Ah, not a big deal, but should we not restrict read (640) on
/opt/fmonlinetester/etc/freemarker-online.yml ?
It contains the cert secret key...
Le 19/05/2018 à 11:08, Jacques Le Roux a écrit :
Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:
cerbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
/etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
pass:"theKnownPassword" (not copied here)
I think it should not change the rights to read in /etc/letsencrypt/live (now with fmonlinetester in group) but we should try it manually once and
check. If it does change then we will need to re-add fmonlinetester in the group at end of cert-renew.sh. I crossed this read issue before as
jleroux user, initially the dir was readeable w/o sudo and then not. Not sure if it's certbot or openssl which did that in my case.
Also I don't think we need to care about change in /etc/letsencrypt/live/try.freemarker.apache.org/ If they are no change certificate.p12 will be
the same, no worries.
I think we should not show the "theKnownPassword" in the wiki page...
What do you think?
Jacques
Le 19/05/2018 à 10:32, Daniel Dekany a écrit :
Now https works, and only the cron job and documenting things on the
cwiki is missing (the copy-paste cron script mostly, I guess).
Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
When I read the content in my local Git repo it's commented out. I guess I
should manually change it on the VM and restart the app with Gradle?
As it's a bit late already, I let you handle this last part ;)
OK I remember now that you documented the app restart at
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
I'll do so now and will have a look at the code change for the renew
Jacques
I have just changed the file according to my previous message, ie modified to
keyStorePath: /etc/letsencrypt/live/certificate.p12
keyStorePassword: HTTPDisUnnecessary
and also while at it (not sure we want that)
validateCerts: true
But after setting the iptables for 443-8443 (v4 and v6), saving the
change and restarting the app it did not work:
May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
May 17 11:52:10 freemarker-vm java[14009]:
MultiException[java.lang.IllegalStateException: no valid keystore,
java.lang.IllegalStateException: no
That was because the service had no right to read the parent directory
of the p12 file. (Yeah, that error message is not very helpful...) I
have fixed that. So now the only problem we have what I said in the
other mail. And we will need the cron script... or maybe a systemd
timer unit instead.
valid keystore, java.util.concurrent.RejectedExecutionException:
org.eclipse.jetty.io.Manag
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.server.Server.doStart(Server.java:382)
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.Cli.run(Cli.java:78)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.Application.run(Application.java:93)
May 17 11:52:10 freemarker-vm java[14009]: at
org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
So I commented out the HTTPS part
# # FOR PRODUCTION:
# - type: https
# port: 8443
# keyStorePath: /etc/letsencrypt/live/certificate.p12
# keyStoreType: PKCS12
# keyStorePassword: HTTPDisUnnecessary
# validateCerts: true
and restarted the app
Now http://try.freemarker.org/ works again, but no longer
http://try.freemarker.apache.org/ which is redirected to
https://try.freemarker.apache.org/
I don't understand the redirect. Does have this changed before my change? I
don't know.
I have double-checked, thought I have not reverted the config yet, HTTPD is no
longer working.
Maybe it's due to the certificate (created for a.o) but I can't see
how DropWizard would now relate to it, since
keyStorePath: /etc/letsencrypt/live/certificate.p12
and the whole HTTPS block, is commented out :/
I'll get back to that later...
Jacques
