Tuesday, June 12, 2018, 6:06:17 PM, Jacques Le Roux wrote:

> Hi Daniel,
>
> It's done with an update of the wiki page
> https://cwiki.apache.org/confluence/display/FREEMARKER/try.freemarker.org+maintenance+and+installation
>
> But I faced an issue with the cron job, this command:
>
> jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl https://localhost:8081/tasks/reload-ssl
> curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.
>
> I also tried HTTP, no protocol and both (//) to no avail so far. I
> don't know what I miss, if I miss something
>
> jleroux@freemarker-vm:/opt/fmonlinetester/var$ sudo curl localhost:8081/tasks/reload-ssl
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 405 Method Not Allowed</title>
> </head>
> <body><h2>HTTP ERROR 405</h2>
> <p>Problem accessing /tasks/reload-ssl. Reason:
> <pre> Method Not Allowed</pre></p>
> </body>
> </html>

It's HTTP, not HTTPS, and it seems the HTTP method must be POST, not GET.

> Jacques
>
>
> On 09/06/2018 at 14:31, Jacques Le Roux wrote:
>> Yes, I'll take care of that
>>
>> Thanks for the reminder :)
>>
>> Jacques
>>
>>
>> On 09/06/2018 at 11:26, Daniel Dekany wrote:
>>> You have intended to do these, to my understanding. You still plan to?
>>>
>>>
>>> Saturday, May 19, 2018, 1:42:57 PM, Jacques Le Roux wrote:
>>>
>>>> Inline...
>>>>
>>>> On 19/05/2018 at 12:02, Daniel Dekany wrote:
>>>>> Saturday, May 19, 2018, 11:08:36 AM, Jacques Le Roux wrote:
>>>>>
>>>>>> Yes, the cron job (cert-renew.sh) should be run daily/nightly by root,
>>>>>> content:
>>>>>>
>>>>>> certbot renew
>>>>>> openssl pkcs12 -export -out /etc/letsencrypt/live/certificate.p12
>>>>>> -inkey /etc/letsencrypt/live/try.freemarker.apache.org/privkey.pem -in
>>>>>> /etc/letsencrypt/live/try.freemarker.apache.org/cert.pem -certfile
>>>>>> /etc/letsencrypt/live/try.freemarker.apache.org/chain.pem -pass
>>>>>> pass:"theKnownPassword" (not copied here)
>>>>> Though you have posted that password to this mailing list anyway... ;)
>>>> Yes indeed, just once, but you're right I should have used private :/
>>>> Anyway we should change it and keep the new one in a specific file
>>>> at https://svn.apache.org/repos/private/pmc/freemarker
>>>>
>>>>>> I think it should not change the rights to read in
>>>>>> /etc/letsencrypt/live (now with fmonlinetester in group)
>>>>> It would be surprising if it changes it.
>>>> Yep, just got surprisingly bitten once, so...
>>>>
>>>>>> but we should try it manually once and check.
>>>>>>
>>>>>> If it does change then we will need to re-add fmonlinetester
>>>>>> in the group at end of cert-renew.sh. I crossed this read issue before
>>>>>> as jleroux
>>>>>> user, initially the dir was readable w/o sudo and then not. Not
>>>>>> sure if it's certbot or openssl which did that in my case.
>>>>>>
>>>>>> Also I don't think we need to care about change in
>>>>>> /etc/letsencrypt/live/try.freemarker.apache.org/ If there is no
>>>>>> change certificate.p12 will be the
>>>>>> same, no worries.
>>>>> Of course. It will need to issue that SSL cert reloading curl command
>>>>> though.
>>>> Ah indeed
>>>>
>>>> localhost:8081/tasks/reload-ssl
>>>>
>>>>
>>>>>> I think we should not show the "theKnownPassword" in the wiki page...
>>>>> Yeah, I guess it's better star it out on cwiki. (Though to get the p12
>>>>> or private key one has to pawn the server anyway... and then he finds
>>>>> the password too.)
>>>> I think https://svn.apache.org/repos/private/pmc/freemarker better fits
>>>> for all private things
>>>> For instance the cron job copy and all the rest. And simply refer to
>>>> private things from the wiki
>>>>
>>>>> Are there any Let's Encrypt related credentials we should be aware of
>>>>> (in case you become unavailable)?
>>>> Nope, I used only the temporary secret password everywhere and IIRW
>>>> it was only when creating the cert from .pem files.
>>>>
>>>>> I think "Enter email address (used for urgent renewal and security
>>>>> notices)" should be [email protected].
>>>> I agree! I used mine so far. To be changed like the cert password
>>>> Will you handle the job creation and the doc?
>>>>
>>>> Have a good weekend
>>>>
>>>> Jacques
>>>>
>>
>>
>
>

--
Thanks,
Daniel Dekany
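
The renewal job discussed in this thread, as an added example that is not part of the original messages and not the project's actual cert-renew.sh: it reads the keystore password from a file instead of passing it as `pass:` on the command line, checks that the service user can still read the keystore, and calls the reload task with POST over plain HTTP. The password file path, the `--run` argument and the `sudo -u` readability check are assumptions; the remaining paths and names are taken from the thread.

```shell
#!/bin/sh
# Added example, not the project's cert-renew.sh. PASS_FILE is a hypothetical path.
set -eu

DOMAIN="${DOMAIN:-try.freemarker.apache.org}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
P12="${P12:-$LIVE_DIR/certificate.p12}"
PASS_FILE="${PASS_FILE:-/root/.p12-pass}"      # hypothetical; root-owned, mode 0600
SVC_USER="${SVC_USER:-fmonlinetester}"
RELOAD_URL="${RELOAD_URL:-http://localhost:8081/tasks/reload-ssl}"

# True when the keystore is missing or older than the current certificate.
p12_is_stale() {
  [ ! -e "$P12" ] || [ "$LIVE_DIR/$DOMAIN/cert.pem" -nt "$P12" ]
}

# Rebuild the keystore. The password comes from a file, so it is not visible
# in the process list or in this script.
export_p12() {
  openssl pkcs12 -export -out "$P12" \
    -inkey "$LIVE_DIR/$DOMAIN/privkey.pem" \
    -in "$LIVE_DIR/$DOMAIN/cert.pem" \
    -certfile "$LIVE_DIR/$DOMAIN/chain.pem" \
    -passout "file:$PASS_FILE"
}

# Fail loudly if renewal changed permissions and the service user lost access.
check_readable() {
  sudo -u "$SVC_USER" test -r "$P12" || {
    echo "cert-renew: $SVC_USER cannot read $P12" >&2
    return 1
  }
}

# Per the reply in the thread: plain HTTP on localhost, and the method is POST.
reload_ssl() {
  curl --fail --silent --show-error -X POST "$RELOAD_URL"
}

main() {
  certbot renew --quiet
  if p12_is_stale; then
    export_p12
    check_readable
    reload_ssl
  fi
}

if [ "${1:-}" = "--run" ]; then main; fi   # cron would call: cert-renew.sh --run
```

Because the export and reload only run when cert.pem is newer than the keystore, a nightly run that renews nothing leaves certificate.p12 untouched and does not hit the reload endpoint.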
