Actually, I have just seen that the challenge directory must be
/.well-known/acme-challenge/, so now it's this:
http://try.freemarker.org/.well-known/acme-challenge/test.txt
http://try.freemarker.apache.org/.well-known/acme-challenge/test.txt
Also, now it doesn't redirect to HTTPS.

And, don't install httpd now suddenly... that part of the problem is
solved, we don't need it. It's going to be something like

  certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge


Tuesday, May 15, 2018, 8:43:06 PM, Daniel Dekany wrote:

> OK, so now hopefully it's ready for Let's Encrypt.
>
> In /opt/fmonlinetester/etc/freemarker-online.yml you can see:
>
> - That now it also serves over HTTPS, in addition to HTTP.
>   For now it uses /etc/letsencrypt/live/example.p12; it's just an example
>   (I'm not even sure if the directory will be that.)
>
> - Dropwizard will need a standard p12 file. (No need for JKS, though that
>   works as well.)
>
> - /opt/fmonlinetester/var/letsencrypt-verify is served as static
>   content. Try this: http://try.freemarker.org/letsencrypt-verify
>   So that's what certbot will have to overwrite for the verification.
>
> - http://try.apache.freemarker.org/ redirects to
>   https://try.apache.freemarker.org/
>   Now that I think about it, I'm not sure if Let's Encrypt will like
>   that during the verification... with our example cert... well,
>   let's hope it does.
>
> When certbot is run by cron (I guess it is), then two extra steps
> will be needed:
>
> 1. Convert to p12 format.
> 2. Trigger SSL certificate reloading with curl (POST to
>    localhost:8081/tasks/reload-ssl)
>
> Examples:
> https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
> https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html
>
> (Again, we don't need to convert the p12 further to jks... the p12 is
> already good.)
>
>
> Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:
>
>> Ugh. OK, I have Googled into how certbot works, and it requires a few
>> things from the HTTP service itself... I will upload a new version of the
>> Dropwizard app that can do those things soon.
>>
>>
>> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>>
>>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>>
>>>> Hi Daniel,
>>>>
>>>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>>>
>>>> So I will use letsencrypt to create a certificate for the 2 domains
>>>> try.freemarker.org and try.freemarker.apache.org
>>>>
>>>> At
>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>
>>>> I read that ports 22 and 80 are accessible from the Internet and that Java
>>>> serves at port 8080.
>>>>
>>>> As I'm used to it, I want to use HTTPD + AJP with port 443 and
>>>> to replace the iptables redirection with AJP
>>>
>>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>>> application (single runnable jar) with an embedded HTTP server, that
>>> serves everything directly. Well, except that we need the iptables
>>> port redirection as we have no right to bind to ports < 1024... but
>>> that's all.
>>>
>>>> but
>>>>
>>>>  1. Why do we need the port 22?
>>>
>>> For SSH.
>>>
>>>>  2. I think we don't need to serve port 8443 from Java and can
>>>>     redirect port 443 to port 8080, right? Not sure about that, maybe
>>>>     a change in code is needed?
>>>
>>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>>> https on 8443 (I assume), which should correspond to 443 via
>>> iptables.
>>>
>>>>  3. I understand (did not check the whole code) that it does not
>>>>     use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly,
>>>>     right?
>>>
>>> It uses embedded Jetty, but it's configured through Dropwizard itself:
>>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>>
>>>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>>>>     does, the same way as Tomcat, nothing to add?
>>>>
>>>> Because when I try to install a letsencrypt certificate with
>>>> certbot as root I can't. Using the www-data user (HTTPD default user for
>>>> User and Group on Debian in apache2.conf) I get (I also tried the
>>>> fmonlinetester user in case):
>>>>
>>>> certbot --apache
>>>>
>>>> [... all correct so far]
>>>>
>>>> Performing the following challenges:
>>>> http-01 challenge for try.freemarker.apache.org
>>>> http-01 challenge for try.freemarker.org
>>>> Waiting for verification...
>>>> Cleaning up challenges
>>>> Failed authorization procedure. try.freemarker.apache.org
>>>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
>>>> authorization ::
>>>> Invalid response from
>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>>  [54.71.67.193]: 404,
>>>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>>>> client lacks sufficient authorization :: Invalid response from 
>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>>  [54.71.67.193]: 404
>>>>
>>>> IMPORTANT NOTES:
>>>>   - The following errors were reported by the server:
>>>>
>>>>     Domain: try.freemarker.apache.org
>>>>     Type:   unauthorized
>>>>     Detail: Invalid response from
>>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>>     [54.71.67.193]: 404
>>>>
>>>>     Domain: try.freemarker.org
>>>>     Type:   unauthorized
>>>>     Detail: Invalid response from
>>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>>     [54.71.67.193]: 404
>>>>
>>>>     To fix these errors, please make sure that your domain name was
>>>>     entered correctly and the DNS A/AAAA record(s) for that domain
>>>>     contain(s) the right IP address.
>>>>
>>>> [domains are correct and 54.71.67.193 is currently the right IP]
>>>>
>>>>   - Your account credentials have been saved in your Certbot
>>>>     configuration directory at /etc/letsencrypt. You should make a
>>>>     secure backup of this folder now. This configuration directory will
>>>>     also contain certificates and private keys obtained by Certbot so
>>>>     making regular backups of this folder is ideal.
>>>>
>>>> [I have removed /etc/letsencrypt, it's of no use as long as
>>>> the challenges are not successful[2]]
>>>>
>>>> Obviously certbot is not able to put the challenge file where it needs to.
>>>>
>>>> So it seems a change in code is needed? Else what would you suggest?
>>>
>>> I have no experience with certbot and all that. But I guess it just
>>> replaces a certificate file somewhere. That will have to be converted
>>> to JKS format ("Java Key Store", which is what Jetty or any other Java
>>> SSL stuff needs). Hopefully there's a solution for that on the net...
>>> if not, we will figure it out...
>>>
>>>> Jacques
>>>>
>>>> [1] https://javaee.github.io/grizzly/ajp.html
>>>>
>>>> [2]
>>>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>>>
>>>>
>>>> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>>>>> It's OK now with Chris Lambertus's help
>>>>>
>>>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>>>>> Thanks
>>>>>>
>>>>>> Just tried, did not work, not sure why
>>>>>>
>>>>>>
>>>>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>>>
>>>>>>>
>>>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> Thanks Daniel,
>>>>>>>>
>>>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>>>
>>>>>>>> otp-md5 499 fr516
>>>>>>>> Password:
>>>>>>>> jleroux is not in the sudoers file.  This incident will be reported.
>>>>>>>> jleroux@freemarker-vm:~$
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>>>
>>>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>>>> Have you done the OTP stuff? See on:
>>>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>>>>> Hi Daniel,
>>>>>>>>>>>
>>>>>>>>>>> Yes completely forgot about that. I just checked and I have access 
>>>>>>>>>>> to the VM.
>>>>>>>>>>>
>>>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this 
>>>>>>>>>>> week (very possible)
>>>>>>>>>>>
>>>>>>>>>>> Cheers
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>>>
>>>>>>>>>>>>> That's good news. I did not want to get further with
>>>>>>>>>>>>> try.freemarker.org waiting for this to happen. Once the LetsEncrypt
>>>>>>>>>>>>> setup is done a redirection should be enough
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>       try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>       Since that hostname maps to your VM, the certificate to be
>>>>>>>>>>>>>>       used for try.freemarker.apache.org will need to be
>>>>>>>>>>>>>>       hosted/operated by your VM. Infra's current policy for
>>>>>>>>>>>>>>       project VMs is to use LetsEncrypt for certificates.
>>>>>>>>>>>>>>       [~pono] will get you set up with that.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to
>>>>>>>>>>>>>>>>> try.freemarker.apache.org):
>>>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's
>>>>>>>>>>>>>>>>>   technically fine
>>>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from
>>>>>>>>>>>>>>>>> Infra in the coming days... just to be on the safe side.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The difference is that try.freemarker.org is a companion site.
>>>>>>>>>>>>>>>>>> So long as the main site is freemarker.apache.org I don’t think
>>>>>>>>>>>>>>>>>> anyone will complain about a companion site.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when
>>>>>>>>>>>>>>>>>>> the domain was well established before entering the
>>>>>>>>>>>>>>>>>>> incubator, subversion.org comes to mind.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the
>>>>>>>>>>>>>>>>>>> incubator but not try.freemarker.apache.org which is quite
>>>>>>>>>>>>>>>>>>> recent. Hence maybe some caution needed...
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as
>>>>>>>>>>>>>>>>>>>> long as try.freemarker.org is an Apache controlled
>>>>>>>>>>>>>>>>>>>> domain. You aren’t the only project that has a vanity
>>>>>>>>>>>>>>>>>>>> domain. See www.openoffice.org as an example.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddek...@apache.org> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request
>>>>>>>>>>>>>>>>>>>>> try.freemarker.apache.org from Infra and then redirect
>>>>>>>>>>>>>>>>>>>>> try.freemarker.org to it, because I'm worried that the IPMC
>>>>>>>>>>>>>>>>>>>>> will dislike that we use try.freemarker.org as the canonical
>>>>>>>>>>>>>>>>>>>>> address of the online template tester. It will also use
>>>>>>>>>>>>>>>>>>>>> https and a LetsEncrypt certificate (we can't use the
>>>>>>>>>>>>>>>>>>>>> *.apache.org cert on a VM).
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not
>>>>>>>>>>>>>>>>>>>>> aware of any gotchas in our case, but if anyone is aware of
>>>>>>>>>>>>>>>>>>>>> some, like LetsEncrypt doesn't support them or something,
>>>>>>>>>>>>>>>>>>>>> please stop me! (Also, this way we will receive the cookies
>>>>>>>>>>>>>>>>>>>>> of freemarker.apache.org, but certainly we will be able to
>>>>>>>>>>>>>>>>>>>>> cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>>>> Daniel Dekany
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Thanks,
 Daniel Dekany
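The renewal flow discussed in this thread (certbot in webroot mode writing into /opt/fmonlinetester/var/letsencrypt-acme-challenge, then the two extra steps after a renewal: converting the PEM files to p12 and POSTing to localhost:8081/tasks/reload-ssl so Dropwizard reloads the certificate) written out as a certbot deploy hook. This is an added example, not a script from the thread or from the FreeMarker online tester project. The keystore path, the password file, the certificate alias, the hook's location and the fmonlinetester group ownership are assumptions; the RENEWED_LINEAGE and RENEWED_DOMAINS variables are the ones certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread or the fmonlinetester project): a certbot
# deploy hook that does the two steps needed after a renewal:
#   1. convert certbot's PEM files into a PKCS#12 keystore for Dropwizard
#   2. POST to the Dropwizard admin task so embedded Jetty reloads the cert
# Intended invocation (webroot dir is the one from the thread, the rest is assumed):
#   certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge \
#       -d try.freemarker.org -d try.freemarker.apache.org \
#       --deploy-hook /opt/fmonlinetester/bin/deploy-hook.sh
set -eu

# Certbot exports these two variables to deploy hooks. They are unset when the
# script is run by hand, so main() at the bottom only runs under certbot.
LINEAGE="${RENEWED_LINEAGE:-}"
DOMAINS="${RENEWED_DOMAINS:-}"

# Assumed locations (not from the thread): the keystore Dropwizard's https
# connector is configured with (keyStorePath, keyStoreType: PKCS12) and a
# root-only file holding its password, so the password never appears in argv.
KEYSTORE="${KEYSTORE:-/opt/fmonlinetester/etc/try.freemarker.p12}"
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-/opt/fmonlinetester/etc/keystore.pass}"
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# Exit status 0 if the renewed lineage covers a hostname this VM serves.
# Certbot runs the hook for every renewed lineage, so unrelated ones are skipped.
covers_our_domain() {
    for d in $1; do
        case "$d" in
            try.freemarker.org|try.freemarker.apache.org) return 0 ;;
        esac
    done
    return 1
}

# Build a PKCS#12 keystore from a lineage's fullchain.pem + privkey.pem.
#   $1 = lineage directory, $2 = output path, $3 = file holding the password
# Written to a temp file and renamed, so a reload that fires mid-write never
# sees a half-written keystore; the subshell keeps umask 077 local.
build_p12() {
    lineage=$1; out=$2; pass_file=$3
    tmp="$out.tmp.$$"
    (
        umask 077
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name tryfreemarker -out "$tmp" -passout "file:$pass_file"
    )
    mv -f "$tmp" "$out"
}

# Ask Dropwizard's admin connector to re-read the keystore (its reload-ssl task).
# -f makes curl fail on an HTTP error, so a rejected keystore is noticed by cron.
trigger_reload() {
    curl -fsS -X POST "$1"
}

main() {
    if ! covers_our_domain "$DOMAINS"; then
        echo "deploy hook: '$DOMAINS' is not ours, nothing to do" >&2
        return 0
    fi
    build_p12 "$LINEAGE" "$KEYSTORE" "$KEYSTORE_PASS_FILE"
    # The Java process runs as the fmonlinetester user (assumed), which must
    # be able to read the keystore while nobody else can.
    chgrp fmonlinetester "$KEYSTORE" && chmod 640 "$KEYSTORE"
    trigger_reload "$RELOAD_URL"
}

if [ -n "$LINEAGE" ]; then
    main
fi
```

Because the keystore password is read from a file by openssl itself and the p12 is written under umask 077 before being renamed into place, neither the password nor a partially written keystore is exposed on the VM, and the reload task only ever sees a complete file. The domain check matters once the VM holds more than one lineage: certbot calls the hook for each one, and the conversion should only run for the lineage Dropwizard actually serves.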
