Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#2115 closed task (fixed)

Make download.osgeo.org also available via HTTPS

Reported by: Bas Couwenberg
Owned by: robe
Priority: normal
Milestone:
Component: Systems Admin
Keywords:
Cc:

Description

The lintian QA tool complains about the insecure URI used for various projects on download.osgeo.org.

Please make download.osgeo.org also available via HTTPS.

Change History (8)

comment:1 Changed 14 months ago by robe

Owner: changed from sac@… to robe

As discussed, we'll put in Let's Encrypt. I'll take ownership and try to get it done this week or next.

comment:2 Changed 14 months ago by robe

Resolution: fixed
Status: changed from new to closed

Bas, can you give it a try now?

https://download.osgeo.org/

I also had to change the logo on the page to use the SSL logo on the osgeo site.

I ended up not going with letsencrypt because there is no certbot package for wheezy, and using the alternative certbot-auto wanted to install like 90 packages and python etc., so I figured it was safer to just go with the wildcard SSL certificate we have (which I copied from trac).

There was actually an older SSL site disabled (but it was using the expired key and also tried to secure download.osgeo.osuosl.org, which would need a different key), so I chucked that site and replaced it with a new SSL one.

comment:3 Changed 14 months ago by Bas Couwenberg

Looks like the CA chain is not configured correctly:

uscan warn: In watchfile debian/watch, reading webpage
  https://download.osgeo.org/geos failed: 500 Can't connect to download.osgeo.org:443 (certificate verify failed)

The SSL Labs Server Test confirms this:

Additional Certificates (if supplied)

Certificates provided 	1 (1214 bytes)
Chain issues 	Incomplete

See: https://www.ssllabs.com/ssltest/analyze.html?d=download.osgeo.org&hideResults=on

comment:4 Changed 14 months ago by robe

Resolution: fixed
Status: changed from closed to reopened

comment:5 Changed 14 months ago by robe

Resolution: fixed
Status: changed from reopened to closed

Should be fixed now. I rechecked and it now gives an A+ rating.

comment:6 Changed 14 months ago by Bas Couwenberg

Yes, much better. Thanks!

Is there monitoring or a calendar reminder for the certificate renewal?

comment:7 Changed 14 months ago by martin

Just to be safe, I'll add one to my business calendar ;-)

comment:8 Changed 14 months ago by robe

The wildcard ssl is expiring May 1st, 2019. I don't think we have plans to renew.

We'll probably have all switched to letsencrypt by that time. I didn't since it was too much hassle for this old hardware/OS.
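
The two problems raised in this ticket (a handshake that fails verification because the chain is incomplete, and a certificate expiry nobody is watching) can be covered by one scheduled check. The following is an added example, not part of the ticket or of OSGeo's tooling; the function names, the 30-day threshold and the time of day in the sample expiry string are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not taken from the ticket
# Constructed sample in getpeercert() format; the ticket gives only the date.
SAMPLE_NOT_AFTER = "May  1 00:00:00 2019 GMT"


def days_left(not_after, now):
    """Whole days from `now` (aware UTC datetime) to a notAfter string."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def classify(not_after, now, warn_days=WARN_DAYS):
    """Map the remaining lifetime to a monitoring state."""
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left <= warn_days:
        return "RENEW_SOON"
    return "OK"


def check_host(host, port=443, now=None, timeout=10):
    """Handshake the way a strict client (uscan, curl) does.

    The default context verifies chain and hostname against the system
    trust store, so a server that omits its intermediate certificate is
    reported as VERIFY_FAILED even if a browser would accept it.
    A certificate already past notAfter also lands in VERIFY_FAILED here.
    """
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "VERIFY_FAILED", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return classify(cert["notAfter"], now), cert["notAfter"]


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run from cron with the hostnames as arguments and alert on any state other than `OK`.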
