#3540 closed defect (fixed)
Enable https for winnie/debbie
Reported by: | strk | Owned by: | robe |
---|---|---|---|
Priority: | medium | Milestone: | Website Management, Bots |
Component: | QA/buildbots | Version: | 2.2.x |
Keywords: | Cc: |
Description
Or web browsers show warning icon when using trac.osgeo.org/postgis due to the winnie/debbie badges coming from HTTP rather than HTTPS.
See letsencrypt for free and automated SSL certs: https://letsencrypt.org/
Change History (9)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Or I wonder if you could turn "winnie" into a slave-only instance, reporting to debbie, so to centralize reporting (badges etc.) some more.
comment:3 by , 9 years ago
Yah I was thinking about that. Never got that far in my study on Jenkins before I got distracted by something else.
I fear it may be more of a hassle than it's worth since I suspect I'd need to copy all the jobs she does right now to debbie to make that work and she does a lot of packaging for windows — so I've got postgis, geos, pgrouting, sfcgal, pgpointcloud etc. Vicky (pgRouting) triggers jobs as needed to test things and pgrouting has a ci folder for winnie (similar to what we have for postgis).
Though I guess I could just copy over the postgis jobs but even that seems like a bit of a pain.
If the only purpose is for https, much easier to just enable it on her for jenkins and download website. I suspect I can use the same key for jenkins and IIS if they are on different ports which they will be.
comment:4 by , 9 years ago
I guess a single master would simplify things, in general. For example there could need to be a single webhook to trigger all builds.
And it would be a way to get used to the "slave" concept to open up the possibility for other PostGIS users to provide their own slave for testing those architectures that are currently untested.
comment:5 by , 9 years ago
Well, doesn't look like letsencrypt works for windows, so I guess I'd have to buy an ssl for winnie or you can maybe proxy through on another port on debbie for https for winnie.
I did get https self-signed to work but that gives a this is self-signed certs.
https://winnie.postgis.net:1501
Cert for a year is only $10 so I could just buy one for winnie and call it a day.
comment:6 by , 9 years ago
Regarding slaves. In theory sounds nice. Not sure how it would be in execution.
Really what I'd like more than slaves is repos that people can have experimental builds of PostGIS to test out. We've got some of that going already with OSGeo-Live, apt-postgresql, yum.postgresql.org but more would be nice and even more experimental would be nicer. Then people could be testing real workloads without hassle of getting all the bits.
comment:7 by , 9 years ago
There, winnie proxied by debbie (certified by letsencrypt):
The proxy will use https to connect to winnie, so encryption chain is not broken. Only, debbie will not check winnie's certificate for being trusted (I guess we could teach debbie to trust winnie certificate but I wouldn't trust a proprietary server myself so won't teach debbie to do that).
So, if you can keep that 1501 port on we can switch all winnie links to debbie:444. Actually, I'm doing that now for trac.
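The two-hop setup described in comment 7, sketched as an added example that is not part of the ticket and not the actual configuration on debbie. It assumes nginx as the proxy; `debbie.example`, the certificate paths and `winnie-selfsigned.pem` are placeholders, while port 444 and `winnie.postgis.net:1501` come from the thread. It shows the unverified upstream hop next to the alternative of pinning winnie's self-signed certificate.

```nginx
# Added illustration, assuming nginx on debbie; not the ticket's real config.
# debbie.example and all file paths below are placeholders.
server {
    listen 444 ssl;
    server_name debbie.example;

    # Hop 1: browser -> debbie, using debbie's Let's Encrypt certificate.
    ssl_certificate     /etc/letsencrypt/live/debbie.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/debbie.example/privkey.pem;

    location / {
        # Hop 2: debbie -> winnie, re-encrypted on the port from the ticket.
        proxy_pass https://winnie.postgis.net:1501;

        # Behaviour described in comment 7: the hop is encrypted but the
        # upstream certificate is not checked (also nginx's default).
        # proxy_ssl_verify off;

        # Pinned alternative: accept only winnie's own self-signed
        # certificate, exported from winnie and copied to debbie.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/pinned/winnie-selfsigned.pem;

        # Name checked against the upstream certificate; assumes the
        # self-signed certificate was issued for winnie.postgis.net.
        proxy_ssl_name                winnie.postgis.net;
        proxy_ssl_server_name         on;   # send SNI to the upstream
    }
}
```

With verification off, anything that can answer on the upstream address is accepted as winnie. With the pinned file, the trust is limited to that one certificate, and the file has to be replaced whenever winnie's certificate is reissued.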
comment:8 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
There, WikiStart page is green-locked for me now: https://trac.osgeo.org/postgis/wiki/WikiStart
Will close this, and we can use a different ticket for slaves (which I still think are the direction we should take)
I've enabled HTTPS for debbie, using letsencrypt (but did not prepare any provision for renewing the certs, so will need to check it again when that happens).
For winnie, it would be easy if "winnie.postgis.net" pointed to debbie's IP, so I could use it as a proxy for the real winnie. Is that possible?