Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2115 closed task (fixed)

Make also available via HTTPS

Reported by: Bas Couwenberg Owned by: robe
Priority: normal Milestone:
Component: SysAdmin Keywords:


The lintian QA tool complains about the insecure URI used for various projects on

Please make also available via HTTPS.

Change History (8)

comment:1 by robe, 6 years ago

Owner: changed from sac@… to robe

as discussed we'll put in lets encrypt. I'll take ownership and try to get done this week or next.

comment:2 by robe, 6 years ago

Resolution: fixed
Status: newclosed

Bas can you give it a try now

I also had to change logo on page to use the ssl logo on osgeo site.

I ended up not going with letsencrypt because no certbot package for wheezy and using the alternative certbot-auto wanted to install like 90 packages and python etc. so figured it was safer to just go with the wildcard ssl certificate we have (which I copied from trac).

There was actually an older ssl site disabled (but it was using the expired key and also tried to secure (which would need a different key), so I chucked that site and replaced with new ssl one.

comment:3 by Bas Couwenberg, 6 years ago

Looks like the CA chain is not configured correctly:

uscan warn: In watchfile debian/watch, reading webpage failed: 500 Can't connect to (certificate verify failed)

The SSL Labs Server Test confirms this:

Additional Certificates (if supplied)

Certificates provided 	1 (1214 bytes)
Chain issues 	Incomplete


comment:4 by robe, 6 years ago

Resolution: fixed
Status: closedreopened

comment:5 by robe, 6 years ago

Resolution: fixed
Status: reopenedclosed

Should be fixed now I rechecked and now gives an A+ rating.

comment:6 by Bas Couwenberg, 6 years ago

Yes, much better. Thanks!

Is there monitoring or a calendar reminder for the certificate renewal?

comment:7 by martin, 6 years ago

Just to be safe, I'll add one to my business calendar ;-)

comment:8 by robe, 6 years ago

The wildcard ssl is expiring May 1st, 2019. I don't think we have plans to renew.

We'll probably have all switched to letsencrypt by that time. I didn't since it was too much hassle for this old hardware/OS.

Note: See TracTickets for help on using tickets.