
>> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>>
>> Hi Michael,
>>
>>>> is it possible to add the domain mantis.freepascal.org in the let's encrypt cert or change the subversion bugtrack:url property from mantis.freepascal.org to bugs.freepascal.org ?
>>>
>>> Changed the bugtraq:url. Revision 36062.
>>
>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>
> That may be so, but I have no idea how to do this.
> As far as I know, Let's Encrypt does not support wildcard certificates.

But it supports more than one name in the same certificate. I'm using dehydrated[1] and it's just a matter of specifying all the domains in the same line in domains.txt. Other acme clients should support it as well.

[1] https://github.com/lukas2511/dehydrated

Bye
-- 
Luca
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Wed, May 3, 2017 00:33, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Martin wrote:
>> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>>>
>>> That may be so, but I have no idea how to do this.
>>> As far as I know, Let's Encrypt does not support wildcard certificates.
>>
>> I would think you need 2 individual certs.
>>
>> Since both domains are on the same IP, the server must support SNI (but most servers do).
>>
>> Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
>> The rest of the virtualhosts will be a copy of each other (or including the same include file)
>
> I will see if this is a possibility.

As far as I can see, having a certificate for multiple domain names seems perfectly possible with Let's Encrypt - see https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04, or https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2 - there's no need for wildcards, just for the complete list of valid domain names you want to cover.

BTW, the certificate used for www.freepascal.org should include plain freepascal.org, because an access to http://freepascal.org results in a security complaint from the browser now.

Tomas
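Added example, not part of the thread or of the FPC server setup: a Python check of which host names a certificate's subjectAltName list covers, using the names discussed in the messages above. The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, the function names are hypothetical, and the wildcard case goes beyond what the thread tried.

```python
"""Report which host names a certificate's subjectAltName entries fail to cover."""


def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 match: '*' is honoured only as the whole leftmost
    label and stands for exactly one label (no public-suffix check here)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_dns_names(peercert: dict) -> list:
    """Pull dNSName entries out of a getpeercert()-shaped dict.
    The subject CN is deliberately ignored, as current browsers do."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered(peercert: dict, hosts: list) -> list:
    """Return the hosts that would trigger a name-mismatch warning."""
    sans = san_dns_names(peercert)
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed sample certificates (not the real freepascal.org certificates).
CERT_BUGS_ONLY = {"subjectAltName": (("DNS", "bugs.freepascal.org"),)}
CERT_MULTI = {"subjectAltName": (("DNS", "bugs.freepascal.org"),
                                 ("DNS", "mantis.freepascal.org"))}
CERT_WWW_ONLY = {"subjectAltName": (("DNS", "www.freepascal.org"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.freepascal.org"),)}

if __name__ == "__main__":
    tracker = ["bugs.freepascal.org", "mantis.freepascal.org"]
    site = ["www.freepascal.org", "freepascal.org"]
    print("single-name cert misses:", uncovered(CERT_BUGS_ONLY, tracker))
    print("multi-name cert misses: ", uncovered(CERT_MULTI, tracker))
    print("www-only cert misses:   ", uncovered(CERT_WWW_ONLY, site))
    print("wildcard cert misses:   ", uncovered(CERT_WILDCARD, site))
```

Even a wildcard entry leaves the bare domain uncovered, so the apex name has to be listed explicitly alongside it.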
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Tue, 2 May 2017, Martin wrote:
> On 02/05/2017 22:59, Michael Van Canneyt wrote:
>>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>>
>> That may be so, but I have no idea how to do this.
>> As far as I know, Let's Encrypt does not support wildcard certificates.
>
> I would think you need 2 individual certs.
>
> Since both domains are on the same IP, the server must support SNI (but most servers do).
>
> Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
> The rest of the virtualhosts will be a copy of each other (or including the same include file)

I will see if this is a possibility.

Michael.
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On 02/05/2017 22:59, Michael Van Canneyt wrote:
>> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.
>
> That may be so, but I have no idea how to do this.
> As far as I know, Let's Encrypt does not support wildcard certificates.

I would think you need 2 individual certs.

Since both domains are on the same IP, the server must support SNI (but most servers do).

Then have 2 virtual hosts, one for each domain. Each using the correct cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including the same include file)
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Tue, 2 May 2017, Tomas Hajny wrote:
> On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
>> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
>
> Hi Michael,
>
>>> is it possible to add the domain mantis.freepascal.org in the let's encrypt cert or change the subversion bugtrack:url property from mantis.freepascal.org to bugs.freepascal.org ?
>>
>> Changed the bugtraq:url. Revision 36062.
>
> That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.

That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.

Michael.
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Tue, May 2, 2017 19:20, Michael Van Canneyt wrote:
> On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:

Hi Michael,

>> is it possible to add the domain mantis.freepascal.org in the let's encrypt cert or change the subversion bugtrack:url property from mantis.freepascal.org to bugs.freepascal.org ?
>
> Changed the bugtraq:url. Revision 36062.

That's probably good as the fastest / short-term solution, but as long as both DNS records are valid and point to the same IP address (and http access to both is redirected to the https version), the certificate should cover both domain names as well.

Tomas
Re: [fpc-devel] Let's Encrypt cert and mantis.freepascal.org
On Tue, 2 May 2017, Dimitrios Chr. Ioannidis via fpc-devel wrote:
> Hi,
>
> is it possible to add the domain mantis.freepascal.org in the let's encrypt cert or change the subversion bugtrack:url property from mantis.freepascal.org to bugs.freepascal.org ?

Changed the bugtraq:url. Revision 36062.

Michael.