Opened 8 years ago

Closed 6 years ago

#1633 closed task (fixed)

Update OSGeo SSL certificate - if needed

Reported by: msmitherdc Owned by: sac@…
Priority: critical Milestone:
Component: SysAdmin Keywords: ssl web certificate
Cc:

Description

Received this email:

From: renewals@… To: tmitchell@… Sent: Wednesday, March 2, 2016 8:03:45 AM Subject: You have 60 days to renew your SSL certificate

Dear Tyler Mitchell

This email is your notification of renewal for your SSL certificate for *.osgeo.org You have 60 days to renew your certificate, but why delay and put your customers security at risk? You don’t lose out with Comodo, because if you act now to renew your certificate we will add the 60 days remaining on your current certificate onto your new one at no extra charge so you can begin using your new certificate immediately, plus to thank you for being a valued customer we will even add an extra month FREE! Simply click on the link below: http://www.instantssl.com/ttb_searcher/go_ssl?v1=21718773&v2=21

As an existing customer of InstantSSL we can expedite your renewal application as long as you login using your existing username and password.

Don’t forget, Comodo’s PremiumSSL Wildcard Certificates are the most cost-effective range of fully trusted and recognized SSL certificates in the market. To save money and avoid having to renew every year, we HIGHLY RECOMMEND a 3 year certificate - http://www.instantssl.com/ttb_searcher/go_ssl2?v1=21718773&v2=35&v3=5

Thank you for choosing Comodo - we look forward to continuing to provide you with the most cost-effective certificates in the market

Kind Regards,

Comodo Security Services

If you do not require any further renewal alerts in respect of this particular SSL Certificate please click http://www.instantssl.com/ttb_searcher/ssl_opt_out?v1=21718773 to be automatically removed from this free alert service.

We have contacted you because you are a valued customer of Comodo InstantSSL. However, if you would prefer not to receive any renewal emails from Comodo in the future, please click http://secure.comodo.net/products/opt?v=tmitchell@osgeo.org&c=r

Change History (11)

comment:1 by strk, 8 years ago

I suggest to switch to https://letsencrypt.org/, it's free and very easy to use and script (having short expiration, circa 2 months).

comment:2 by wildintellect, 8 years ago

Will the letsencrypt cert work for our LDAP configuration? https://wiki.osgeo.org/wiki/SAC:SSLCert Do we have any other services outside of http/https that rely on a higher standard cert (svn, mail, git?).

I am +1 for adding letsencrypt as a service to all webites hosted on osgeo that are not *.osgeo.org domains. We would need a good cron job/process for staying up an the renewals.

Can someone shop around for types of certs and prices that meet our need?

comment:3 by wildintellect, 8 years ago

I've created a new certificate good for 3 years (new vendor SSL.com). Account info is in the access file.

New cert should be ready to use, all files are in ~/sslcerts/2016 of the root account on secure. We should roll this out to a lesser used domain 1st to test, then to all *.osgeo.org domains before Sunday when the current cert expires. Please chime in if you can handle particular sites/servers.

Down the line I would like to pilot letsencrypt on all other domains we host (offering optional SSL for everything). Anyone want to take charge of this part of the project?

comment:4 by wildintellect, 8 years ago

Seems this drama isn't quite over. Anyone know the difference between a DV and OV certificate, and if we really need an OV (I bought a DV it turns out)?

Comodo is offering to renew our supposed OV (can't actually tell if it's an OV because it's got a flag related to still using SHA-1) for $1200 with 2 yrs free (so 5 year). Which brings it back down closer to what we just paid per year. FYI, we can get a full refund on the current purchase within 30 days.

I'm trying to get access to the Comodo account to investigate more.

in reply to:  3 comment:5 by neteler, 7 years ago

Priority: normalcritical

Replying to wildintellect:

I've created a new certificate good for 3 years (new vendor SSL.com). Account info is in the access file.

This SSL certificate now rejected by Travis CI.

See e.g. https://travis-ci.org/GRASS-GIS/grass-ci/jobs/196398204

==> Cloning https://svn.osgeo.org/grass/grass/trunk

Error validating server certificate for 'https://svn.osgeo.org:443':

 - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually!

Certificate information:
 - Hostname: *.osgeo.org
 - Valid: from Thu, 28 Apr 2016 00:00:00 GMT until Wed, 01 May 2019 23:59:59 GMT
 - Issuer: www.ssl.com, SSL.com, US
 - Fingerprint: 56:50:0d:63:0f:47:10:92:7a:3a:b5:a9:83:f8:97:92:fe:d6:19:95

(R)eject, accept (t)emporarily or accept (p)ermanently? svn: E175002: Unable to connect to a repository at URL 'https://svn.osgeo.org/grass/grass/trunk'

svn: E175002: OPTIONS of 'https://svn.osgeo.org/grass/grass/trunk': Server certificate verification failed: issuer is not trusted (https://svn.osgeo.org)

Error: Failed to download resource "grass-trunk"

Quality check:

https://www.ssllabs.com/ssltest/analyze.html?d=svn.osgeo.org

--> Overall Rating: C

Time to switch to https://letsencrypt.org/ (eg with certbot)?

comment:6 by strk, 7 years ago

Only 9 months are elapsed since the SSL.com certificate was issued, so there should be time before we switch. Could your issue be a temporary glitch on Travis ? I'm all for switching all to letsencrypt and happy to do it but wouldn't rush if not needed. Anyway, my SSL cert (letsencrypt) is rated A (for comparison): https://www.ssllabs.com/ssltest/analyze.html?d=strk.kbt.io

comment:7 by neteler, 7 years ago

For the record: some more SSL issues discussed on the list:

https://lists.osgeo.org/pipermail/sac/2017-February/008061.html

comment:8 by neteler, 7 years ago

What's our plan here? More users start to have troubles to connect to OSGeo servers (see lists).

comment:9 by strk, 7 years ago

I guess this would be one of the first tasks by the new sysadmin contractor (any news on that Alex?)

comment:10 by strk, 7 years ago

Is the real cause of refusal the SSL protocol supported by apache as reported in #1981 ?

comment:11 by strk, 6 years ago

Resolution: fixed
Status: newclosed

I'm closing this because the only test provided reporting a problem was https://www.ssllabs.com/ssltest/analyze.html?d=svn.osgeo.org and that URL now gives A+ rating.

Please reopen or better open a NEW ticket for new problems. Thanks.

Note: See TracTickets for help on using tickets.