Opened 6 years ago
Closed 6 years ago
#2256 closed task (fixed)
Migrate All HTTPS Certs to Lets Encrypt
Reported by: | wildintellect | Owned by: | robe |
---|---|---|---|
Priority: | normal | Milestone: | Sysadmin Contract 2019-I |
Component: | SysAdmin | Keywords: | |
Cc: |
Description
The *.osgeo.org cert expires May 1, 2019. We should find and move all remaining domains that are still using it to Let's Encrypt.
- Inventory of osgeo.org domains and which cert they use.
- Plan on how to convert each of those over.
Related Ticket #2143
Change History (8)
comment:1 by , 6 years ago
Milestone: | → Sysadmin Contract 2019-I |
---|---|
Owner: | changed from | to
comment:2 by , 6 years ago
Added a Let's Encrypt cert to the following websites on webextra (I did not bother with the old archived foss4g sites).
Note for webextra it's important to use --no-self-upgrade when doing this, since the server is so ancient it can't support the new Let's Encrypt client:
/usr/src/letsencrypt/certbot/certbot-auto --no-self-upgrade
#these got new ssl (didn't have any before)
foss4g.org www.foss4g.org webextra.osgeo.osuosl.org video.foss4g.org (there are some insecure logos so https gives warnings)
#replaces the ssl.com with Letsencrypt
live.osgeo.org journal.osgeo.org planet.osgeo.org
comment:3 by , 6 years ago
osgeo6 had the old certbot and it's running Debian 8. Certbot recommends using the certbot-auto for debian8 (and not the one from repo which is too old).
So first I had to remove the old certbot and install a new one. I assumed Martin used aptitude here since I know he prefers that, so I used that:
aptitude remove certbot   #was at 0.11
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mv certbot-auto /bin/
certbot-auto --apache
Some domains were live in here but they are not hosted here or seem dead, so I left them alone or disabled the site:
featureserver.org (this is running on projects.osgeo.osuosl.org)
ol3js.org (was showing foss4g2018 community review - I didn't renew or kill it but it should be killed probably. I'll send a note about this one)
www.openlayers.org, blog.openlayers.org (are hosted at 104.211.15.*; however dev, docs (which points at OL2 docs) is still here) - can we kill this? (they are all in the openlayer.conf along with the live sites so I didn't disable them)
projects.osgeo.osuosl.org is not on this server #looks like maybe Martin started moving everything to osgeo6 from that server, as all that is left there appears to be community-rewiew.foss4g.org.conf and featureserver.org.conf and sr.org.conf (so nixed this)
remotesensing.org, www.remotesensing.org - just got a WIX flash page so disabled it
www.tilecache.org -- is this project still alive? I didn't renew but didn't disable the site either
ol3js.org - pointing to projects but it's mixed in with everything else
Then the certs I renewed with certbot-auto:
#these were already using it, but needed to be renewed with new TLS
drone.osgeo.org
gdal.org, www.gdal.org #was using certbot, was expiring 4/24
grass.osgeo.org
grasswiki.osgeo.org
lists.osgeo.org
mapserver.osgeo.org
These had no cert, so added Let's Encrypt:
geotools.org, www.geotools.org
docs.geotools.org
mapserver.gis.umn.edu
comment:4 by , 6 years ago
We have a report that gdal.org and mapserver.org certs are not working. Ticket #2270
comment:5 by , 6 years ago
Moved trac.osgeo.org, svn.osgeo.org, git.osgeo.org to LetsEncrypt.
Note I had to copy the certbot-auto from webextra because the one you pull from letsencrypt doesn't work with Debian Wheezy, which is running on trac, and set it to not auto-upgrade. Added to crontab to auto renew.
Installed the new certs with these commands:
certbot-auto -d svn.osgeo.org --no-self-upgrade
certbot-auto -d trac.osgeo.org --no-self-upgrade
certbot-auto -d git.osgeo.org --no-self-upgrade
I did not bother with trac.openlayers.org, svn.openlayers.org but those will need to be bundled. Not sure they are even still in use.
I think we will be coming close to our cap of renewals - as it's 5 every 7 days.
comment:6 by , 6 years ago
nevermind about the limit -- I think we are okay - https://letsencrypt.org/docs/rate-limits/
comment:7 by , 6 years ago
I couldn't get letsencrypt to install on web.osgeo.osuosl.org, so I reimaged it as an lxd container called old-web.
Then I repointed fdo.osgeo.org, id.osgeo.org to the new container, proxying through nginx.
I did discover that even with the redirects, I could proxy (old or new) using https://140.211.15.66:443 (I think it ends up using an eventually expired cert).
Rather than fiddling with the redirect and having it go straight http, I decided to do https://old-web.lxd (it shows it's using letsencrypt, but since it relies on the ssl wildcard about to expire, it may not hold - we'll see).
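The inventory step from the description (which cert each domain serves: the SSL.com wildcard, Let's Encrypt, or nothing) and the bare-IP observation in comment 7 (a request to https://140.211.15.66:443 sends no SNI and gets whatever the default vhost serves) can both be checked with one small script. The following is an added example, not code from this ticket or from OSGeo's sysadmin setup. It assumes openssl 1.1.1 or later on the PATH (for -noservername) and outbound access to port 443; the host names in the usage comment are the ones named in this ticket.

```shell
#!/bin/sh
# Added example (not from the ticket): inventory which certificate each
# host serves, with and without SNI, and classify the issuer.
# Assumptions: openssl(1) >= 1.1.1 on PATH, outbound :443 allowed.

# Fetch the leaf certificate a host serves, as PEM on stdout.
# $1 = host or IP to connect to, $2 = SNI name ("" sends no SNI, which is
# what a request to https://<ip>:443 looks like to the server).
fetch_cert_pem() {
    if [ -n "$2" ]; then
        openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
            | openssl x509 2>/dev/null
    else
        openssl s_client -connect "$1:443" -noservername </dev/null 2>/dev/null \
            | openssl x509 2>/dev/null
    fi
}

# Classify an "issuer=..." line (openssl x509 -issuer output) into the
# buckets the ticket tracks: letsencrypt, sslcom, none, or other.
classify_issuer() {
    case "$1" in
        "")                        echo none ;;
        *"Let's Encrypt"*)         echo letsencrypt ;;
        *"SSL.com"*|*"SSL Corp"*)  echo sslcom ;;
        *)                         echo other ;;
    esac
}

# Print one line per host:
#   <host> <sni|nosni> <class> <notAfter> <ok|EXPIRES_WITHIN_14D>
# -checkend avoids date(1) portability issues; 14 days = 1209600 s.
summarise_host() {
    host=$1; sni=$2
    if [ -n "$sni" ]; then label=sni; else label=nosni; fi
    pem=$(fetch_cert_pem "$host" "$sni")
    if [ -z "$pem" ]; then
        echo "$host $label none - -"
        return 0
    fi
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    not_after=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 1209600 >/dev/null; then
        soon=ok
    else
        soon=EXPIRES_WITHIN_14D
    fi
    echo "$host $label $(classify_issuer "$issuer") $not_after $soon"
}

# Usage: sh cert-inventory.sh host [host ...]
#   e.g. sh cert-inventory.sh gdal.org trac.osgeo.org lists.osgeo.org 140.211.15.66
# Names are queried with SNI; a bare IP is queried without SNI, so it
# shows the default-vhost certificate a raw https://<ip>:443 request gets.
run_inventory() {
    for h in "$@"; do
        case "$h" in
            *[a-zA-Z]*) summarise_host "$h" "$h" ;;
            *)          summarise_host "$h" "" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then
    run_inventory "$@"
fi
```

Run it against the list of domains you are tracking and grep for sslcom or EXPIRES_WITHIN_14D to get the migration queue; the nosni line for the IP tells you which certificate a client that ignores redirects and connects by address will actually be shown.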
comment:8 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
I think I got all the sites. Will reopen if I missed any.
Ones that need to be migrated
These use the SSL.com *.osgeo.org cert which expires May 1st, 2019
NO SSL Cert