Yes, I'll take care of that

Thanks for the reminder :)

Jacques


On 09/06/2018 at 11:26, Daniel Dekany wrote:
You have intended to do these, to my understanding. You still plan to?


Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:

Inline...

On 19/05/2018 at 12:02, Daniel Dekany wrote:
Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:

Yes, the cron job (cert-renew.sh) should be run daily/nightly by root, content:

certbot renew
openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
-inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
/etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
/etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
pass:"theKnownPassword" (not copied here)
Though you have posted that password to this mailing list anyway... ;)
Yes indeed, just once, but you're right I should have used private :/
Anyway we should change it and keep the new one in a specific file
at https://svn.apache.org/repos/private/pmc/freemarker

I think it should not change the rights to read in
/etc/letsencrypt/live (now with fmonlinetester in group)
It would be surprising if it changes it.
Yep, just got surprisingly bitten once, so...

but we should try it manually once and check.

If it does change then we will need to re-add fmonlinetester
in the group at end of cert-renew.sh. I crossed this read issue before as
jleroux user, initially the dir was readable w/o sudo and then not. Not
sure if it's certbot or openssl which did that in my case.

Also I don't think we need to care about change in
/etc/letsencrypt/live/try.freemarker.apache.org/. If there is no
change, certificate.p12 will be the same, no worries.
Of course. It will need to issue that SSL cert reloading curl command
though.
Ah indeed

localhost:8081/tasks/reload-ssl


I think we should not show the "theKnownPassword" in the wiki page...
Yeah, I guess it's better to star it out on cwiki. (Though to get the p12
or private key one has to pawn the server anyway... and then he finds
the password too.)
I think https://svn.apache.org/repos/private/pmc/freemarker better fits for all
private things. For instance the cron job copy and all the rest. And simply
refer to private things from the wiki

Are there any Let's Encrypt related credentials we should be aware of
(in case you become unavailable)?
Nope, I used only the temporary secret password everywhere and IIRW
it was only when creating the cert from .pem files.

I think "Enter email address (used for urgent renewal and security
notices)" should be [email protected].
I agree! I used mine so far. To be changed like the cert password
Will you handle the job creation and the doc?

Have a good weekend

Jacques
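
A sketch of the cert-renew.sh job discussed in this thread, added here as an example and not the script deployed on the server: it reads the PKCS#12 password from a root-only file instead of the command line, and fails loudly if renewal or export changed the group read rights. PASS_FILE, the helper function names and the POST form of the reload call are assumptions.

```shell
#!/bin/sh
# Added sketch of cert-renew.sh; PASS_FILE and the helper names are hypothetical.
LIVE=/etc/letsencrypt/live/try.freemarker.apache.org
P12=/etc/letsencrypt/live/certificate.p12
PASS_FILE=/root/p12-password.txt   # assumed location, not from the thread

# Permission string of a path as printed by ls, e.g. "-rw-r-----".
mode_of() { ls -ld "$1" | cut -c1-10; }

# True when neither group nor others have any access (password file).
is_private() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the group read bit is set (what fmonlinetester relies on).
group_can_read() {
    case "$(mode_of "$1")" in
        ????r?????) return 0 ;;
        *) return 1 ;;
    esac
}

renew() {
    is_private "$PASS_FILE" || { echo "$PASS_FILE is not private" >&2; return 1; }
    certbot renew || return 1
    # file: keeps the password out of the script and the process list.
    openssl pkcs12 -export -out "$P12" \
        -inkey "$LIVE/privkey.pem" -in "$LIVE/cert.pem" \
        -certfile "$LIVE/chain.pem" -passout "file:$PASS_FILE" || return 1
    # Catch the case where renewal or export reset the read rights.
    for p in /etc/letsencrypt/live "$P12"; do
        group_can_read "$p" || { echo "group cannot read $p" >&2; return 1; }
    done
    # Assumed form of the reload call (POST over plain HTTP on localhost).
    curl -fsS -X POST http://localhost:8081/tasks/reload-ssl
}

# Run only when called as "cert-renew.sh run", so the helpers can be sourced.
if [ "${1:-}" = "run" ]; then renew; fi
```

The group check only looks at the mode bits; it does not confirm which group owns the path.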

