Opened 6 years ago

Closed 6 years ago

#2256 closed task (fixed)

Migrate All HTTPS Certs to Lets Encrypt

Reported by: wildintellect Owned by: robe
Priority: normal Milestone: Sysadmin Contract 2019-I
Component: SysAdmin Keywords:
Cc:

Description

The *.osgeo.org cert expires May 1, 2019. We should find and move all remaining domains that are still using it to Let's Encrypt.

  1. Inventory of osgeo.org domains and which cert they use.
  2. Plan on how to convert each of those over.

Related Ticket #2143
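Step 1 of the ticket is an inventory of which hosts still serve the expiring wildcard and which have already moved. The script below is an added example for that step, not part of the OSGeo ticket or its sysadmin tooling: it connects to each host on 443 with SNI, reads the served leaf certificate, and flags any host whose issuer is not Let's Encrypt or whose expiry is within a warning window. The host list, the warning window and the issuer string matched against are assumptions; `classify()` is pure so it can be exercised on constructed `getpeercert()`-shaped dicts without the network.

```python
"""Inventory which hosts still serve a non-Let's Encrypt or near-expiry cert.

Added example (not from the OSGeo ticket). HOSTS, WARN_DAYS and the
LETSENCRYPT_ORG string are assumptions for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed inventory: the hosts the ticket lists under the SSL.com wildcard.
HOSTS = [
    "download.osgeo.org", "id.osgeo.org", "planet.osgeo.org",
    "trac.osgeo.org", "svn.osgeo.org", "wiki.osgeo.org", "git.osgeo.org",
]

LETSENCRYPT_ORG = "Let's Encrypt"   # issuer organizationName we want to see
WARN_DAYS = 30                      # flag certs expiring sooner than this


def rdn_value(rdn_seq, key):
    """Pull one attribute (e.g. 'organizationName') out of the tuple-of-tuples
    structure ssl.getpeercert() uses for 'issuer' and 'subject'."""
    for rdn in rdn_seq:
        for name, value in rdn:
            if name == key:
                return value
    return None


def parse_not_after(value):
    """getpeercert() renders notAfter like 'May  1 23:59:59 2019 GMT'."""
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def classify(cert, now, warn_days=WARN_DAYS):
    """Describe one served certificate (dict shaped like getpeercert()) and
    decide whether the host still needs migrating."""
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    not_after = parse_not_after(cert["notAfter"])
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    days_left = (not_after - now).days
    return {
        "issuer": issuer_org,
        "expires": not_after.date().isoformat(),
        "days_left": days_left,
        "wildcard": any(s.startswith("*.") for s in sans),
        "needs_migration": issuer_org != LETSENCRYPT_ORG or days_left < warn_days,
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Network call: fetch the leaf cert `host` serves for its own name (SNI).
    The default context verifies, so an expired or mismatched cert raises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def inventory(hosts, fetch=fetch_cert, now=None):
    """Map each host to its classify() result; hosts that fail the TLS
    handshake are recorded as errors and treated as needing migration."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch(host), now)
        except (OSError, ssl.SSLError, KeyError) as exc:
            report[host] = {"error": str(exc), "needs_migration": True}
    return report


if __name__ == "__main__":
    for host, info in inventory(HOSTS).items():
        print(host, info)
```

Because `fetch_cert` uses a verifying context, a host whose wildcard has already expired shows up as an error row rather than a parsed cert; that is the desired behaviour here, since either way the host needs attention. Hosts that redirect to another name still get classified on the cert served for the name you asked about, which is what matters for the migration.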

Change History (8)

comment:1 by robe, 6 years ago

Milestone: Sysadmin Contract 2019-I
Owner: changed from sac@… to robe

Ones that need to be migrated

These use the SSL.com *.osgeo.org cert, which expires May 1st, 2019

download.osgeo.org
id.osgeo.org
journal.osgeo.org -- is this still used?
planet.osgeo.org
trac.osgeo.org
svn.osgeo.org
wiki.osgeo.org
git.osgeo.org

NO SSL Cert

http://foss4g.org/
Last edited 6 years ago by robe

comment:2 by robe, 6 years ago

Added a Let's Encrypt cert to the following websites on webextra (I did not bother with the old archived foss4g sites)

Note for webextra it's important to use --no-self-upgrade when doing this, since the server is so ancient it can't support the new Let's Encrypt client

 /usr/src/letsencrypt/certbot/certbot-auto  --no-self-upgrade

#these got new ssl (didn't have any before)

foss4g.org
www.foss4g.org
webextra.osgeo.osuosl.org
video.foss4g.org (there are some insecure logos so https gives warnings)

#replaces the ssl.com with Letsencrypt

live.osgeo.org
journal.osgeo.org
planet.osgeo.org

comment:3 by robe, 6 years ago

osgeo6 had the old certbot and it's running Debian 8. Certbot recommends using certbot-auto for Debian 8 (and not the one from the repo, which is too old).

So first I had to remove the old certbot and install a new one. I assumed Martin used aptitude here since I know he prefers that, so I used that:

aptitude remove certbot #was at 0.11
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mv certbot-auto /bin/
certbot-auto --apache

Some domains were live in here but they are not hosted here or seem dead, so I left them alone or disabled the site:

featureserver.org (this is running on projects.osgeo.osuosl.org)
ol3js.org (was showing foss4g2018 community review - I didn't renew or kill it, but it should probably be killed. I'll send a note about this one)
www.openlayers.org, blog.openlayers.org (are hosted at 104.211.15.*; however dev and docs (which point at the OL2 docs) are still here) - can we kill these? (they are all in openlayer.conf along with the live sites, so I didn't disable them)

projects.osgeo.osuosl.org is not on this server #looks like maybe Martin started moving everything to osgeo6 from that server, as all that is left there appears to be community-review.foss4g.org.conf, featureserver.org.conf and sr.org.conf (so I nixed this)

remotesensing.org, www.remotesensing.org - just gets a WIX flash page, so I disabled it
www.tilecache.org -- is this project still alive? I didn't renew but didn't disable the site either
ol3js.org - pointing to projects, but it's mixed in with everything else

Then the certs I renewed with certbot-auto:

#these were already using it, but needed to be renewed with new TLS

drone.osgeo.org
gdal.org, www.gdal.org #was using certbot, was expiring 4/24
grass.osgeo.org
grasswiki.osgeo.org
lists.osgeo.org
mapserver.osgeo.org

These had no cert, so I added Let's Encrypt:

geotools.org, www.geotools.org
docs.geotools.org
mapserver.gis.umn.edu

comment:4 by wildintellect, 6 years ago

We have a report that gdal.org and mapserver.org certs are not working. Ticket #2270

comment:5 by robe, 6 years ago

Moved trac.osgeo.org, svn.osgeo.org, git.osgeo.org to Let's Encrypt.

Note: I had to copy certbot-auto from webextra because the one you pull from letsencrypt doesn't work with Debian Wheezy, which is running on trac, and set it to not auto-upgrade. Added to crontab to auto-renew.

Installed the new certs with these commands:

certbot-auto -d svn.osgeo.org --no-self-upgrade
certbot-auto -d trac.osgeo.org --no-self-upgrade
certbot-auto -d git.osgeo.org --no-self-upgrade

I did not bother with trac.openlayers.org and svn.openlayers.org, but those will need to be bundled. Not sure they are even still in use.

I think we will be coming close to our cap of renewals - as it's 5 every 7 days.

comment:6 by robe, 6 years ago

Never mind about the limit -- I think we are okay - https://letsencrypt.org/docs/rate-limits/

comment:7 by robe, 6 years ago

I couldn't get letsencrypt to install on web.osgeo.osuosl.org, so I reimaged it as an LXD container called old-web.

Then I repointed fdo.osgeo.org and id.osgeo.org to the new container, proxying through nginx.

I did discover that even with the redirects, I could proxy (old or new) using https://140.211.15.66:443 (I think it ends up using an eventually expired cert).

Rather than fiddling with the redirect and having it go straight http, I decided to do

https://old-web.lxd (it shows it's using Let's Encrypt, but since it relies on the SSL wildcard about to expire, it may not hold - we'll see).

comment:8 by robe, 6 years ago

Resolution: fixed
Status: new → closed

I think I got all the sites. Will reopen if I missed any.
