#2115 closed task (fixed)
Make download.osgeo.org also available via HTTPS
Reported by: | Bas Couwenberg | Owned by: | robe |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | SysAdmin | Keywords: | |
Cc: |
Description
The lintian QA tool complains about the insecure URI used for various projects on download.osgeo.org.
Please make download.osgeo.org also available via HTTPS.
Change History (8)
comment:1 by , 7 years ago
Owner: | changed from | to
---|
comment:2 by , 7 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Bas, can you give it a try now?
I also had to change the logo on the page to use the SSL logo on the osgeo site.
I ended up not going with letsencrypt because there is no certbot package for wheezy, and the alternative, certbot-auto, wanted to install like 90 packages, python, etc., so I figured it was safer to just go with the wildcard SSL certificate we have (which I copied from trac).
There was actually an older SSL site disabled (but it was using the expired key and also tried to secure download.osgeo.osuosl.org, which would need a different key), so I chucked that site and replaced it with a new SSL one.
comment:3 by , 7 years ago
Looks like the CA chain is not configured correctly:
uscan warn: In watchfile debian/watch, reading webpage https://download.osgeo.org/geos failed: 500 Can't connect to download.osgeo.org:443 (certificate verify failed)
The SSL Labs Server Test confirms this:
Additional Certificates (if supplied):
Certificates provided | 1 (1214 bytes) |
---|---|
Chain issues | Incomplete |
See: https://www.ssllabs.com/ssltest/analyze.html?d=download.osgeo.org&hideResults=on
comment:4 by , 7 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
comment:5 by , 7 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Should be fixed now. I rechecked and it now gives an A+ rating.
comment:6 by , 7 years ago
Yes, much better. Thanks!
Is there monitoring or a calendar reminder for the certificate renewal?
comment:8 by , 7 years ago
The wildcard SSL certificate is expiring May 1st, 2019. I don't think we have plans to renew.
We'll probably have all switched to letsencrypt by that time. I didn't since it was too much hassle for this old hardware/OS.
As discussed, we'll put in Let's Encrypt. I'll take ownership and try to get it done this week or next.
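
The incomplete chain reported in comment:3 and the renewal question in comment:6 can both be checked offline with openssl. The script below is an added example, not part of the ticket or of OSGeo's configuration: it builds a throwaway root, intermediate and leaf (all names are constructed, `download.example.test` is a placeholder), shows that a served file holding only the leaf fails verification while leaf plus intermediate passes, and applies an expiry threshold.

```bash
#!/usr/bin/env bash
# Added example: all keys, certificates and names are constructed for this demo.
set -eu

# mkcert NAME CN EXTFILE SIGNER_ARGS...: new RSA key and CSR, signed per SIGNER_ARGS.
mkcert() {
  name=$1; cn=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -days 30 -extfile "$ext" "$@" \
    -out "$name.pem" 2>/dev/null
}

# build_demo_pki DIR: throwaway root -> intermediate -> leaf (valid 30 days) in DIR.
build_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:download.example.test\n' > leaf.ext
  mkcert root "Demo Root CA" ca.ext -signkey root.key
  mkcert int "Demo Intermediate CA" ca.ext -CA root.pem -CAkey root.key -set_serial 2
  mkcert leaf download.example.test leaf.ext -CA int.pem -CAkey int.key -set_serial 3
  cat leaf.pem > served-incomplete.pem          # "Certificates provided 1"
  cat leaf.pem int.pem > served-fullchain.pem   # leaf first, then the intermediate
)

# chain_ok ROOT SERVED: the first certificate in SERVED is the leaf. Everything in the
# file is offered as untrusted helpers, the way a client uses what the server sends.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# expires_within CERT DAYS: succeeds when CERT expires within DAYS days (renewal alarm).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

work=$(mktemp -d)
build_demo_pki "$work"
for f in served-incomplete.pem served-fullchain.pem; do
  if chain_ok "$work/root.pem" "$work/$f"; then echo "$f: chain complete"
  else echo "$f: chain INCOMPLETE (clients report 'certificate verify failed')"; fi
done
if expires_within "$work/leaf.pem" 45; then
  echo "leaf.pem: expires within 45 days, schedule renewal"
fi
rm -rf "$work"
```

Against a real deployment, `chain_ok` takes the CA's root certificate and the certificate file the web server is configured to send; `expires_within` suits a cron job that alerts on a zero exit status.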