Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#2115 closed task (fixed)

Make download.osgeo.org also available via HTTPS

Reported by: Bas Couwenberg
Owned by: robe
Priority: normal
Milestone:
Component: SysAdmin
Keywords:
Cc:

Description

The lintian QA tool complains about the insecure URI used for various projects on download.osgeo.org.

Please make download.osgeo.org also available via HTTPS.

Change History (8)

comment:1 by robe, 6 years ago

Owner: changed from sac@… to robe

As discussed, we'll put in Let's Encrypt. I'll take ownership and try to get it done this week or next.

comment:2 by robe, 6 years ago

Resolution: fixed
Status: new → closed

Bas, can you give it a try now?

https://download.osgeo.org/

I also had to change the logo on the page to use the SSL logo on the OSGeo site.

I ended up not going with Let's Encrypt because there is no certbot package for wheezy, and the alternative, certbot-auto, wanted to install like 90 packages, Python, etc., so I figured it was safer to just go with the wildcard SSL certificate we have (which I copied from trac).

There was actually an older SSL site disabled (but it was using the expired key and also tried to secure download.osgeo.osuosl.org, which would need a different key), so I chucked that site and replaced it with a new SSL one.

comment:3 by Bas Couwenberg, 6 years ago

Looks like the CA chain is not configured correctly:

uscan warn: In watchfile debian/watch, reading webpage
  https://download.osgeo.org/geos failed: 500 Can't connect to download.osgeo.org:443 (certificate verify failed)

The SSL Labs Server Test confirms this:

Additional Certificates (if supplied)

Certificates provided 	1 (1214 bytes)
Chain issues 	Incomplete

See: https://www.ssllabs.com/ssltest/analyze.html?d=download.osgeo.org&hideResults=on

comment:4 by robe, 6 years ago

Resolution: fixed
Status: closed → reopened

comment:5 by robe, 6 years ago

Resolution: fixed
Status: reopened → closed

Should be fixed now. I rechecked and it now gives an A+ rating.

comment:6 by Bas Couwenberg, 6 years ago

Yes, much better. Thanks!

Is there monitoring or a calendar reminder for the certificate renewal?

comment:7 by martin, 6 years ago

Just to be safe, I'll add one to my business calendar ;-)

comment:8 by robe, 6 years ago

The wildcard ssl is expiring May 1st, 2019. I don't think we have plans to renew.

We'll probably have all switched to letsencrypt by that time. I didn't since it was too much hassle for this old hardware/OS.
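
Added example, not part of the ticket or of OSGeo's configuration: the incomplete chain reported in comment:3 and the expiry check asked about in comment:6, reproduced offline with `openssl` on a constructed three-certificate PKI. All certificate names, file names and the helper functions `new_csr`, `make_demo_pki`, `chain_ok` and `expires_within` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (all names are made up) showing why
# a server that sends only its leaf certificate fails client verification.

# new_csr NAME CN: fresh RSA key plus certificate request in $PKI.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# make_demo_pki DIR: root CA -> intermediate CA -> leaf, each valid 30 days.
make_demo_pki() {
    PKI=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$PKI/ca.ext"
    new_csr root "Demo Root CA" &&
    openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 30 \
        -extfile "$PKI/ca.ext" -out "$PKI/root.pem" 2>/dev/null &&
    new_csr int "Demo Intermediate CA" &&
    openssl x509 -req -in "$PKI/int.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
        -set_serial 2 -days 30 -extfile "$PKI/ca.ext" -out "$PKI/int.pem" 2>/dev/null &&
    new_csr leaf "download.example.test" &&
    openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/int.pem" -CAkey "$PKI/int.key" \
        -set_serial 3 -days 30 -out "$PKI/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [INTERMEDIATE]: succeeds only if LEAF chains to the trusted
# ROOT using nothing but the certificates the server supplied.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# expires_within CERT DAYS: succeeds if CERT expires in the next DAYS days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo run on the constructed certificates.
demo=$(mktemp -d) && make_demo_pki "$demo"
chain_ok "$demo/root.pem" "$demo/leaf.pem" || echo "leaf only: verify failed (incomplete chain)"
chain_ok "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem" && echo "leaf + intermediate: verify OK"
expires_within "$demo/leaf.pem" 60 && echo "renewal reminder: expires within 60 days"
```

The `-untrusted` file stands in for what the server sends with its leaf certificate; clients only trust the root, so a server that omits the intermediate produces the "certificate verify failed" seen by uscan. Running `expires_within` from cron against the deployed certificate gives the renewal reminder without relying on a calendar entry.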
