Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:

certbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 \
  -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem \
  -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem \
  -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem \
  -pass pass:"theKnownPassword" (not copied here)


I think it should not change the rights to read in /etc/letsencrypt/live (now with fmonlinetester in group) but we should try it manually once and 
check. If it does change then we will need to re-add fmonlinetester in the group at end of cert-renew.sh. I crossed this read issue before as jleroux 
user, initially the dir was readable w/o sudo and then not. Not sure if it's certbot or openssl which did that in my case.


Also I don't think we need to care about change in /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no change certificate.p12 will be the 
same, no worries.


I think we should not show the "theKnownPassword" in the wiki page...

What do you think?

Jacques


Le 19/05/2018 à 10:32, Daniel Dekany a écrit :

Now https works, and only the cron job and documenting things on the
cwiki is missing (the copy-paste cron script mostly, I guess).


Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:


Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:


Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :

Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :

When I read the content in my local Git repo it's commented out. I guess I 
should manually change it on the VM and restart the app with Gradle?

As it's a bit late already, I let you handle this last part ;)

OK I remember now that you documented the app restart at
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
I'll do so now and will have a look at the code change for the renew

Jacques


I have just changed the file according to my previous message, ie modified to
      keyStorePath: /etc/letsencrypt/live/certificate.p12
      keyStorePassword: HTTPDisUnnecessary
and also while at it (not sure we want that)
      validateCerts: true

But after setting the iptables for 443-8443 (v4 and v6), saving the
change and restarting the app it did not work:

May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
May 17 11:52:10 freemarker-vm java[14009]:
MultiException[java.lang.IllegalStateException: no valid keystore,
java.lang.IllegalStateException: no

That was because the service had no right to read the parent directory
of the p12 file. (Yeah, that error message is not very helpful...) I
have fixed that. So now the only problem we have what I said in the
other mail. And we will need the cron script... or maybe a systemd
timer unit instead.


valid keystore, java.util.concurrent.RejectedExecutionException: 
org.eclipse.jetty.io.Manag
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.server.Server.doStart(Server.java:382)
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.Cli.run(Cli.java:78)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.Application.run(Application.java:93)
May 17 11:52:10 freemarker-vm java[14009]: at
org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)

So I commented out the HTTPS part
      #  # FOR PRODUCTION:
      #  - type: https
      #    port: 8443
      #    keyStorePath: /etc/letsencrypt/live/certificate.p12
      #    keyStoreType: PKCS12
      #    keyStorePassword: HTTPDisUnnecessary
      #    validateCerts: true
and restarted the app

Now http://try.freemarker.org/ works again, but no longer
http://try.freemarker.apache.org/ which is redirected to
https://try.freemarker.apache.org/
I don't understand the redirect. Had this changed before my change? I 
don't know.
I have double-checked, though I have not reverted the config yet, HTTPD is no 
longer working.
Maybe it's due to the certificate (created for a.o) but I can't see
how DropWizard would now relate to it, since
      keyStorePath: /etc/letsencrypt/live/certificate.p12
and the whole HTTPS block, is commented out :/

I'll get back to that later...

Jacques






Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

> Inline...
>
> Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>
>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, 
>>> content:
>>>
>>> certbot renew
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>> pass:"theKnownPassword" (not copied here)
>> Though you have posted that password to this mailing list anyway... ;)
> Yes indeed, just once, but you're right I should have used private :/
> Anyway we should change it and keep the new one in a specific file
> at https://svn.apache.org/repos/private/pmc/freemarker
>
>>> I think it should not change the rights to read in
>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>> It would be surprising if it changes it.
> Yep, just got surprisingly bitten once, so...
>
>>
>>> but we should try it manually once and check.
>>>
>>> If it does change then we will need to re-add fmonlinetester
>>> in the group at end of cert-renew.sh. I crossed this read issue before as 
>>> jleroux
>>> user, initially the dir was readable w/o sudo and then not. Not
>>> sure if it's certbot or openssl which did that in my case.
>>>
>>> Also I don't think we need to care about change in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
>>> change certificate.p12 will be the
>>> same, no worries.
>> Of course. It will need to issue that SSL cert reloading curl command
>> though.
> Ah indeed
>
> localhost:8081/tasks/reload-ssl
>
>
>>> I think we should not show the "theKnownPassword" in the wiki page...
>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>> or private key one has to pawn the server anyway... and then he finds
>> the password too.)
> I think https://svn.apache.org/repos/private/pmc/freemarker better fits for 
> all private things
> For instance the cron job copy and all the rest. And simply refer to private 
> things from the wiki

For try.freemarker these security things don't matter much, but in
general, such a repo is not a good place to store security related
sensitive files. People just check it out, and it will be on the
HDD/SSD unencrypted for ever... then the notebook gets stolen or such.

>> Are there any Let's Encrypt related credentials we should be aware of
>> (in case you become unavailable)?
> Nope, I used only the temporary secret password everywhere and IIRW
> it was only when creating the cert from .pem files.
>
>> I think "Enter email address (used for urgent renewal and security
>> notices)" should be priv...@freemarker.apache.org.
> I agree! I used mine so far. To be changed like the cert password
> Will you handle the job creation and the doc?

OK, I will then.

> Have a good weekend
>
> Jacques
>

-- 
Thanks,
 Daniel Dekany
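Putting the cert-renew.sh quoted above together with the points raised in this exchange (the password on the command line and in the wiki, the group/traversal rights under /etc/letsencrypt/live that produced "no valid keystore", and the reload-ssl task), here is an added example of how such a renewal script could look. It is not the script from the thread: the PASS_FILE path and the "renew" argument are assumptions, the other paths and names are the ones discussed above.

```shell
#!/bin/sh
# Added example, not the thread's cert-renew.sh. Same certbot + openssl pkcs12
# steps, but: the PKCS#12 password is read from a root-only file (never on the
# command line or in the wiki), the keystore is readable only by root and the
# service group, the parent directories are checked for the traversal problem
# behind "no valid keystore", and the Dropwizard reload-ssl task is called.
# PASS_FILE and the "renew" argument are assumptions; other names are from the thread.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/try.freemarker.apache.org}"
P12_OUT="${P12_OUT:-/etc/letsencrypt/live/certificate.p12}"
PASS_FILE="${PASS_FILE:-/etc/letsencrypt/p12-password}"   # assumed; root-only, 0600
SERVICE_GROUP="${SERVICE_GROUP:-fmonlinetester}"
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# Print every ancestor directory of $1 that neither group nor others may
# traverse (no execute bit), which is what keeps a non-root service from
# opening a keystore whose own mode looks fine. No output means all is well.
untraversable_parents() {
  dir=$(dirname -- "$1")
  while [ "$dir" != "/" ] && [ -n "$dir" ]; do
    sym=$(stat -c '%A' -- "$dir")           # e.g. drwxr-x---
    gx=$(printf '%s' "$sym" | cut -c7)      # group execute position
    ox=$(printf '%s' "$sym" | cut -c10)     # other execute position
    case "$gx$ox" in
      *x*|*s*|*t*) ;;                       # traversable by group or others
      *) printf '%s\n' "$dir" ;;
    esac
    dir=$(dirname -- "$dir")
  done
}

export_p12() {
  umask 077                                 # never create anything world-readable
  openssl pkcs12 -export -out "$P12_OUT" \
    -inkey "$LIVE_DIR/privkey.pem" -in "$LIVE_DIR/cert.pem" \
    -certfile "$LIVE_DIR/chain.pem" -passout "file:$PASS_FILE"
  chown "root:$SERVICE_GROUP" "$P12_OUT"    # the service reads it through its group
  chmod 0640 "$P12_OUT"
}

renew() {
  certbot renew --quiet
  export_p12
  bad=$(untraversable_parents "$P12_OUT")
  if [ -n "$bad" ]; then
    printf 'warning: group %s cannot traverse:\n%s\n' "$SERVICE_GROUP" "$bad" >&2
  fi
  curl -fsS -X POST "$RELOAD_URL"           # Dropwizard tasks are triggered by POST
}

# Cron entry: cert-renew.sh renew. Without the argument only the functions are
# defined, so untraversable_parents can be exercised on its own.
if [ "${1:-}" = renew ]; then renew; fi
```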



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:

> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, 
> content:
>
> certbot renew
> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
> pass:"theKnownPassword" (not copied here)

Though you have posted that password to this mailing list anyway... ;)

> I think it should not change the rights to read in
> /etc/letsencrypt/live (now with fmonlinetester in group)

It would be surprising if it changes it.

> but we should try it manually once and check.
>
> If it does change then we will need to re-add fmonlinetester
> in the group at end of cert-renew.sh. I crossed this read issue before as 
> jleroux
> user, initially the dir was readable w/o sudo and then not. Not
> sure if it's certbot or openssl which did that in my case.
>
> Also I don't think we need to care about change in
> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
> change certificate.p12 will be the 
> same, no worries.

Of course. It will need to issue that SSL cert reloading curl command
though.

> I think we should not show the "theKnownPassword" in the wiki page...

Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
or private key one has to pawn the server anyway... and then he finds
the password too.)

Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?

I think "Enter email address (used for urgent renewal and security
notices)" should be priv...@freemarker.apache.org.

> What do you think?
>
> Jacques
>
>
> Le 19/05/2018 à 10:32, Daniel Dekany a écrit :
>> Now https works, and only the cron job and documenting things on the
>> cwiki is missing (the copy-paste cron script mostly, I guess).
>>
>>
>> Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
>>
>>> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>>>
>>>> Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
>>>>> Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
>>>>>> When I read the content in my local Git repo it's commented out. I guess 
>>>>>> I should manually change it on the VM and restart the app with Gradle?
>>>>>>
>>>>>> As it's a bit late already, I let you handle this last part ;)
>>>>> OK I remember now that you documented the app restart at
>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>> I'll do so now and will have a look at the code change for the renew
>>>>>
>>>>> Jacques
>>>>>
>>>> I have just changed the file according to my previous message, ie modified 
>>>> to
>>>>       keyStorePath: /etc/letsencrypt/live/certificate.p12
>>>>       keyStorePassword: HTTPDisUnnecessary
>>>> and also while at it (not sure we want that)
>>>>       validateCerts: true
>>>>
>>>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>>>> change and restarting the app it did not work:
>>>>
>>>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>>>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>>>> May 17 11:52:10 freemarker-vm java[14009]:
>>>> MultiException[java.lang.IllegalStateException: no valid keystore,
>>>> java.lang.IllegalStateException: no
>>> That was because the service had no right to read the parent directory
>>> of the p12 file. (Yeah, that error message is not very helpful...) I
>>> have fixed that. So now the only problem we have what I said in the
>>> other mail. And we will need the cron script... or maybe a systemd
>>> timer unit instead.
>>>
>>>> valid keystore, java.util.concurrent.RejectedExecutionException: 
>>>> org.eclipse.jetty.io.Manag
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> org.eclipse.jetty.server.Server.doStart(Server.java:382)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> io.dropwizard.cli.Cli.run(Cli.java:78)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> io.dropwizard.Application.run(Application.java:93)
>>>> May 17 11:52:10 freemarker-vm java[14009]: at
>>>> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>>>
>>>> So I commented out the HTTPS part

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Now https works, and only the cron job and documenting things on the
cwiki is missing (the copy-paste cron script mostly, I guess).


Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:

> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>
>> Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
>>> Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
>>>> When I read the content in my local Git repo it's commented out. I guess I 
>>>> should manually change it on the VM and restart the app with Gradle?
>>>>
>>>> As it's a bit late already, I let you handle this last part ;)
>>> OK I remember now that you documented the app restart at
>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>> I'll do so now and will have a look at the code change for the renew
>>>
>>> Jacques
>>>
>> I have just changed the file according to my previous message, ie modified to
>>      keyStorePath: /etc/letsencrypt/live/certificate.p12
>>      keyStorePassword: HTTPDisUnnecessary
>> and also while at it (not sure we want that)
>>      validateCerts: true
>>
>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>> change and restarting the app it did not work:
>>
>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>> May 17 11:52:10 freemarker-vm java[14009]:
>> MultiException[java.lang.IllegalStateException: no valid keystore,
>> java.lang.IllegalStateException: no
>
> That was because the service had no right to read the parent directory
> of the p12 file. (Yeah, that error message is not very helpful...) I
> have fixed that. So now the only problem we have what I said in the
> other mail. And we will need the cron script... or maybe a systemd
> timer unit instead.
>
>> valid keystore, java.util.concurrent.RejectedExecutionException: 
>> org.eclipse.jetty.io.Manag
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> org.eclipse.jetty.server.Server.doStart(Server.java:382)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.Cli.run(Cli.java:78)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.Application.run(Application.java:93)
>> May 17 11:52:10 freemarker-vm java[14009]: at 
>> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>
>> So I commented out the HTTPS part
>>      #  # FOR PRODUCTION:
>>      #  - type: https
>>      #    port: 8443
>>      #    keyStorePath: /etc/letsencrypt/live/certificate.p12
>>      #    keyStoreType: PKCS12
>>      #    keyStorePassword: HTTPDisUnnecessary
>>      #    validateCerts: true
>> and restarted the app
>>
>> Now http://try.freemarker.org/ works again, but no longer
>> http://try.freemarker.apache.org/ which is redirected to
>> https://try.freemarker.apache.org/
>> I don't understand the redirect. Had this changed before my change? I 
>> don't know.
>> I have double-checked, though I have not reverted the config yet, HTTPD is 
>> no longer working.
>> Maybe it's due to the certificate (created for a.o) but I can't see
>> how DropWizard would now relate to it, since
>>      keyStorePath: /etc/letsencrypt/live/certificate.p12
>> and the whole HTTPS block, is commented out :/
>>
>> I'll get back to that later...
>>
>> Jacques
>>
>>
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Le 19/05/2018 à 14:16, Daniel Dekany a écrit :

I think https://svn.apache.org/repos/private/pmc/freemarker better fits for all 
private things
For instance the cron job copy and all the rest. And simply refer to private 
things from the wiki

For try.freemarker these security things don't matter much, but in
general, such a repo is not a good place to store security related
sensitive files. People just check it out, and it will be on the
HDD/SSD unencrypted for ever... then the notebook gets stolen or such.


What would you suggest then?

Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Le 19/05/2018 à 12:04, Daniel Dekany a écrit :

Saturday, May 19, 2018, 11:53:04 AM, Jacques Le Roux wrote:


Ah, not a big deal, but should we not restrict read (640) on
/opt/fmonlinetester/etc/freemarker-online.yml ?

It contains the cert secret key...

Sure, go ahead.


Done, I have also removed all the HTTPD config

Jacques