Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-06-13 Thread Jacques Le Roux

Le 12/06/2018 à 21:43, Daniel Dekany a écrit :

Tuesday, June 12, 2018, 7:48:13 PM, Jacques Le Roux wrote:

[snip]

OK thanks, indeed
sudo curl -X POST http://localhost:8081/tasks/reload-ssl
works :)

All is ready and working manually. I will just check the
/var/log/fmonlinetester/letsencrypt.log tomorrow morning. I use the cron line:
0 0 * * * /opt/fmonlinetester/var/cert-renew.sh > /var/log/fmonlinetester/letsencrypt.log

Great, thanks!

A small thing though. Scripts should be in bin, not var. And if you
are there anyway, AFAIR I have made /opt/fmonlinetester/var/log (which
links to /var/log/fmonlinetester), in which case it's better to use
that path.


OK, I have done the changes you suggested. The cron job works as expected and 
puts results in log.
I also set MAILTO to priv...@freemarker.apache.org, not sure it's a good idea.
Could be, in case of issues.

Jacques
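A hardened variant of the cert-renew.sh cron job discussed across this thread (certbot renew, PKCS#12 export, permission check for the service user, POST to reload-ssl), written here as an added example and not the script deployed on the FreeMarker VM. The live directory, p12 path and reload URL are the ones quoted in the thread; the password-file path, the service group name and the `--run` guard are assumptions.

```sh
#!/bin/sh
# Hardened cert-renew.sh: added example, not the script deployed on the FreeMarker VM.
# Assumed: the live dir, p12 path and reload URL quoted in the thread; the service
# group name; a root-only 0600 password file (hypothetical path) instead of the
# password on the openssl command line; and a --run guard so sourcing has no side effects.
set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/try.freemarker.apache.org}"
P12_OUT="${P12_OUT:-/etc/letsencrypt/live/certificate.p12}"
P12_PASS_FILE="${P12_PASS_FILE:-/root/.p12-password}"      # hypothetical, chmod 0600
SERVICE_GROUP="${SERVICE_GROUP:-fmonlinetester}"          # group the service user is in
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"; }

# Octal permission string of a path, e.g. "750" (GNU/busybox stat, Linux).
file_mode() { stat -c '%a' "$1"; }

# 0 if the group digit of an octal mode string has the read bit (4, 5, 6 or 7).
# Jetty runs as the service user, so /etc/letsencrypt/live and the p12 must stay
# group-readable; this is the post-renewal check the thread asked for.
mode_group_read() {
    rest=${1%?}                     # drop the "other" digit
    case ${rest#"${rest%?}"} in     # last remaining digit is the group digit
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if "other" has any permission bit set; key material must never be world-accessible.
mode_world_open() {
    case ${1#"${1%?}"} in 0) return 1 ;; *) return 0 ;; esac
}

# 0 if the keystore must be (re)built: it is missing or older than the renewed cert.
# certbot renew leaves cert.pem untouched when nothing was renewed, so the p12
# stays unchanged too, as noted in the thread.
needs_export() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# Re-pack the Let's Encrypt PEM files into the PKCS#12 keystore Dropwizard loads.
# -passout file: reads the password from a root-only file, so it shows up neither
# in `ps` output, nor in the cron log, nor in a pasted command.
export_p12() {
    openssl pkcs12 -export -out "$P12_OUT" \
        -inkey "$LIVE_DIR/privkey.pem" -in "$LIVE_DIR/cert.pem" \
        -certfile "$LIVE_DIR/chain.pem" -passout "file:$P12_PASS_FILE"
}

# Live dir traversable/readable by the service group only; keystore group-readable.
fix_perms() {
    chgrp "$SERVICE_GROUP" /etc/letsencrypt/live "$P12_OUT" &&
    chmod 750 /etc/letsencrypt/live &&
    chmod 640 "$P12_OUT"
}

# Hot-reload the certificate. The admin task is POST-only (GET returns 405) and the
# admin port speaks plain HTTP (an https:// URL fails the TLS handshake).
reload_ssl() {
    curl -fsS -X POST "$RELOAD_URL" >/dev/null
}

main() {
    certbot renew --quiet || { log "certbot renew failed"; return 1; }
    if needs_export "$LIVE_DIR/cert.pem" "$P12_OUT"; then
        export_p12 && fix_perms && reload_ssl && log "keystore rebuilt and reloaded" \
            || log "ERROR: export, permission or reload step failed"
    else
        log "certificate unchanged, keystore kept"
    fi
    m=$(file_mode /etc/letsencrypt/live)
    mode_group_read "$m" || log "WARNING: /etc/letsencrypt/live is $m, service cannot read it"
    mode_world_open "$(file_mode "$P12_OUT")" && log "WARNING: $P12_OUT is world-accessible"
    return 0
}

# Cron line (as in the thread, script moved to bin as suggested):
#   0 0 * * * /opt/fmonlinetester/bin/cert-renew.sh --run >> /opt/fmonlinetester/var/log/letsencrypt.log 2>&1
if [ "${1:-}" = "--run" ]; then main; fi
```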


Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-06-12 Thread Jacques Le Roux

Hi Daniel,

It's done with an update of the wiki page 
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

But I faced an issue with the cron job, this command:

jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl https://localhost:8081/tasks/reload-ssl
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

I also tried HTTP, no protocol and both (//) to no avail so far. I don't know
what I'm missing, if I'm missing something.

jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl localhost:8081/tasks/reload-ssl

Error 405 Method Not Allowed

HTTP ERROR 405
Problem accessing /tasks/reload-ssl. Reason:
    Method Not Allowed

Jacques


Le 09/06/2018 à 14:31, Jacques Le Roux a écrit :

Yes, I'll take care of that

Thanks for the reminder :)

Jacques


Le 09/06/2018 à 11:26, Daniel Dekany a écrit :

You have intended to do these, to my understanding. You still plan to?


Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:


Inline...

Le 19/05/2018 à 12:02, Daniel Dekany a écrit :

Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:


Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:

certbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 \
  -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem \
  -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem \
  -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem \
  -pass pass:"theKnownPassword" (not copied here)

Though you have posted that password to this mailing list anyway... ;)

Yes indeed, just once, but you're right I should have used private :/
Anyway we should change it and keep the new one in a specific file
at https://svn.apache.org/repos/private/pmc/freemarker


I think it should not change the rights to read in
/etc/letsencrypt/live (now with fmonlinetester in group)

It would be surprising if it changes it.

Yep, just got surprisingly bitten once, so...


but we should try it manually once and check.

If it does change then we will need to re-add fmonlinetester
in the group at the end of cert-renew.sh. I ran into this read issue before as the
jleroux user: initially the dir was readable w/o sudo and then not. Not
sure if it's certbot or openssl which did that in my case.

Also I don't think we need to care about changes in
/etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
change, certificate.p12 will be the same, no worries.

Of course. It will need to issue that SSL cert reloading curl command
though.

Ah indeed

localhost:8081/tasks/reload-ssl



I think we should not show the "theKnownPassword" in the wiki page...

Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
or private key one has to pwn the server anyway... and then he finds
the password too.)

I think https://svn.apache.org/repos/private/pmc/freemarker fits better for all
private things, for instance the cron job copy and all the rest. And simply refer to private
things from the wiki.


Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?

Nope, I used only the temporary secret password everywhere and IIRW
it was only when creating the cert from .pem files.


I think "Enter email address (used for urgent renewal and security
notices)" should be priv...@freemarker.apache.org.

I agree! I used mine so far. To be changed like the cert password.
Will you handle the job creation and the doc?

Have a good weekend

Jacques








Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-06-09 Thread Daniel Dekany
You have intended to do these, to my understanding. You still plan to?


Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

> Inline...
>
> Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>
>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, 
>>> content:
>>>
>>> certbot renew
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>> pass:"theKnownPassword" (not copied here)
>> Though you have posted that password to this mailing list anyway... ;)
> Yes indeed, just once, but you're right I should have used private :/
> Anyway we should change it and keep the new one in a specific file
> at https://svn.apache.org/repos/private/pmc/freemarker
>
>>> I think it should not change the rights to read in
>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>> It would be surprising if it changes it.
> Yep, just got surprisingly bitten once, so...
>
>>
>>> but we should try it manually once and check.
>>>
>>> If it does change then we will need to re-add fmonlinetester
>>> in the group at the end of cert-renew.sh. I ran into this read issue before as the
>>> jleroux user: initially the dir was readable w/o sudo and then not. Not
>>> sure if it's certbot or openssl which did that in my case.
>>>
>>> Also I don't think we need to care about changes in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
>>> change, certificate.p12 will be the same, no worries.
>> Of course. It will need to issue that SSL cert reloading curl command
>> though.
> Ah indeed
>
> localhost:8081/tasks/reload-ssl
>
>
>>> I think we should not show the "theKnownPassword" in the wiki page...
>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>> or private key one has to pwn the server anyway... and then he finds
>> the password too.)
> I think https://svn.apache.org/repos/private/pmc/freemarker fits better for
> all private things, for instance the cron job copy and all the rest. And simply refer to private
> things from the wiki.
>
>> Are there any Let's Encrypt related credentials we should be aware of
>> (in case you become unavailable)?
> Nope, I used only the temporary secret password everywhere and IIRW
> it was only when creating the cert from .pem files.
>
>> I think "Enter email address (used for urgent renewal and security
>> notices)" should be priv...@freemarker.apache.org.
> I agree! I used mine so far. To be changed like the cert password.
> Will you handle the job creation and the doc?
>
> Have a good weekend
>
> Jacques
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Le 19/05/2018 à 12:04, Daniel Dekany a écrit :

Saturday, May 19, 2018, 11:53:04 AM, Jacques Le Roux wrote:


Ah, not a big deal, but should we not restrict read (640) on
/opt/fmonlinetester/etc/freemarker-online.yml ?

It contains the cert secret key...

Sure, go ahead.


Done, I have also removed all the HTTPD config

Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Le 19/05/2018 à 14:16, Daniel Dekany a écrit :

I think https://svn.apache.org/repos/private/pmc/freemarker fits better for all
private things, for instance the cron job copy and all the rest. And simply refer to private
things from the wiki.

For try.freemarker these security things don't matter much, but in
general, such a repo is not a good place to store security-related
sensitive files. People just check it out, and it will be on the
HDD/SSD unencrypted forever... then the notebook gets stolen or such.


What would you suggest then?

Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

> Inline...
>
> Le 19/05/2018 à 12:02, Daniel Dekany a écrit :
>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>
>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, 
>>> content:
>>>
>>> certbot renew
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>> pass:"theKnownPassword" (not copied here)
>> Though you have posted that password to this mailing list anyway... ;)
> Yes indeed, just once, but you're right I should have used private :/
> Anyway we should change it and keep the new one in a specific file
> at https://svn.apache.org/repos/private/pmc/freemarker
>
>>> I think it should not change the rights to read in
>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>> It would be surprising if it changes it.
> Yep, just got surprisingly bitten once, so...
>
>>
>>> but we should try it manually once and check.
>>>
>>> If it does change then we will need to re-add fmonlinetester
>>> in the group at the end of cert-renew.sh. I ran into this read issue before as the
>>> jleroux user: initially the dir was readable w/o sudo and then not. Not
>>> sure if it's certbot or openssl which did that in my case.
>>>
>>> Also I don't think we need to care about changes in
>>> /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
>>> change, certificate.p12 will be the same, no worries.
>> Of course. It will need to issue that SSL cert reloading curl command
>> though.
> Ah indeed
>
> localhost:8081/tasks/reload-ssl
>
>
>>> I think we should not show the "theKnownPassword" in the wiki page...
>> Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
>> or private key one has to pwn the server anyway... and then he finds
>> the password too.)
> I think https://svn.apache.org/repos/private/pmc/freemarker fits better for
> all private things, for instance the cron job copy and all the rest. And simply refer to private
> things from the wiki.

For try.freemarker these security things don't matter much, but in
general, such a repo is not a good place to store security-related
sensitive files. People just check it out, and it will be on the
HDD/SSD unencrypted forever... then the notebook gets stolen or such.

>> Are there any Let's Encrypt related credentials we should be aware of
>> (in case you become unavailable)?
> Nope, I used only the temporary secret password everywhere and IIRW
> it was only when creating the cert from .pem files.
>
>> I think "Enter email address (used for urgent renewal and security
>> notices)" should be priv...@freemarker.apache.org.
> I agree! I used mine so far. To be changed like the cert password.
> Will you handle the job creation and the doc?

OK, I will then.

> Have a good weekend
>
> Jacques
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:

> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, 
> content:
>
> certbot renew
> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
> pass:"theKnownPassword" (not copied here)

Though you have posted that password to this mailing list anyway... ;)

> I think it should not change the rights to read in
> /etc/letsencrypt/live (now with fmonlinetester in group)

It would be surprising if it changes it.

> but we should try it manually once and check.
>
> If it does change then we will need to re-add fmonlinetester
> in the group at the end of cert-renew.sh. I ran into this read issue before as the
> jleroux user: initially the dir was readable w/o sudo and then not. Not
> sure if it's certbot or openssl which did that in my case.
>
> Also I don't think we need to care about changes in
> /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
> change, certificate.p12 will be the same, no worries.

Of course. It will need to issue that SSL cert reloading curl command
though.

> I think we should not show the "theKnownPassword" in the wiki page...

Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
or private key one has to pwn the server anyway... and then he finds
the password too.)

Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?

I think "Enter email address (used for urgent renewal and security
notices)" should be priv...@freemarker.apache.org.

> What do you think?
>
> Jacques
>
>
> Le 19/05/2018 à 10:32, Daniel Dekany a écrit :
>> Now https works, and only the cron job and documenting things on the
>> cwiki is missing (the copy-paste cron script mostly, I guess).
>>
>>
>> Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:
>>
>>> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>>>
 Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
> Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
>> When I read the content in my local Git repo it's commented out. I guess 
>> I should manually change it on the VM and restart the app with Gradle?
>>
>> As it's a bit late already, I let you handle this last part ;)
> OK I remember now that you documented the app restart at
> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
> I'll do so now and will have a look at the code change for the renew
>
> Jacques
>
 I have just changed the file according to my previous message, i.e. modified to
       keyStorePath: /etc/letsencrypt/live/certificate.p12
       keyStorePassword: HTTPDisUnnecessary
 and also while at it (not sure we want that)
       validateCerts: true

 But after setting the iptables for 443-8443 (v4 and v6), saving the
 change and restarting the app it did not work:

 May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
 May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
 May 17 11:52:10 freemarker-vm java[14009]:
 MultiException[java.lang.IllegalStateException: no valid keystore,
 java.lang.IllegalStateException: no
>>> That was because the service had no right to read the parent directory
>>> of the p12 file. (Yeah, that error message is not very helpful...) I
>>> have fixed that. So now the only problem we have is what I said in the
>>> other mail. And we will need the cron script... or maybe a systemd
>>> timer unit instead.
>>>
 valid keystore, java.util.concurrent.RejectedExecutionException: 
 org.eclipse.jetty.io.Manag
 May 17 11:52:10 freemarker-vm java[14009]: at
 org.eclipse.jetty.server.Server.doStart(Server.java:382)
 May 17 11:52:10 freemarker-vm java[14009]: at
 org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
 May 17 11:52:10 freemarker-vm java[14009]: at
 io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
 May 17 11:52:10 freemarker-vm java[14009]: at
 io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
 May 17 11:52:10 freemarker-vm java[14009]: at
 io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
 May 17 11:52:10 freemarker-vm java[14009]: at
 io.dropwizard.cli.Cli.run(Cli.java:78)
 May 17 11:52:10 freemarker-vm java[14009]: at
 io.dropwizard.Application.run(Application.java:93)
 May 17 11:52:10 freemarker-vm java[14009]: at
 org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)

 So I commented out the HTTPS part

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Jacques Le Roux

Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:

certbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 \
  -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem \
  -in /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem \
  -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem \
  -pass pass:"theKnownPassword" (not copied here)


I think it should not change the rights to read in /etc/letsencrypt/live (now with fmonlinetester in group) but we should try it manually once and
check. If it does change then we will need to re-add fmonlinetester in the group at the end of cert-renew.sh. I ran into this read issue before as the jleroux
user: initially the dir was readable w/o sudo and then not. Not sure if it's certbot or openssl which did that in my case.


Also I don't think we need to care about changes in /etc/letsencrypt/live/try.freemarker.apache.org/. If there is no change, certificate.p12 will be the
same, no worries.


I think we should not show the "theKnownPassword" in the wiki page...

What do you think?

Jacques


Le 19/05/2018 à 10:32, Daniel Dekany a écrit :

Now https works, and only the cron job and documenting things on the
cwiki is missing (the copy-paste cron script mostly, I guess).


Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:


Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:


Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :

Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :

When I read the content in my local Git repo it's commented out. I guess I 
should manually change it on the VM and restart the app with Gradle?

As it's a bit late already, I let you handle this last part ;)

OK I remember now that you documented the app restart at
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
I'll do so now and will have a look at the code change for the renew

Jacques


I have just changed the file according to my previous message, i.e. modified to
      keyStorePath: /etc/letsencrypt/live/certificate.p12
      keyStorePassword: HTTPDisUnnecessary
and also while at it (not sure we want that)
      validateCerts: true

But after setting the iptables for 443-8443 (v4 and v6), saving the
change and restarting the app it did not work:

May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
May 17 11:52:10 freemarker-vm java[14009]:
MultiException[java.lang.IllegalStateException: no valid keystore,
java.lang.IllegalStateException: no

That was because the service had no right to read the parent directory
of the p12 file. (Yeah, that error message is not very helpful...) I
have fixed that. So now the only problem we have is what I said in the
other mail. And we will need the cron script... or maybe a systemd
timer unit instead.


valid keystore, java.util.concurrent.RejectedExecutionException: 
org.eclipse.jetty.io.Manag
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.server.Server.doStart(Server.java:382)
May 17 11:52:10 freemarker-vm java[14009]: at
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.cli.Cli.run(Cli.java:78)
May 17 11:52:10 freemarker-vm java[14009]: at
io.dropwizard.Application.run(Application.java:93)
May 17 11:52:10 freemarker-vm java[14009]: at
org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)

So I commented out the HTTPS part
      #  # FOR PRODUCTION:
      #  - type: https
      #    port: 8443
      #    keyStorePath: /etc/letsencrypt/live/certificate.p12
      #    keyStoreType: PKCS12
      #    keyStorePassword: HTTPDisUnnecessary
      #    validateCerts: true
and restarted the app

Now http://try.freemarker.org/ works again, but no longer
http://try.freemarker.apache.org/ which is redirected to
https://try.freemarker.apache.org/
I don't understand the redirect. Had this changed before my change? I
don't know.
I have double-checked, though I have not reverted the config yet, HTTPD is no
longer working.
Maybe it's due to the certificate (created for a.o) but I can't see
how DropWizard would now relate to it, since
      keyStorePath: /etc/letsencrypt/live/certificate.p12
and the whole HTTPS block, is commented out :/

I'll get back to that later...

Jacques






Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-19 Thread Daniel Dekany
Now https works, and only the cron job and documenting things on the
cwiki is missing (the copy-paste cron script mostly, I guess).


Thursday, May 17, 2018, 7:47:20 PM, Daniel Dekany wrote:

> Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:
>
>> Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
>>> Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
 When I read the content in my local Git repo it's commented out. I guess I 
 should manually change it on the VM and restart the app with Gradle?

 As it's a bit late already, I let you handle this last part ;)
>>> OK I remember now that you documented the app restart at
>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>> I'll do so now and will have a look at the code change for the renew
>>>
>>> Jacques
>>>
>> I have just changed the file according to my previous message, i.e. modified to
>>      keyStorePath: /etc/letsencrypt/live/certificate.p12
>>      keyStorePassword: HTTPDisUnnecessary
>> and also while at it (not sure we want that)
>>      validateCerts: true
>>
>> But after setting the iptables for 443-8443 (v4 and v6), saving the
>> change and restarting the app it did not work:
>>
>> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
>> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
>> May 17 11:52:10 freemarker-vm java[14009]:
>> MultiException[java.lang.IllegalStateException: no valid keystore,
>> java.lang.IllegalStateException: no
>
> That was because the service had no right to read the parent directory
> of the p12 file. (Yeah, that error message is not very helpful...) I
> have fixed that. So now the only problem we have is what I said in the
> other mail. And we will need the cron script... or maybe a systemd
> timer unit instead.
>
>> valid keystore, java.util.concurrent.RejectedExecutionException: 
>> org.eclipse.jetty.io.Manag
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> org.eclipse.jetty.server.Server.doStart(Server.java:382)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.cli.Cli.run(Cli.java:78)
>> May 17 11:52:10 freemarker-vm java[14009]: at
>> io.dropwizard.Application.run(Application.java:93)
>> May 17 11:52:10 freemarker-vm java[14009]: at 
>> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>>
>> So I commented out the HTTPS part
>>      #  # FOR PRODUCTION:
>>      #  - type: https
>>      #    port: 8443
>>      #    keyStorePath: /etc/letsencrypt/live/certificate.p12
>>      #    keyStoreType: PKCS12
>>      #    keyStorePassword: HTTPDisUnnecessary
>>      #    validateCerts: true
>> and restarted the app
>>
>> Now http://try.freemarker.org/ works again, but no longer
>> http://try.freemarker.apache.org/ which is redirected to
>> https://try.freemarker.apache.org/
>> I don't understand the redirect. Had this changed before my change? I
>> don't know.
>> I have double-checked, though I have not reverted the config yet, HTTPD is
>> no longer working.
>> Maybe it's due to the certificate (created for a.o) but I can't see
>> how DropWizard would now relate to it, since
>>      keyStorePath: /etc/letsencrypt/live/certificate.p12
>> and the whole HTTPS block, is commented out :/
>>
>> I'll get back to that later...
>>
>> Jacques
>>
>>
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-17 Thread Daniel Dekany
Thursday, May 17, 2018, 3:05:02 PM, Jacques Le Roux wrote:

> Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :
>> Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :
>>> When I read the content in my local Git repo it's commented out. I guess I 
>>> should manually change it on the VM and restart the app with Gradle?
>>>
>>> As it's a bit late already, I let you handle this last part ;)
>> OK I remember now that you documented the app restart at
>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>> I'll do so now and will have a look at the code change for the renew
>>
>> Jacques
>>
> I have just changed the file according to my previous message, i.e. modified to
>      keyStorePath: /etc/letsencrypt/live/certificate.p12
>      keyStorePassword: HTTPDisUnnecessary
> and also while at it (not sure we want that)
>      validateCerts: true
>
> But after setting the iptables for 443-8443 (v4 and v6), saving the
> change and restarting the app it did not work:
>
> May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
> May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
> May 17 11:52:10 freemarker-vm java[14009]:
> MultiException[java.lang.IllegalStateException: no valid keystore,
> java.lang.IllegalStateException: no

That was because the service had no right to read the parent directory
of the p12 file. (Yeah, that error message is not very helpful...) I
have fixed that. So now the only problem we have is what I said in the
other mail. And we will need the cron script... or maybe a systemd
timer unit instead.

> valid keystore, java.util.concurrent.RejectedExecutionException: 
> org.eclipse.jetty.io.Manag
> May 17 11:52:10 freemarker-vm java[14009]: at
> org.eclipse.jetty.server.Server.doStart(Server.java:382)
> May 17 11:52:10 freemarker-vm java[14009]: at
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> May 17 11:52:10 freemarker-vm java[14009]: at
> io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
> May 17 11:52:10 freemarker-vm java[14009]: at
> io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
> May 17 11:52:10 freemarker-vm java[14009]: at
> io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
> May 17 11:52:10 freemarker-vm java[14009]: at
> io.dropwizard.cli.Cli.run(Cli.java:78)
> May 17 11:52:10 freemarker-vm java[14009]: at
> io.dropwizard.Application.run(Application.java:93)
> May 17 11:52:10 freemarker-vm java[14009]: at 
> org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)
>
> So I commented out the HTTPS part
>      #  # FOR PRODUCTION:
>      #  - type: https
>      #    port: 8443
>      #    keyStorePath: /etc/letsencrypt/live/certificate.p12
>      #    keyStoreType: PKCS12
>      #    keyStorePassword: HTTPDisUnnecessary
>      #    validateCerts: true
> and restarted the app
>
> Now http://try.freemarker.org/ works again, but no longer
> http://try.freemarker.apache.org/ which is redirected to
> https://try.freemarker.apache.org/
> I don't understand the redirect. Had this changed before my change? I
> don't know.
> I have double-checked, though I have not reverted the config yet, HTTPD is
> no longer working.
> Maybe it's due to the certificate (created for a.o) but I can't see
> how DropWizard would now relate to it, since
>      keyStorePath: /etc/letsencrypt/live/certificate.p12
> and the whole HTTPS block, is commented out :/
>
> I'll get back to that later...
>
> Jacques
>
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-17 Thread Daniel Dekany
Wednesday, May 16, 2018, 10:26:52 PM, Jacques Le Roux wrote:

> Hi Daniel,
>
> I guess I should now change
>
> #    keyStorePath: /etc/letsencrypt/live/example.p12
> #    keyStorePassword: secret
> in freemarker-online.yml
>
> to
>
> #    keyStorePath: /etc/letsencrypt/live/certificate.p12
> #    keyStorePassword: theRightPassword ;)
>
> When I read the content in my local Git repo it's commented out. I
> guess I should manually change it on the VM and restart the app with
> Gradle?

Gradle isn't used on the server. It's just an executable jar. But see
in the wiki.

> As it's a bit late already, I let you handle this last part ;)

I did these changes. But, of course, it doesn't work... because port
443 can't be accessed from the Internet for some reason. I have asked
Infra: https://issues.apache.org/jira/browse/INFRA-15775

>
> We still have to look at how to renew the certificate using cron...
>
> Thanks
>
> Jacques
>
>
> Le 16/05/2018 à 21:54, Jacques Le Roux a écrit :
>> Le 16/05/2018 à 21:54, Jacques Le Roux a écrit :
>>> Le 15/05/2018 à 21:58, Daniel Dekany a écrit :
 It's going to be something like

    certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge
>>> Almost, we just needed to add the domains (else it asks for one)
>>>
>>> jleroux@freemarker-vm:~$ sudo certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge -d try.freemarker.apache.org -d try.freemarker.org
>>> Saving debug log to /var/log/letsencrypt/letsencrypt.log
>>> Plugins selected: Authenticator webroot, Installer None
>>> Enter email address (used for urgent renewal and security notices) (Enter 
>>> 'c' to
>>> cancel): jler...@apache.org
>>> Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
>>>
>>> ---
>>> Please read the Terms of Service at
>>> https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
>>> agree in order to register with the ACME server at
>>> https://acme-v01.api.letsencrypt.org/directory
>>> ---
>>> (A)gree/(C)ancel: A
>>>
>>> ---
>>> Would you be willing to share your email address with the Electronic 
>>> Frontier
>>> Foundation, a founding partner of the Let's Encrypt project and the 
>>> non-profit
>>> organization that develops Certbot? We'd like to send you email about EFF 
>>> and
>>> our work to encrypt the web, protect its users and defend digital rights.
>>> ---
>>> (Y)es/(N)o: N
>>> Obtaining a new certificate
>>> Performing the following challenges:
>>> http-01 challenge for try.freemarker.apache.org
>>> http-01 challenge for try.freemarker.org
>>> Using the webroot path /opt/fmonlinetester/var/letsencrypt-acme-challenge 
>>> for all unmatched domains.
>>> Waiting for verification...
>>> Cleaning up challenges
>>>
>>> IMPORTANT NOTES:
>>>  - Congratulations! Your certificate and chain have been saved at:
>>>    /etc/letsencrypt/live/try.freemarker.apache.org/fullchain.pem
>>>    Your key file has been saved at:
>>>    /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem
>>>    Your cert will expire on 2018-08-14. To obtain a new or tweaked
>>>    version of this certificate in the future, simply run certbot
>>>    again. To non-interactively renew *all* of your certificates, run
>>>    "certbot renew"
>>>  - Your account credentials have been saved in your Certbot
>>>    configuration directory at /etc/letsencrypt. You should make a
>>>    secure backup of this folder now. This configuration directory will
>>>    also contain certificates and private keys obtained by Certbot so
>>>    making regular backups of this folder is ideal.
>>>  - If you like Certbot, please consider supporting our work by:
>>>
>>>    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
>>>    Donating to EFF:    https://eff.org/donate-le
>>>
>>> I have then used
>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 -inkey 
>>> /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in 
>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile 
>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem
>>> with pwd in next message
>>> Jacques
>>
>>
>
>

-- 
Thanks,
 Daniel Dekany



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-17 Thread Jacques Le Roux

Le 17/05/2018 à 09:04, Jacques Le Roux a écrit :

Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :

When I read the content in my local Git repo it's commented out. I guess I 
should manually change it on the VM and restart the app with Gradle?

As it's a bit late already, I'll let you handle this last part ;)

OK I remember now that you documented the app restart at
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
I'll do so now and will have a look at the code change for the renew

Jacques


I have just changed the file according to my previous message, i.e. modified to
    keyStorePath: /etc/letsencrypt/live/certificate.p12
    keyStorePassword: HTTPDisUnnecessary
and also while at it (not sure we want that)
    validateCerts: true

But after setting the iptables for 443-8443 (v4 and v6), saving the change and 
restarting the app it did not work:

May 17 11:51:06 freemarker-vm systemd[1]: Stopped FreeMarker Online Tester.
May 17 11:51:06 freemarker-vm systemd[1]: Started FreeMarker Online Tester.
May 17 11:52:10 freemarker-vm java[14009]: MultiException[java.lang.IllegalStateException: no valid keystore, java.lang.IllegalStateException: no 
valid keystore, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.io.Manag

May 17 11:52:10 freemarker-vm java[14009]: at 
org.eclipse.jetty.server.Server.doStart(Server.java:382)
May 17 11:52:10 freemarker-vm java[14009]: at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
May 17 11:52:10 freemarker-vm java[14009]: at 
io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
May 17 11:52:10 freemarker-vm java[14009]: at 
io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
May 17 11:52:10 freemarker-vm java[14009]: at 
io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
May 17 11:52:10 freemarker-vm java[14009]: at 
io.dropwizard.cli.Cli.run(Cli.java:78)
May 17 11:52:10 freemarker-vm java[14009]: at 
io.dropwizard.Application.run(Application.java:93)
May 17 11:52:10 freemarker-vm java[14009]: at 
org.apache.freemarker.onlinetester.dropwizard.FreeMarkerOnlineTester.main(FreeMarkerOnlineTester.java:43)


So I commented out the HTTPS part
    #  # FOR PRODUCTION:
    #  - type: https
    #    port: 8443
    #    keyStorePath: /etc/letsencrypt/live/certificate.p12
    #    keyStoreType: PKCS12
    #    keyStorePassword: HTTPDisUnnecessary
    #    validateCerts: true
and restarted the app

Now http://try.freemarker.org/ works again, but no longer 
http://try.freemarker.apache.org/ which is redirected to 
https://try.freemarker.apache.org/
I don't understand the redirect. Had this changed before my change? I 
don't know.
I have double-checked, and though I have not reverted the config yet, HTTPD is no 
longer working.
Maybe it's due to the certificate (created for a.o) but I can't see how 
DropWizard would now relate to it, since
    keyStorePath: /etc/letsencrypt/live/certificate.p12
and the whole HTTPS block, is commented out :/

I'll get back to that later...

Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-17 Thread Jacques Le Roux

Le 16/05/2018 à 22:26, Jacques Le Roux a écrit :

When I read the content in my local Git repo it's commented out. I guess I 
should manually change it on the VM and restart the app with Gradle?

As it's a bit late already, I'll let you handle this last part ;)

OK I remember now that you documented the app restart at
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
I'll do so now and will have a look at the code change for the renew

Jacques


Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-16 Thread Jacques Le Roux

Hi Daniel,

I guess I should now change

#    keyStorePath: /etc/letsencrypt/live/example.p12
#    keyStorePassword: secret
in freemarker-online.yml

to

#    keyStorePath: /etc/letsencrypt/live/certificate.p12
#    keyStorePassword: theRightPassword ;)

When I read the content in my local Git repo it's commented out. I guess I 
should manually change it on the VM and restart the app with Gradle?

As it's a bit late already, I'll let you handle this last part ;)

We still have to look at how to renew the certificate using cron...

Thanks

Jacques


Le 16/05/2018 à 21:54, Jacques Le Roux a écrit :

Le 16/05/2018 à 21:54, Jacques Le Roux a écrit :

Le 15/05/2018 à 21:58, Daniel Dekany a écrit :

It's going to be something like

   certbot certonly --webroot -w 
/opt/fmonlinetester/var/letsencrypt-acme-challenge

Almost, we just needed to add the domains (else it asks for one)

jleroux@freemarker-vm:~$ sudo certbot certonly --webroot -w /opt/fmonlinetester/var/letsencrypt-acme-challenge -d try.freemarker.apache.org -d 
try.freemarker.org

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): jler...@apache.org
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

---
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
---
(A)gree/(C)ancel: A

---
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
---
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for try.freemarker.apache.org
http-01 challenge for try.freemarker.org
Using the webroot path /opt/fmonlinetester/var/letsencrypt-acme-challenge for 
all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/try.freemarker.apache.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem
   Your cert will expire on 2018-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF:    https://eff.org/donate-le

I have then used
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12 -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in 
/etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem

with pwd in next message
Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-16 Thread Jacques Le Roux

Le 15/05/2018 à 21:58, Daniel Dekany a écrit :

And, don't install httpd now suddenly... that part of the problem is
solved, we don't need it. It's going to be something like

Actually HTTPD is installed by default on all ASF VMs (no surprise, it was 
initially the HTTPD foundation after all ;))
I already stopped it yesterday, so I only have to get back to the default 
config (a very simple one). I'll do that when everything is clear.

Jacques



Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-15 Thread Daniel Dekany
Actually, I have just seen that the challenge directory must be
/.well-known/acme-challenge/, so now it's this:
http://try.freemarker.org/.well-known/acme-challenge/test.txt
http://try.freemarker.apache.org/.well-known/acme-challenge/test.txt
Also, now it doesn't redirect to HTTPS.

And, don't install httpd now suddenly... that part of the problem is
solved, we don't need it. It's going to be something like

  certbot certonly --webroot -w 
/opt/fmonlinetester/var/letsencrypt-acme-challenge


Tuesday, May 15, 2018, 8:43:06 PM, Daniel Dekany wrote:

> OK, so now hopefully it's ready for Let's Encrypt.
>
> In /opt/fmonlinetester/etc/freemarker-online.yml you can see:
>
> - That now it also serves HTTPS, in addition to HTTP.
>   For now it uses /etc/letsencrypt/live/example.p12; it's just an example
>   (I'm not even sure if the directory will be that.)
>
> - Dropwizard will need a standard p12 file. (No need for JKS, though that 
> works
>   as well.)
>
> - /opt/fmonlinetester/var/letsencrypt-verify is served as static
>   content. Try this: http://try.freemarker.org/letsencrypt-verify
>   So that's what certbot will have to overwrite for the verification.
>
> - http://try.apache.freemarker.org/ redirects to
> https://try.apache.freemarker.org/
>   Now that I think about it, I'm not sure if Let's Encrypt will like
>   that during the verification... with our example cert... well,
>   let's hope it does.
>
> When certbot is run by cron (I guess it does), then two extra steps
> will be needed:
>
> 1. Converting to p12 format.
> 2. Trigger SSL certificate reloading with curl (POST to 
> localhost:8081/tasks/reload-ssl)
>
> Examples:
> https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
> https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html
>
> (Again, we don't need to convert the p12 further to jks... the p12 is
> already good.)
>
>
> Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:
>
>> Ugh. OK, I have Googled into how certbot works, and it requires a few
>> things from the HTTP service itself... I will upload a new version of the
>> Dropwizard app that can do those things soon.
>>
>>
>> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>>
>>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>>
 Hi Daniel,

 I have closed INFRA-16498, we can do it locally, Puppet is not used.

 So I will use letsencrypt to create a certificate for the 2 domains
 try.freemarker.org and try.freemarker.apache.org

 At
 https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

 I read that ports 22 and 80 are accessible from the Internet and that Java 
 serves at port 8080.

 As I'm used to it, I want to use HTTPD + AJP with port 443 and
 to replace the iptables redirection with AJP
>>>
>>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>>> application (single runnable jar) with an embedded HTTP server, that
>>> serves everything directly. Well, except that we need the iptables
>>> port redirection as we have no right to bind to ports < 1024... but
>>> that's all.
>>>
 but

  1. Why do we need the port 22?
>>>
>>> For SSH.
>>>
  2. I think we don't need to serve the port 8443 from Java and can
 redirect the port 443 to the port 8080, right? Not sure about that, maybe 
 a change
 in code is needed?
>>>
>>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>>> https on 8443 (I assume), which should correspond to 443 via
>>> iptables.
>>>
  3. I understand (did not check the whole code) that it does not
 use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, 
 right?
>>>
>>> It uses embedded Jetty, but you configure Dropwizard itself:
>>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>>
  4. I read that Grizzly supports AJP[1] but I don't know yet how it
 does, the same way as Tomcat, nothing to add?

 Because when I try to install a letsencrypt certificate with
 certbot as root I can't. Using www-data user (HTTPD default user for User 
 and Group on
 Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)

 certbot --apache

 [... all correct so far]

 Performing the following challenges:
 http-01 challenge for try.freemarker.apache.org
 http-01 challenge for try.freemarker.org
 Waiting for verification...
 Cleaning up challenges
 Failed authorization procedure. try.freemarker.apache.org
 (http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
 authorization ::
 Invalid response from
 http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
  [54.71.67.193]: 404,
 try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
 client lacks sufficient 

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-15 Thread Daniel Dekany
OK, so now hopefully it's ready for Let's Encrypt.

In /opt/fmonlinetester/etc/freemarker-online.yml you can see:

- That now it also serves HTTPS, in addition to HTTP.
  For now it uses /etc/letsencrypt/live/example.p12; it's just an example
  (I'm not even sure if the directory will be that.)

- Dropwizard will need a standard p12 file. (No need for JKS, though that works
  as well.)

- /opt/fmonlinetester/var/letsencrypt-verify is served as static
  content. Try this: http://try.freemarker.org/letsencrypt-verify
  So that's what certbot will have to overwrite for the verification.

- http://try.apache.freemarker.org/ redirects to 
https://try.apache.freemarker.org/
  Now that I think about it, I'm not sure if Let's Encrypt will like
  that during the verification... with our example cert... well,
  let's hope it does.

When certbot is run by cron (I guess it does), then two extra steps
will be needed:

1. Converting to p12 format.
2. Trigger SSL certificate reloading with curl (POST to 
localhost:8081/tasks/reload-ssl)

Examples:
https://nbsoftsolutions.com/blog/dropwizard-1-1-and-lets-encrypt-with-no-downtime
https://danielflower.github.io/2017/04/08/Lets-Encrypt-Certs-with-embedded-Jetty.html

(Again, we don't need to convert the p12 further to jks... the p12 is
already good.)


Tuesday, May 15, 2018, 7:49:44 PM, Daniel Dekany wrote:

> Ugh. OK, I have Googled into how certbot works, and it requires a few
> things from the HTTP service itself... I will upload a new version of the
> Dropwizard app that can do those things soon.
>
>
> Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:
>
>> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>>
>>> Hi Daniel,
>>>
>>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>>
>>> So I will use letsencrypt to create a certificate for the 2 domains
>>> try.freemarker.org and try.freemarker.apache.org
>>>
>>> At
>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>
>>> I read that ports 22 and 80 are accessible from the Internet and that Java 
>>> serves at port 8080.
>>>
>>> As I'm used to it, I want to use HTTPD + AJP with port 443 and
>>> to replace the iptables redirection with AJP
>>
>> There's no AJP or any such mess. It's just a Dropwizard (Java)
>> application (single runnable jar) with an embedded HTTP server, that
>> serves everything directly. Well, except that we need the iptables
>> port redirection as we have no right to bind to ports < 1024... but
>> that's all.
>>
>>> but
>>>
>>>  1. Why do we need the port 22?
>>
>> For SSH.
>>
>>>  2. I think we don't need to serve the port 8443 from Java and can
>>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a 
>>> change
>>> in code is needed?
>>
>> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
>> https on 8443 (I assume), which should correspond to 443 via
>> iptables.
>>
>>>  3. I understand (did not check the whole code) that it does not
>>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, 
>>> right?
>>
>> It uses embedded Jetty, but you configure Dropwizard itself:
>> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>>
>>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>>> does, the same way as Tomcat, nothing to add?
>>>
>>> Because when I try to install a letsencrypt certificate with
>>> certbot as root I can't. Using www-data user (HTTPD default user for User 
>>> and Group on
>>> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>>>
>>> certbot --apache
>>>
>>> [... all correct so far]
>>>
>>> Performing the following challenges:
>>> http-01 challenge for try.freemarker.apache.org
>>> http-01 challenge for try.freemarker.org
>>> Waiting for verification...
>>> Cleaning up challenges
>>> Failed authorization procedure. try.freemarker.apache.org
>>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
>>> authorization ::
>>> Invalid response from
>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>  [54.71.67.193]: 404,
>>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>>> client lacks sufficient authorization :: Invalid response from 
>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>>  [54.71.67.193]: 404
>>>
>>> IMPORTANT NOTES:
>>>   - The following errors were reported by the server:
>>>
>>>     Domain: try.freemarker.apache.org
>>>     Type:   unauthorized
>>>     Detail: Invalid response from
>>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>>     [54.71.67.193]: 404
>>>
>>>     Domain: try.freemarker.org
>>>     Type:   unauthorized
>>>     Detail: Invalid response from
>>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>> 
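
The two extra cron steps described above (convert to p12, then POST to the reload-ssl task), together with the openssl conversion Jacques posted earlier in the thread, as a POSIX sh script. This is an added example, not the project's own cert-renew.sh; it assumes the Let's Encrypt live directory and task path quoted in the thread, plain http:// on the admin port, and an environment variable P12_PASS (an assumed name) holding the keystore password.

```shell
#!/bin/sh
# Added example (not the project's own script): renew with certbot, and only
# when the certificate really changed, bundle it into PKCS12 and ask the
# running Dropwizard app to reload it. Paths and URL are the ones from the
# thread; P12_PASS is an assumed environment variable name.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/try.freemarker.apache.org}"
P12_OUT="${P12_OUT:-/etc/letsencrypt/live/certificate.p12}"
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# SHA-256 of a file, used to tell whether certbot actually replaced the cert.
fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# True (exit 0) when the file's fingerprint differs from the recorded one.
cert_changed() {
    [ "$(fingerprint "$1")" != "$2" ]
}

# Bundle privkey + leaf cert + chain into the PKCS12 file that Dropwizard's
# keyStorePath points at (same inputs as the openssl command in the thread).
# The export password comes from $P12_PASS via "-passout env:", so it never
# shows up on the command line, and umask 077 keeps the file (which holds
# the private key) readable by its owner only.
convert_to_p12() {
    live="$1"; out="$2"
    if [ -z "${P12_PASS:-}" ]; then
        echo "P12_PASS is not set; refusing to write an unprotected keystore" >&2
        return 2
    fi
    export P12_PASS
    (
        umask 077
        openssl pkcs12 -export \
            -inkey "$live/privkey.pem" \
            -in "$live/cert.pem" \
            -certfile "$live/chain.pem" \
            -out "$out" \
            -passout env:P12_PASS
    )
}

# Trigger Dropwizard's reload-ssl task on the admin port (a POST, as the
# thread says). -f makes curl fail on an HTTP error so cron reports it.
reload_ssl() {
    curl -fsS -X POST "$1" >/dev/null
}

# Cron entry point: renew, then deploy only if the certificate changed.
renew_and_deploy() {
    before=$(fingerprint "$LIVE_DIR/fullchain.pem")
    certbot renew --quiet
    if cert_changed "$LIVE_DIR/fullchain.pem" "$before"; then
        convert_to_p12 "$LIVE_DIR" "$P12_OUT"
        reload_ssl "$RELOAD_URL"
        echo "certificate renewed, keystore rebuilt and reloaded"
    else
        echo "certificate unchanged, nothing to reload"
    fi
}

# Only act when invoked as the cron job:  cert-renew.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_and_deploy
fi
```

The cron line then calls the script with the `renew` argument and redirects its output to the log file, as in the thread.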

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-15 Thread Daniel Dekany
Ugh. OK, I have Googled into how certbot works, and it requires a few
things from the HTTP service itself... I will upload a new version of the
Dropwizard app that can do those things soon.


Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:

> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>
>> Hi Daniel,
>>
>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>
>> So I will use letsencrypt to create a certificate for the 2 domains
>> try.freemarker.org and try.freemarker.apache.org
>>
>> At
>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>
>> I read that ports 22 and 80 are accessible from the Internet and that Java 
>> serves at port 8080.
>>
>> As I'm used to it, I want to use HTTPD + AJP with port 443 and
>> to replace the iptables redirection with AJP
>
> There's no AJP or any such mess. It's just a Dropwizard (Java)
> application (single runnable jar) with an embedded HTTP server, that
> serves everything directly. Well, except that we need the iptables
> port redirection as we have no right to bind to ports < 1024... but
> that's all.
>
>> but
>>
>>  1. Why do we need the port 22?
>
> For SSH.
>
>>  2. I think we don't need to serve the port 8443 from Java and can
>> redirect the port 443 to the port 8080, right? Not sure about that, maybe a 
>> change
>> in code is needed?
>
> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
> https on 8443 (I assume), which should correspond to 443 via
> iptables.
>
>>  3. I understand (did not check the whole code) that it does not
>> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, 
>> right?
>
> It uses embedded Jetty, but you configure Dropwizard itself:
> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>
>>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
>> does, the same way as Tomcat, nothing to add?
>>
>> Because when I try to install a letsencrypt certificate with
>> certbot as root I can't. Using www-data user (HTTPD default user for User 
>> and Group on
>> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>>
>> certbot --apache
>>
>> [... all correct so far]
>>
>> Performing the following challenges:
>> http-01 challenge for try.freemarker.apache.org
>> http-01 challenge for try.freemarker.org
>> Waiting for verification...
>> Cleaning up challenges
>> Failed authorization procedure. try.freemarker.apache.org
>> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
>> authorization ::
>> Invalid response from
>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>  [54.71.67.193]: 404,
>> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
>> client lacks sufficient authorization :: Invalid response from 
>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>  [54.71.67.193]: 404
>>
>> IMPORTANT NOTES:
>>   - The following errors were reported by the server:
>>
>>     Domain: try.freemarker.apache.org
>>     Type:   unauthorized
>>     Detail: Invalid response from
>> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>>     [54.71.67.193]: 404
>>
>>     Domain: try.freemarker.org
>>     Type:   unauthorized
>>     Detail: Invalid response from
>> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>>     [54.71.67.193]: 404
>>
>>     To fix these errors, please make sure that your domain name was
>>     entered correctly and the DNS A/ record(s) for that domain
>>     contain(s) the right IP address.
>>
>> [domains are correct and 54.71.67.193 is currently the right IP]
>>
>>   - Your account credentials have been saved in your Certbot
>>     configuration directory at /etc/letsencrypt. You should make a
>>     secure backup of this folder now. This configuration directory will
>>     also contain certificates and private keys obtained by Certbot so
>>     making regular backups of this folder is ideal.
>>
>> [I have removed /etc/letsencrypt; it's of no use as long as
>> the challenges are not successful[2]]
>>
>> Obviously certbot is not able to put the challenge file where it needs.
>>
>> So it seems a change in code is needed? Else what would you suggest?
>
> I have no experience with certbot and all that. But I guess it just
> replaces a certificate file somewhere. That will have to be converted
> to JKS format ("Java Key Store", which is what Jetty or any other Java
> SSL stuff need). Hopefully there's a solution for that on the net...
> if not, we will figure out...
>
>> Jacques
>>
>> [1] https://javaee.github.io/grizzly/ajp.html
>>
>> [2]
>> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>
>>
>> Le 08/05/2018 à 14:25, Jacques Le Roux a écrit :
>>> It's OK now with Chris Lambertus's 

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-15 Thread Daniel Dekany
Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:

> Hi Daniel,
>
> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>
> So I will use letsencrypt to create a certificate for the 2 domains
> try.freemarker.org and try.freemarker.apache.org
>
> At
> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>
> I read that ports 22 and 80 are accessible from the Internet and that Java 
> serves at port 8080.
>
> As I'm used to it, I want to use HTTPD + AJP with port 443 and
> to replace the iptables redirection with AJP

There's no AJP or any such mess. It's just a Dropwizard (Java)
application (single runnable jar) with an embedded HTTP server, that
serves everything directly. Well, except that we need the iptables
port redirection as we have no right to bind to ports < 1024... but
that's all.

> but
>
>  1. Why do we need the port 22?

For SSH.

>  2. I think we don't need to serve the port 8443 from Java and can
> redirect the port 443 to the port 8080, right? Not sure about that, maybe a 
> change
> in code is needed?

No, port 8080 corresponds to port 80. Dropwizard (Java) will serve
https on 8443 (I assume), which should correspond to 443 via
iptables.

>  3. I understand (did not check the whole code) that it does not
> use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, 
> right?

It uses embedded Jetty, but you configure Dropwizard itself:
https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl

>  4. I read that Grizzly supports AJP[1] but I don't know yet how it
> does, the same way as Tomcat, nothing to add?
>
> Because when I try to install a letsencrypt certificate with
> certbot as root I can't. Using www-data user (HTTPD default user for User and 
> Group on
> Debian in apache2.conf) I get: (I also tried fmonlinetester user in case)
>
> certbot --apache
>
> [... all correct so far]
>
> Performing the following challenges:
> http-01 challenge for try.freemarker.apache.org
> http-01 challenge for try.freemarker.org
> Waiting for verification...
> Cleaning up challenges
> Failed authorization procedure. try.freemarker.apache.org
> (http-01): urn:acme:error:unauthorized :: The client lacks sufficient 
> authorization ::
> Invalid response from
> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>  [54.71.67.193]: 404,
> try.freemarker.org (http-01): urn:acme:error:unauthorized :: The
> client lacks sufficient authorization :: Invalid response from 
> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>  [54.71.67.193]: 404
>
> IMPORTANT NOTES:
>   - The following errors were reported by the server:
>
>     Domain: try.freemarker.apache.org
>     Type:   unauthorized
>     Detail: Invalid response from
> http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI
>     [54.71.67.193]: 404
>
>     Domain: try.freemarker.org
>     Type:   unauthorized
>     Detail: Invalid response from
> http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k
>     [54.71.67.193]: 404
>
>     To fix these errors, please make sure that your domain name was
>     entered correctly and the DNS A/ record(s) for that domain
>     contain(s) the right IP address.
>
> [domains are correct and 54.71.67.193 is currently the right IP]
>
>   - Your account credentials have been saved in your Certbot
>     configuration directory at /etc/letsencrypt. You should make a
>     secure backup of this folder now. This configuration directory will
>     also contain certificates and private keys obtained by Certbot so
>     making regular backups of this folder is ideal.
>
> [I have removed /etc/letsencrypt; it's of no use as long as
> the challenges are not successful[2]]
>
> Obviously certbot is not able to put the challenge file where it needs.
>
> So it seems a change in code is needed? Else what would you suggest?

I have no experience with certbot and all that. But I guess it just
replaces a certificate file somewhere. That will have to be converted
to JKS format ("Java Key Store", which is what Jetty or any other Java
SSL stuff need). Hopefully there's a solution for that on the net...
if not, we will figure out...

> Jacques
>
> [1] https://javaee.github.io/grizzly/ajp.html
>
> [2]
> https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>
>
> Le 08/05/2018 à 14:25, Jacques Le Roux a écrit :
>> It's OK now with Chris Lambertus's help
>>
>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>
>> Jacques
>>
>>
>> Le 06/05/2018 à 09:10, Jacques Le Roux a écrit :
>>> Thanks
>>>
>>> Just tried, did not work, not sure why
>>>
>>>
>>> Le 05/05/2018 à 19:05, Daniel Dekany a écrit :
 I'm a sudoer, so I can add you. Try now!


 Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux 

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-08 Thread Jacques Le Roux

It's OK now with Chris Lambertus's help

I created https://issues.apache.org/jira/browse/INFRA-16498 to continue

Jacques


Le 06/05/2018 à 09:10, Jacques Le Roux a écrit :

Thanks

Just tried, did not work, not sure why


Le 05/05/2018 à 19:05, Daniel Dekany a écrit :

I'm a sudoer, so I can add you. Try now!


Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:


Thanks Daniel,

I did not, but actually as I'm not in the sudoers it does not help:

otp-md5 499 fr516
Password:
jleroux is not in the sudoers file.  This incident will be reported.
jleroux@freemarker-vm:~$

Jacques


Le 05/05/2018 à 12:38, Daniel Dekany a écrit :

Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:


I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775

Have you done the OTP stuff? See on:
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation


Jacques


Le 01/05/2018 à 14:50, Jacques Le Roux a écrit :

Hi Daniel,

Yes completely forgot about that. I just checked and I have access to the VM.

Since we need to do it ourselves, I'll have a look, hopefully this week (very 
possible)

Cheers

Jacques


Le 30/04/2018 à 16:51, Daniel Dekany a écrit :

Seems this was forgotten. Do you plan to do it?


Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:


Thanks Daniel,

That's good news. I did not want to get further with
try.freemarker.org waiting for this to happen. Once LetsEncrypt setting is done 
a redirection
should be enough

Jacques

Le 08/01/2018 à 09:47, Daniel Dekany a écrit :

Greg commented on the request:

      try.freemarker.apache.org now works, and is propagated.

      Since that hostname maps to your VM, the certificate to be used for
      try.freemarker.apache.org will need to be hosted/operated by your VM.
      Infra's current policy for project VMs is to use LetsEncrypt for
      certificates. [~pono] will get you set up with that.


Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:


Good, Greg closed INFRA-15476

Jacques

Le 03/01/2018 à 21:23, Daniel Dekany a écrit :

I'm "a bit" late with this, but I have created the issue for it:
https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775


Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:


To summarize, the opinions were (whether we should switch to 
try.freemarker.apache.org):
- Daniel Dekany: We better not risk not doing this
- Jacopo Cappellato: Agrees with me (above) in this
- Jacques Le Roux: No opinion was expressed, but it's technically fine
- Ralph Goers: It's certainly not necessary to do

So, unless someone has more to add, I will ask this from Infra in the
coming days... just to be on the safe side.

Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:


The difference is that try.freemarker.org is a companion site. So long as the
main site is freemarker.apache.org I don’t think anyone will complain about a
companion site.

Ralph


On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:

Hi Ralph,

IIRW openoffice.org is an exception. There are others, when the domain was well 
established before entering the incubator, subversion.org
comes to mind.

IMO freemarker.org was well established before entering the incubator but not 
try.freemarker.apache.org which is quite recent. Hence maybe
some caution needed...

My 2 cts

Jacques


On 29/11/2017 at 14:55, Ralph Goers wrote:

Personally, I don’t see why there should be a problem as long as try.freemarker.org
is an Apache controlled domain. You aren’t the only project that has a vanity
domain. See www.openoffice.org as an example.

Ralph


On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:

Just as a reminder, I'm planning to request try.freemarker.apache.org,
from Infra and then redirect try.freemarker.org to it, because I'm
worried that the IPMC will dislike that we use try.freemarker.org as
the canonical address of the online template tester. It will also use
https and a LetsEncrypt certificate (we can't use the *.apache.org
cert on a VM).

BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
gotchas in our case, but if anyone is aware of some, like LetsEncrypt
doesn't support them or something, please stop me! (Also, as this way
we will receive the cookies of freemarker.apache.org, but certainly we
will be able to cope with that, if it ever causes a problem.)

Any comments? And do you (especially PPMC members) agree?

--
Thanks,
Daniel Dekany


Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-06 Thread Jacques Le Roux

Thanks

Just tried, did not work, not sure why


On 05/05/2018 at 19:05, Daniel Dekany wrote:

I'm a sudoer, so I can add you. Try now!


Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:


Thanks Daniel,

I did not, but actually as I'm not in the sudoers it does not help:

otp-md5 499 fr516
Password:
jleroux is not in the sudoers file.  This incident will be reported.
jleroux@freemarker-vm:~$

Jacques


On 05/05/2018 at 12:38, Daniel Dekany wrote:

Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:


I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775

Have you done the OTP stuff? See on:
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation


Jacques


On 01/05/2018 at 14:50, Jacques Le Roux wrote:

Hi Daniel,

Yes completely forgot about that. I just checked and I have access to the VM.

Since we need to do it ourselves, I'll have a look, hopefully this week (very 
possible)

Cheers

Jacques


On 30/04/2018 at 16:51, Daniel Dekany wrote:

Seems this was forgotten. Do you plan to do it?


Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:


Thanks Daniel,

That's good news. I did not want to get further with
try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done,
a redirection should be enough.

Jacques

On 08/01/2018 at 09:47, Daniel Dekany wrote:

Greg commented on the request:

      try.freemarker.apache.org now works, and is propagated.

      Since that hostname maps to your VM, the certificate to be used for
      try.freemarker.apache.org will need to be hosted/operated by your VM.
      Infra's current policy for project VMs is to use LetsEncrypt for
      certificates. [~pono] will get you set up with that.


Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:


Good, Greg closed INFRA-15476

Jacques

On 03/01/2018 at 21:23, Daniel Dekany wrote:

I'm "a bit" late with this, but I have created the issue for it:
https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775


Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:


To summarize, the opinions were (whether we should switch to
try.freemarker.apache.org):
- Daniel Dekany: We better not risk not doing this
- Jacopo Cappellato: Agrees with me (above) in this
- Jacques Le Roux: No opinion was expressed, but it's technically fine
- Ralph Goers: It's certainly not necessary to do

So, unless someone has more to add, I will ask this from Infra in the
coming days... just to be on the safe side.

Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:


The difference is that try.freemarker.org is a companion site. So long as the
main site is freemarker.apache.org I don’t think anyone will complain about a
companion site.

Ralph


On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:

Hi Ralph,

IIRW openoffice.org is an exception. There are others, when the domain was well 
established before entering the incubator, subversion.org
comes to mind.

IMO freemarker.org was well established before entering the incubator but not 
try.freemarker.apache.org which is quite recent. Hence maybe
some caution needed...

My 2 cts

Jacques


On 29/11/2017 at 14:55, Ralph Goers wrote:

Personally, I don’t see why there should be a problem as long as try.freemarker.org
is an Apache controlled domain. You aren’t the only project that has a vanity
domain. See www.openoffice.org as an example.

Ralph


On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:

Just as a reminder, I'm planning to request try.freemarker.apache.org,
from Infra and then redirect try.freemarker.org to it, because I'm
worried that the IPMC will dislike that we use try.freemarker.org as
the canonical address of the online template tester. It will also use
https and a LetsEncrypt certificate (we can't use the *.apache.org
cert on a VM).

BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
gotchas in our case, but if anyone is aware of some, like LetsEncrypt
doesn't support them or something, please stop me! (Also, as this way
we will receive the cookies of freemarker.apache.org, but certainly we
will be able to cope with that, if it ever causes a problem.)

Any comments? And do you (especially PPMC members) agree?

--
Thanks,
Daniel Dekany


Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-05 Thread Daniel Dekany
I'm a sudoer, so I can add you. Try now!


Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:

> Thanks Daniel,
>
> I did not, but actually as I'm not in the sudoers it does not help:
>
> otp-md5 499 fr516
> Password:
> jleroux is not in the sudoers file.  This incident will be reported.
> jleroux@freemarker-vm:~$
>
> Jacques
>
>
> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>
>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>> Have you done the OTP stuff? See on:
>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>
>>> Jacques
>>>
>>>
>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
 Hi Daniel,

 Yes completely forgot about that. I just checked and I have access to the 
 VM.

 Since we need to do it ourselves, I'll have a look, hopefully this week 
 (very possible)

 Cheers

 Jacques


 On 30/04/2018 at 16:51, Daniel Dekany wrote:
> Seems this was forgotten. Do you plan to do it?
>
>
> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>
>> Thanks Daniel,
>>
>> That's good news. I did not want to get further with
>> try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting
>> is done, a redirection
>> should be enough.
>>
>> Jacques
>>
>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>> Greg commented on the request:
>>>
>>>      try.freemarker.apache.org now works, and is propagated.
>>>
>>>      Since that hostname maps to your VM, the certificate to be used for
>>>      try.freemarker.apache.org will need to be hosted/operated by your 
>>> VM.
>>>      Infra's current policy for project VMs is to use LetsEncrypt for
>>>      certificates. [~pono] will get you set up with that.
>>>
>>>
>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>
 Good, Greg closed INFRA-15476

 Jacques

 On 03/01/2018 at 21:23, Daniel Dekany wrote:
> I'm "a bit" late with this, but I have created the issue for it:
> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>
>
> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>
>> To summarize, the opinions were (whether we should switch to
>> try.freemarker.apache.org):
>> - Daniel Dekany: We better not risk not doing this
>> - Jacopo Cappellato: Agrees with me (above) in this
>> - Jacques Le Roux: No opinion was expressed, but it's technically 
>> fine
>> - Ralph Goers: It's certainly not necessary to do
>>
>> So, unless someone has more to add, I will ask this from Infra in the
>> coming days... just to be on the safe side.
>>
>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>
>>> The difference is that try.freemarker.org is a companion site. So long as the
>>> main site is freemarker.apache.org I don’t think anyone will
>>> complain about a companion site.
>>>
>>> Ralph
>>>
 On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:

 Hi Ralph,

 IIRW openoffice.org is an exception. There are others, when the 
 domain was well established before entering the incubator, 
 subversion.org
 comes to mind.

 IMO freemarker.org was well established before entering the 
 incubator but not try.freemarker.apache.org which is quite recent. 
 Hence maybe
 some caution needed...

 My 2 cts

 Jacques


 On 29/11/2017 at 14:55, Ralph Goers wrote:
> Personally, I don’t see why there should be a problem as long as
> try.freemarker.org is an Apache controlled
> domain. You aren’t the only project that has a vanity domain. See
> www.openoffice.org as an example.
>
> Ralph
>
>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:
>>
>> Just as a reminder, I'm planning to request 
>> try.freemarker.apache.org,
>> from Infra and then redirect try.freemarker.org to it, because 
>> I'm
>> worried that the IPMC will dislike that we use 
>> try.freemarker.org as
>> the canonical address of the online template tester. It will 
>> 

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-05 Thread Daniel Dekany
Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:

> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775

Have you done the OTP stuff? See on:
https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation

> Jacques
>
>
> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>> Hi Daniel,
>>
>> Yes completely forgot about that. I just checked and I have access to the VM.
>>
>> Since we need to do it ourselves, I'll have a look, hopefully this week 
>> (very possible)
>>
>> Cheers
>>
>> Jacques
>>
>>
>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>> Seems this was forgotten. Do you plan to do it?
>>>
>>>
>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>
 Thanks Daniel,

 That's good news. I did not want to get further with
 try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is
 done, a redirection
 should be enough.

 Jacques

 On 08/01/2018 at 09:47, Daniel Dekany wrote:
> Greg commented on the request:
>
>     try.freemarker.apache.org now works, and is propagated.
>
>     Since that hostname maps to your VM, the certificate to be used for
>     try.freemarker.apache.org will need to be hosted/operated by your VM.
>     Infra's current policy for project VMs is to use LetsEncrypt for
>     certificates. [~pono] will get you set up with that.
>
>
> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>
>> Good, Greg closed INFRA-15476
>>
>> Jacques
>>
>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>> I'm "a bit" late with this, but I have created the issue for it:
>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>
>>>
>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>
 To summarize, the opinions were (whether we should switch to
 try.freemarker.apache.org):
 - Daniel Dekany: We better not risk not doing this
 - Jacopo Cappellato: Agrees with me (above) in this
 - Jacques Le Roux: No opinion was expressed, but it's technically fine
 - Ralph Goers: It's certainly not necessary to do

 So, unless someone has more to add, I will ask this from Infra in the
 coming days... just to be on the safe side.

 Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:

> The difference is that try.freemarker.org is a companion site. So long as the
> main site is freemarker.apache.org I don’t think anyone will complain
> about a companion site.
>
> Ralph
>
>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:
>>
>> Hi Ralph,
>>
>> IIRW openoffice.org is an exception. There are others, when the 
>> domain was well established before entering the incubator, 
>> subversion.org 
>> comes to mind.
>>
>> IMO freemarker.org was well established before entering the 
>> incubator but not try.freemarker.apache.org which is quite recent. 
>> Hence maybe 
>> some caution needed...
>>
>> My 2 cts
>>
>> Jacques
>>
>>
>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>> Personally, I don’t see why there should be a problem as long as
>>> try.freemarker.org is an Apache controlled
>>> domain. You aren’t the only project that has a vanity domain. See
>>> www.openoffice.org as an example.
>>>
>>> Ralph
>>>
 On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:

 Just as a reminder, I'm planning to request 
 try.freemarker.apache.org,
 from Infra and then redirect try.freemarker.org to it, because I'm
 worried that the IPMC will dislike that we use try.freemarker.org 
 as
 the canonical address of the online template tester. It will also 
 use
 https and a LetsEncrypt certificate (we can't use the *.apache.org
 cert on a VM).

 BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
 gotchas in our case, but if anyone is aware of some, like LetsEncrypt
 doesn't support them or something, please stop me! (Also, as this
 way
 we will receive the cookies of freemarker.apache.org, but
 certainly we
 will be able to cope with that, if it ever causes a problem.)

 Any comments? And do you (especially PPMC members) agree?

 -- 

Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-05 Thread Jacques Le Roux

I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775

Jacques


On 01/05/2018 at 14:50, Jacques Le Roux wrote:

Hi Daniel,

Yes completely forgot about that. I just checked and I have access to the VM.

Since we need to do it ourselves, I'll have a look, hopefully this week (very 
possible)

Cheers

Jacques


On 30/04/2018 at 16:51, Daniel Dekany wrote:

Seems this was forgotten. Do you plan to do it?


Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:


Thanks Daniel,

That's good news. I did not want to get further with
try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done,
a redirection should be enough.

Jacques

On 08/01/2018 at 09:47, Daniel Dekany wrote:

Greg commented on the request:

    try.freemarker.apache.org now works, and is propagated.

    Since that hostname maps to your VM, the certificate to be used for
    try.freemarker.apache.org will need to be hosted/operated by your VM.
    Infra's current policy for project VMs is to use LetsEncrypt for
    certificates. [~pono] will get you set up with that.


Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:


Good, Greg closed INFRA-15476

Jacques

On 03/01/2018 at 21:23, Daniel Dekany wrote:

I'm "a bit" late with this, but I have created the issue for it:
https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775


Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:


To summarize, the opinions were (whether we should switch to
try.freemarker.apache.org):
- Daniel Dekany: We better not risk not doing this
- Jacopo Cappellato: Agrees with me (above) in this
- Jacques Le Roux: No opinion was expressed, but it's technically fine
- Ralph Goers: It's certainly not necessary to do

So, unless someone has more to add, I will ask this from Infra in the
coming days... just to be on the safe side.

Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:


The difference is that try.freemarker.org is a companion site. So long as the
main site is freemarker.apache.org I don’t think anyone will complain about a
companion site.

Ralph


On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:

Hi Ralph,

IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the incubator, subversion.org 
comes to mind.


IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which is quite recent. Hence maybe 
some caution needed...


My 2 cts

Jacques


On 29/11/2017 at 14:55, Ralph Goers wrote:
Personally, I don’t see why there should be a problem as long as try.freemarker.org is an Apache controlled
domain. You aren’t the only project that has a vanity domain. See www.openoffice.org as an example.


Ralph


On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:

Just as a reminder, I'm planning to request try.freemarker.apache.org,
from Infra and then redirect try.freemarker.org to it, because I'm
worried that the IPMC will dislike that we use try.freemarker.org as
the canonical address of the online template tester. It will also use
https and a LetsEncrypt certificate (we can't use the *.apache.org
cert on a VM).

BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
gotchas in our case, but if anyone is aware of some, like LetsEncrypt
doesn't support them or something, please stop me! (Also, as this way
we will receive the cookies of freemarker.apache.org, but certainly we
will be able to cope with that, if it ever causes a problem.)

Any comments? And do you (especially PPMC members) agree?

--
Thanks,
Daniel Dekany


Re: try.freemarker.apache.org instead of try.freemarker.org?

2018-05-01 Thread Jacques Le Roux

Hi Daniel,

Yes completely forgot about that. I just checked and I have access to the VM.

Since we need to do it ourselves, I'll have a look, hopefully this week (very 
possible)

Cheers

Jacques


On 30/04/2018 at 16:51, Daniel Dekany wrote:

Seems this was forgotten. Do you plan to do it?


Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:


Thanks Daniel,

That's good news. I did not want to get further with
try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done,
a redirection should be enough.

Jacques

On 08/01/2018 at 09:47, Daniel Dekany wrote:

Greg commented on the request:

try.freemarker.apache.org now works, and is propagated.

Since that hostname maps to your VM, the certificate to be used for
try.freemarker.apache.org will need to be hosted/operated by your VM.
Infra's current policy for project VMs is to use LetsEncrypt for
certificates. [~pono] will get you set up with that.


Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:


Good, Greg closed INFRA-15476

Jacques

On 03/01/2018 at 21:23, Daniel Dekany wrote:

I'm "a bit" late with this, but I have created the issue for it:
https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775


Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:


To summarize, the opinions were (whether we should switch to
try.freemarker.apache.org):
- Daniel Dekany: We better not risk not doing this
- Jacopo Cappellato: Agrees with me (above) in this
- Jacques Le Roux: No opinion was expressed, but it's technically fine
- Ralph Goers: It's certainly not necessary to do

So, unless someone has more to add, I will ask this from Infra in the
coming days... just to be on the safe side.

Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:


The difference is that try.freemarker.org is a companion site. So long as the
main site is freemarker.apache.org I don’t think anyone will complain about a
companion site.

Ralph


On Nov 29, 2017, at 8:33 AM, Jacques Le Roux wrote:

Hi Ralph,

IIRW openoffice.org is an exception. There are others, when the domain was well 
established before entering the incubator, subversion.org comes to mind.

IMO freemarker.org was well established before entering the incubator but not 
try.freemarker.apache.org which is quite recent. Hence maybe some caution 
needed...

My 2 cts

Jacques


On 29/11/2017 at 14:55, Ralph Goers wrote:

Personally, I don’t see why there should be a problem as long as try.freemarker.org
is an Apache controlled domain. You aren’t the only
project that has a vanity domain. See www.openoffice.org
as an example.

Ralph


On Nov 29, 2017, at 1:51 AM, Daniel Dekany wrote:

Just as a reminder, I'm planning to request try.freemarker.apache.org,
from Infra and then redirect try.freemarker.org to it, because I'm
worried that the IPMC will dislike that we use try.freemarker.org as
the canonical address of the online template tester. It will also use
https and a LetsEncrypt certificate (we can't use the *.apache.org
cert on a VM).

BTW, using a sub-sub domain is a bit extreme. I'm not aware of any
gotchas in our case, but if anyone is aware of some, like LetsEncrypt
doesn't support them or something, please stop me! (Also, as this way
we will receive the cookies of freemarker.apache.org, but certainly we
will be able to cope with that, if it ever causes a problem.)

Any comments? And do you (especially PPMC members) agree?

--
Thanks,
Daniel Dekany