Thanks Daniel,

I'll have another look...

Cheers

Jacques


On 15/05/2018 at 21:58, Daniel Dekany wrote:
Actually, I have just seen that the challenge directory must be
/.well-known/acme-challenge/, so now it's this:
http://try.freemarker.org/.well-known/acme-challenge/test.txt
http://try.freemarker.apache.org/.well-known/acme-challenge/test.txt
Also, now it doesn't redirect to HTTPS.

And, don't install httpd now suddenly... that part of the problem is
solved, we don't need it. It's going to be something like

   certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge


Tuesday, May 15, 2018, 8:43:06 PM, Daniel Dekany wrote:

OK, so now hopefully it's ready for Let's Encrypt.

In /opt/fmonlinetester/etc/freemarker-online.yml you can see:

- That now it also serves HTTPS, in addition to HTTP.
   For now it uses /etc/letsencrypt/live/example.p12; it's just an example
   (I'm not even sure if the directory will be that.)

- Dropwizard will need a standard p12 file. (No need for JKS, though that works
   as well.)

- /opt/fmonlinetester/var/letsencrypt-verify is served as static
   content. Try this: http://try.freemarker.org/letsencrypt-verify
   So that's what certbot will have to overwrite for the verification.

- http://try.apache.freemarker.org/ redirects to
https://try.apache.freemarker.org/
   Now that I think about it, I'm not sure if Let's Encrypt will like
   that during the verification... with our example cert... well,
   let's hope it does.

When certbot is run by cron (I guess it does), then two extra steps
will be needed:

1. Converting to p12 format.
2. Trigger SSL certificate reloading with curl (POST to localhost:8081/tasks/reload-ssl)

Examples:
https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html

(Again, we don't need to convert the p12 further to jks... the p12 is
already good.)
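The two post-renewal steps above, written up as a certbot deploy hook. This is an added example and not a script from the thread or the FreeMarker project; certbot exports RENEWED_LINEAGE to deploy hooks, and the keystore path, the password file and the admin task URL are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical certbot --deploy-hook for the Dropwizard online tester:
#   1. convert the renewed PEM lineage to a PKCS#12 keystore for Jetty
#   2. POST to the admin task that reloads the SSL context
# certbot runs this only after a successful renewal, with RENEWED_LINEAGE
# set to the lineage directory (e.g. /etc/letsencrypt/live/<name>).
set -eu

P12_OUT="${P12_OUT:-/opt/fmonlinetester/var/letsencrypt.p12}"        # assumed path
P12_PASS_FILE="${P12_PASS_FILE:-/opt/fmonlinetester/etc/p12.pass}"  # assumed, mode 0600
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"   # task URL from the thread

# Step 1: write fullchain + key into a PKCS#12 file, atomically, so a reload
# that races with the conversion never sees a half-written keystore.
convert_to_p12() {
    lineage="$1" out="$2" passfile="$3"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing PEM files in $lineage" >&2; return 1; }
    tmp="$out.tmp.$$"
    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -passout "file:$passfile" -out "$tmp"
    chmod 0640 "$tmp"      # readable by the app's group only, never world-readable
    mv -f "$tmp" "$out"
}

# Step 2: ask the running Dropwizard instance to reload its SSL context.
# The admin port should listen on localhost only; any non-2xx status fails the hook
# so that cron/certbot report the problem instead of silently serving a stale cert.
reload_ssl() {
    status=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$1")
    case "$status" in
        2*) return 0 ;;
        *)  echo "reload-ssl returned HTTP $status" >&2; return 1 ;;
    esac
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    convert_to_p12 "$RENEWED_LINEAGE" "$P12_OUT" "$P12_PASS_FILE"
    reload_ssl "$RELOAD_URL"
fi
```

Register it with `certbot certonly --webroot -w ... --deploy-hook /path/to/this-script`; certbot then runs it for every renewal without any extra cron wiring.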


Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:

Ugh. OK, I have Googled into how certbot works, and it requires a few
things from the HTTP service itself... I will upload a new version of the
Dropwizard app that can do those things soon.


Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:

Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:

Hi Daniel,

I have closed INFRA-16498, we can do it locally, Puppet is not used.

So I will use letsencrypt to create a certificate for the 2 domains
try.freemarker.org and try.freemarker.apache.org

At
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

I read that ports 22 and 80 are accessible from the Internet and that Java serves at port 8080.

As I'm used to it, I want to use HTTPD + AJP with the port 443 and
to replace the iptables redirection by AJP
There's no AJP or any such mess. It's just a Dropwizard (Java)
application (single runnable jar) with an embedded HTTP server, that
serves everything directly. Well, except that we need the iptables
port redirection as we have no right to bind to ports < 1024... but
that's all.

but

  1. Why do we need the port 22?
For SSH.

  2. I think we don't need to serve the port 8443 from Java and can
redirect the port 443 to the port 8080, right? Not sure about that, maybe a
change in code is needed?
No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
https on 8443 (I assume), which should correspond to 443 via
iptables.

  3. I understand (did not check the whole code) that it does not
use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
It uses embedded Jetty, but you configure Dropwizard itself:
https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl

  4. I read that Grizzly supports AJP[1] but I don't know yet how it
does, same way than Tomcat, nothing to add?

Because when I try to install a letsencrypt certificate with
certbot as root I can't. Using www-data user (HTTPD default user for User and
Group on Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)

certbot --apache

[... all correct so far]

Performing the following challenges:
http-01 challenge for try.freemarker.apache.org
http-01 challenge for try.freemarker.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. try.freemarker.apache.org
(http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
authorization ::
Invalid response from
http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
 [54.71.67.193]: 404,
try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
client lacks sufficient authorization :: Invalid response from
http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
 [54.71.67.193]: 404

IMPORTANT NOTES:
   - The following errors were reported by the server:

     Domain: try.freemarker.apache.org
     Type:   unauthorized
     Detail: Invalid response from
http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
     [54.71.67.193]: 404

     Domain: try.freemarker.org
     Type:   unauthorized
     Detail: Invalid response from
http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
     [54.71.67.193]: 404

     To fix these errors, please make sure that your domain name was
     entered correctly and the DNS A/AAAA record(s) for that domain
     contain(s) the right IP address.

[domains are correct and 54.71.67.193 is currently the right IP]

   - Your account credentials have been saved in your Certbot
     configuration directory at /etc/letsencrypt. You should make a
     secure backup of this folder now. This configuration directory will
     also contain certificates and private keys obtained by Certbot so
     making regular backups of this folder is ideal.

[I have removed /etc/letsencrypt, it's of no use as long as
the challenges are not successful[2]]

Obviously certbot is not able to put the challenge file where it needs.

So it seems a change in code is needed? Else what would you suggest?
I have no experience with certbot and all that. But I guess it just
replaces a certificate file somewhere. That will have to be converted
to JKS format ("Java Key Store", which is what Jetty or any other Java
SSL stuff need). Hopefully there's a solution for that on the net...
if not, we will figure out...

Jacques

[1] https://javaee.github.io/grizzly/ajp.html

[2]
https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key


On 08/05/2018 at 14:25, Jacques Le Roux wrote:
It's OK now with Chris Lambertus's help

I created https://issues.apache.org/jira/browse/INFRA-16498 to continue

Jacques


On 06/05/2018 at 09:10, Jacques Le Roux wrote:
Thanks

Just tried, did not work, not sure why


On 05/05/2018 at 19:05, Daniel Dekany wrote:
I'm a sudoer, so I can add you. Try now!


Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:

Thanks Daniel,

I did not, but actually as I'm not in the sudoers it does not help:

otp-md5 499 fr516
Password:
jleroux is not in the sudoers file.  This incident will be reported.
jleroux@freemarker-vm:~$

Jacques


On 05/05/2018 at 12:38, Daniel Dekany wrote:
Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:

I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
Have you done the OTP stuff? See on:
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

Jacques


On 01/05/2018 at 14:50, Jacques Le Roux wrote:
Hi Daniel,

Yes completely forgot about that. I just checked and I have access to the VM.

Since we need to do it ourselves, I'll have a look, hopefully this week (very
possible)

Cheers

Jacques


On 30/04/2018 at 16:51, Daniel Dekany wrote:
Seems this was forgotten. Do you plan to do it?


Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:

Thanks Daniel,

That's good news. I did not want to get further with
try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done
a redirection should be enough

Jacques

On 08/01/2018 at 09:47, Daniel Dekany wrote:
Greg commented on the request:

       try.freemarker.apache.org now works, and is propagated.

       Since that hostname maps to your VM, the certificate to be used for
       try.freemarker.apache.org will need to be hosted/operated by your VM.
       Infra's current policy for project VMs is to use LetsEncrypt for
       certificates. [~pono] will get you set up with that.


Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:

Good, Greg closed INFRA-15476

Jacques

On 03/01/2018 at 21:23, Daniel Dekany wrote:
I'm "a bit" late with this, but I have created the issue for it:
https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775


Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:

To summarize, the opinions were (whether we should switch to
try.freemarker.apache.org):
- Daniel Dekany: We better not risk not doing this
- Jacopo Cappellato: Agrees with me (above) in this
- Jacques Le Roux: No opinion was expressed, but it's technically fine
- Ralph Goers: It's certainly not necessary to do

So, unless someone has more to add, I will ask this from Infra in the
coming days... just to be on the safe side.

Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:

The difference is that try.freemarker.org is a companion site. So long as the
main site is freemarker.apache.org I don't think anyone will complain about a
companion site.

Ralph

On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

Hi Ralph,

IIRW openoffice.org is an exception. There are others, when the domain was well
established before entering the incubator, subversion.org comes to mind.

IMO freemarker.org was well established before entering the incubator but not
try.freemarker.apache.org which is quite recent. Hence maybe some caution needed...

My 2 cts

Jacques


On 29/11/2017 at 14:55, Ralph Goers wrote:
Personally, I don't see why there should be a problem as long as try.freemarker.org
is an Apache controlled domain. You aren't the only project that has a vanity domain.
See www.openoffice.org as an example.

Ralph

On Nov 29, 2017, at 1:51 AM, Daniel Dekany <ddek...@apache.org> wrote:

Just as a reminder, I'm planning to request try.freemarker.apache.org,
from Infra and then redirect try.freemarker.org to it, because I'm
worried that the IPMC will dislike that we use try.freemarker.org as
the canonical address of the online template tester. It will also use
https and a LetsEncrypt certificate (we can't use the *.apache.org
cert on a VM).

BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
gotchas in our case, but if anyone is aware of some, like LetsEncrypt
doesn't support them or something, please stop me! (Also, this way
we will receive the cookies of freemarker.apache.org, but certainly we
will be able to cope with that, if it ever causes a problem.)

Any comments? And do you (especially PPMC members) agree?

--
Thanks,
Daniel Dekany