Ugh. OK, I have Googled into how certbot works, and it requires a few things from the HTTP service itself... I will upload a new version of the Dropwizard app that can do those things soon.
Tuesday, May 15, 2018, 4:14:55 PM, Daniel Dekany wrote:

> Tuesday, May 15, 2018, 2:26:14 PM, Jacques Le Roux wrote:
>
>> Hi Daniel,
>>
>> I have closed INFRA-16498, we can do it locally, Puppet is not used.
>>
>> So I will use letsencrypt to create a certificate for the 2 domains try.freemarker.org and try.freemarker.apache.org
>>
>> At https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>
>> I read that ports 22 and 80 are accessible from the Internet and that Java serves at port 8080.
>>
>> As I'm used to it, I want to use HTTPD + AJP with the port 443 and to replace the iptables redirection by AJP
>
> There's no AJP or any such mess. It's just a Dropwizard (Java) application (single runnable jar) with an embedded HTTP server, that serves everything directly. Well, except that we need the iptables port redirection as we have no right to bind to ports < 1024... but that's all.
>
>> but
>>
>> 1. Why do we need the port 22?
>
> For SSH.
>
>> 2. I think we don't need to serve the port 8443 from Java and can redirect the port 443 to the port 8080, right? Not sure about that, maybe a change in code is needed?
>
> No, port 8080 corresponds to port 80. Dropwizard (Java) will serve https on 8443 (I assume), which should correspond to 443 via iptables.
>
>> 3. I understand (did not check the whole code) that it does not use a web server like Tomcat or Jetty (to handle AJP) but Jersey+Grizzly, right?
>
> It uses embedded Jetty, but configure Dropwizard itself:
> https://www.dropwizard.io/1.3.2/docs/manual/core.html#ssl
>
>> 4. I read that Grizzly supports AJP[1] but I don't know yet how it does, same way as Tomcat, nothing to add?
>>
>> Because when I try to install a letsencrypt certificate with certbot as root I can't.
>> Using the www-data user (HTTPD default user for User and Group on Debian in apache2.conf) I get: (I also tried the fmonlinetester user in case)
>>
>> certbot --apache
>>
>> [... all correct so far]
>>
>> Performing the following challenges:
>> http-01 challenge for try.freemarker.apache.org
>> http-01 challenge for try.freemarker.org
>> Waiting for verification...
>> Cleaning up challenges
>> Failed authorization procedure. try.freemarker.apache.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404, try.freemarker.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>
>> IMPORTANT NOTES:
>> - The following errors were reported by the server:
>>
>> Domain: try.freemarker.apache.org
>> Type: unauthorized
>> Detail: Invalid response from http://try.freemarker.apache.org/.well-known/acme-challenge/ZXA7ZVpVHW4JHl-UnOnSOnsxTZkknbfyG94F0O4BPRI [54.71.67.193]: 404
>>
>> Domain: try.freemarker.org
>> Type: unauthorized
>> Detail: Invalid response from http://try.freemarker.org/.well-known/acme-challenge/XM0ZwcY91Hdn67kNkRAqHj0_SRC1esu8avbVZYTVe2k [54.71.67.193]: 404
>>
>> To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
>>
>> [domains are correct and 54.71.67.193 is currently the right IP]
>>
>> - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
>>
>> [I have removed /etc/letsencrypt, it's of no use as long as the challenges are not successful[2]]
>>
>> Obviously certbot is not able to put the challenge file where it needs.
>>
>> So it seems a change in code is needed? Else what would you suggest?
>
> I have no experience with certbot and all that. But I guess it just replaces a certificate file somewhere. That will have to be converted to JKS format ("Java Key Store", which is what Jetty or any other Java SSL stuff need). Hopefully there's a solution for that on the net... if not, we will figure out...
>
>> Jacques
>>
>> [1] https://javaee.github.io/grizzly/ajp.html
>>
>> [2] https://superuser.com/questions/1194523/lets-encrypt-certbot-where-is-the-private-key
>>
>>
>> On 08/05/2018 at 14:25, Jacques Le Roux wrote:
>>> It's OK now with Chris Lambertus's help
>>>
>>> I created https://issues.apache.org/jira/browse/INFRA-16498 to continue
>>>
>>> Jacques
>>>
>>>
>>> On 06/05/2018 at 09:10, Jacques Le Roux wrote:
>>>> Thanks
>>>>
>>>> Just tried, did not work, not sure why
>>>>
>>>>
>>>> On 05/05/2018 at 19:05, Daniel Dekany wrote:
>>>>> I'm a sudoer, so I can add you. Try now!
>>>>>
>>>>>
>>>>> Saturday, May 5, 2018, 3:07:13 PM, Jacques Le Roux wrote:
>>>>>
>>>>>> Thanks Daniel,
>>>>>>
>>>>>> I did not, but actually as I'm not in the sudoers it does not help:
>>>>>>
>>>>>> otp-md5 499 fr516
>>>>>> Password:
>>>>>> jleroux is not in the sudoers file. This incident will be reported.
>>>>>> jleroux@freemarker-vm:~$
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> On 05/05/2018 at 12:38, Daniel Dekany wrote:
>>>>>>> Saturday, May 5, 2018, 11:24:37 AM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> I asked for sudo: https://issues.apache.org/jira/browse/INFRA-15775
>>>>>>>
>>>>>>> Have you done the OTP stuff? See on:
>>>>>>> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>> On 01/05/2018 at 14:50, Jacques Le Roux wrote:
>>>>>>>>> Hi Daniel,
>>>>>>>>>
>>>>>>>>> Yes, completely forgot about that. I just checked and I have access to the VM.
>>>>>>>>>
>>>>>>>>> Since we need to do it ourselves, I'll have a look, hopefully this week (very possible)
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 30/04/2018 at 16:51, Daniel Dekany wrote:
>>>>>>>>>> Seems this was forgotten. Do you plan to do it?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Monday, January 8, 2018, 11:04:31 AM, Jacques Le Roux wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks Daniel,
>>>>>>>>>>>
>>>>>>>>>>> That's good news. I did not want to get further with try.freemarker.org waiting for this to happen. Once the LetsEncrypt setting is done a redirection should be enough
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> On 08/01/2018 at 09:47, Daniel Dekany wrote:
>>>>>>>>>>>> Greg commented on the request:
>>>>>>>>>>>>
>>>>>>>>>>>> try.freemarker.apache.org now works, and is propagated.
>>>>>>>>>>>>
>>>>>>>>>>>> Since that hostname maps to your VM, the certificate to be used for try.freemarker.apache.org will need to be hosted/operated by your VM. Infra's current policy for project VMs is to use LetsEncrypt for certificates. [~pono] will get you set up with that.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Wednesday, January 3, 2018, 11:34:32 PM, Jacques Le Roux wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Good, Greg closed INFRA-15476
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 03/01/2018 at 21:23, Daniel Dekany wrote:
>>>>>>>>>>>>>> I'm "a bit" late with this, but I have created the issue for it:
>>>>>>>>>>>>>> https://issues.apache.org/jira/servicedesk/agent/INFRA/issue/INFRA-15775
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Friday, December 15, 2017, 1:57:04 PM, Daniel Dekany wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> To summarize, the opinions were (whether we should switch to try.freemarker.apache.org):
>>>>>>>>>>>>>>> - Daniel Dekany: We better not risk not doing this
>>>>>>>>>>>>>>> - Jacopo Cappellato: Agrees with me (above) in this
>>>>>>>>>>>>>>> - Jacques Le Roux: No opinion was expressed, but it's technically fine
>>>>>>>>>>>>>>> - Ralph Goers: It's certainly not necessary to do
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So, unless someone has more to add, I will ask this from Infra in the coming days... just to be on the safe side.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Wednesday, November 29, 2017, 6:38:05 PM, Ralph Goers wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The difference is that try.freemarker.org <http://try.freemarker.org/> is a companion site. So long as the main site is freemarker.apache.org I don’t think anyone will complain about a companion site.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 8:33 AM, Jacques Le Roux <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Ralph,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> IIRW openoffice.org is an exception. There are others, when the domain was well established before entering the incubator, subversion.org comes to mind.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> IMO freemarker.org was well established before entering the incubator but not try.freemarker.apache.org which is quite recent. Hence maybe some caution is needed...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My 2 cts
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 29/11/2017 at 14:55, Ralph Goers wrote:
>>>>>>>>>>>>>>>>>> Personally, I don’t see why there should be a problem as long as try.freemarker.org <http://try.freemarker.org/> is an Apache controlled domain. You aren’t the only project that has a vanity domain. See www.openoffice.org <http://www.openoffice.org/> as an example.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Ralph
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Nov 29, 2017, at 1:51 AM, Daniel Dekany <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Just as a reminder, I'm planning to request try.freemarker.apache.org from Infra and then redirect try.freemarker.org to it, because I'm worried that the IPMC will dislike that we use try.freemarker.org as the canonical address of the online template tester. It will also use https and a LetsEncrypt certificate (we can't use the *.apache.org cert on a VM).
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> BTW, using a sub-sub domain is a bit extreme. I'm not aware of any gotchas in our case, but if anyone is aware of some, like LetsEncrypt doesn't support them or something, please stop me! (Also, this way we will receive the cookies of freemarker.apache.org, but certainly we will be able to cope with that, if it ever causes a problem.)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Any comments? And do you (especially PPMC members) agree?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>>> Daniel Dekany

--
Thanks,
Daniel Dekany
