#1633: Update OSGeo SSL certificate - if needed
---------------------------+---------------------------------
Reporter: msmitherdc | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords: ssl web certificate
---------------------------+---------------------------------
Received this email:
From: renewals@comodorenewals.com
To: tmitchell@osgeo.org
Sent: Wednesday, March 2, 2016 8:03:45 AM
Subject: You have 60 days to renew your SSL certificate
Dear Tyler Mitchell
This email is your notification of renewal for your SSL certificate for
*.osgeo.org You have 60 days to renew your certificate, but why delay and
put your customers security at risk? You don’t lose out with Comodo,
because if you act now to renew your certificate we will add the 60 days
remaining on your current certificate onto your new one at no extra charge
so you can begin using your new certificate immediately, plus to thank you
for being a valued customer we will even add an extra month FREE! Simply
click on the link below: http://www.instantssl.com/ttb_searcher/go_ssl?v1=21718773&v2=21
As an existing customer of InstantSSL we can expedite your renewal
application as long as you login using your existing username and
password.
Don’t forget, Comodo’s PremiumSSL Wildcard Certificates are the most cost-
effective range of fully trusted and recognized SSL certificates in the
market. To save money and avoid having to renew every year, we HIGHLY
RECOMMEND a 3 year certificate - http://www.instantssl.com/ttb_searcher/go_ssl2?v1=21718773&v2=35&v3=5
Thank you for choosing Comodo - we look forward to continuing to provide
you with the most cost-effective certificates in the market
If I recall the conversation from last time we did this, many thought
the current vendor was overpriced.
Does someone want to volunteer to look around at pricing options,
including logging into our current provider and getting the price for
renewal?
Maybe we can pull info together and make a decision by the end of the month?
Thanks,
Alex
On March 3, 2016 6:35:22 PM GMT+08:00, Sandro Santilli strk@keybit.net wrote:
On Wed, Mar 02, 2016 at 11:13:03AM -0800, Alex M wrote:
> If I recall the conversation from last time we did this, many thought
> the current vendor was overpriced.
>
> Does someone want to volunteer to look around at pricing options,
> including logging into our current provider and getting the price for
> renewal?
>
> Maybe we can pull info together and make a decision by the end of the month?
Please consider switching to "Let's Encrypt":
[https://letsencrypt.org/](https://letsencrypt.org/)
It's a free, automated and open certificate authority.
--strk;
---
Sac mailing list
Sac@lists.osgeo.org
[http://lists.osgeo.org/mailman/listinfo/sac](http://lists.osgeo.org/mailman/listinfo/sac)
We’ve used these (let’s encrypt) certs in a few places. You just want to remember the administration overhead from the short expiry.
– Sent from my Android device with K-9 Mail. Please excuse my brevity.
#1633: Update OSGeo SSL certificate - if needed
---------------------------------+--------------------
Reporter: msmitherdc | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: ssl web certificate |
---------------------------------+--------------------
Comment (by wildintellect):
Will the letsencrypt cert work for our LDAP configuration? https://wiki.osgeo.org/wiki/SAC:SSLCert
Do we have any other services outside of http/https that rely on a higher
standard cert (svn, mail, git?).
I am +1 for adding letsencrypt as a service to all websites hosted on osgeo
that are not *.osgeo.org domains. We would need a good cron job/process
for staying up on the renewals.
Can someone shop around for types of certs and prices that meet our need?
My recommendation, we take the weekend to shop around and buy a new cert
for a better price for 3-5 years. Please everyone take 5 minutes to look
for an option and reply to the thread with url and prices.
Last time it was $1500 if I recall, I think we can at least get it down
to $1000 just by using a different vendor.
If I understand correctly we have 2 certs (can someone verify)?
osgeo.org
*.osgeo.org
Long term we should start using letsencrypt on various other domains we
host. Foss4g.org would be a good place to start.
We need to make the purchase roughly on Monday to have time to get it
verified, created and deployed next week.
Any opinions?
Thanks,
Alex
No suggestions. We need a new top domain and wildcard cert in place end
of this week to avoid service interruption. While letsencrypt sounds
great I'm not ready to jump in without running it for a while on test
domains (volunteers welcome). Mostly I'm worried about the overhead of
dealing with renewals (automated or not), every 2 months we'd need to
make sure it goes smooth.
I'm recommending 2-3 year cert this time (last time was a 5 yr). This
gives us some time to think and test, and things will probably change
even more in that time.
Please chime in, as we need to get this process started today. Alternate
suggested vendors are welcome.
Thanks,
Alex
On 04/20/2016 12:48 PM, Alex M wrote:
This deadline is looming.
Comment (by wildintellect):
I've created a new certificate good for 3 years (new vendor SSL.com).
Account info is in the access file.
New cert should be ready to use, all files are in ~/sslcerts/2016 of the
root account on secure. We should roll this out to a lesser used domain
1st to test, then to all *.osgeo.org domains before Sunday when the
current cert expires. Please chime in if you can handle particular
sites/servers.
Down the line I would like to pilot letsencrypt on all other domains we
host (offering optional SSL for everything). Anyone want to take charge of
this part of the project?
Comment (by wildintellect):
Seems this drama isn't quite over. Anyone know the difference between a DV
and OV certificate, and if we really need an OV (I bought a DV it turns
out)?
Comodo is offering to renew our supposed OV (can't actually tell if it's
an OV because it's got a flag related to still using SHA-1) for $1200 with
2 yrs free (so 5 year). Which brings it back down closer to what we just
paid per year. FYI, we can get a full refund on the current purchase
within 30 days.
I'm trying to get access to the Comodo account to investigate more.
#1633: Update OSGeo SSL certificate - if needed
---------------------------------+--------------------
Reporter: msmitherdc | Owner: sac@…
Type: task | Status: new
Priority: critical | Milestone:
Component: Systems Admin | Resolution:
Keywords: ssl web certificate |
---------------------------------+--------------------
Comment (by strk):
Only 9 months are elapsed since the SSL.com certificate was issued, so
there should be time before we switch. Could your issue be a temporary
glitch on Travis ? I'm all for switching all to letsencrypt and happy to
do it but wouldn't rush if not needed. Anyway, my SSL cert (letsencrypt)
is rated A (for comparison): https://www.ssllabs.com/ssltest/analyze.html?d=strk.kbt.io
I agree we should try to solve what's wrong with the current
certificate. Long term a plan to transition to something else would be
fine, but it needs to be a planned, tested and scheduled roll out with
maintenance documented if automated renewals need to be coded.
On Mon, Jan 30, 2017 at 05:58:04PM +0100, Markus Neteler wrote:
On Mon, Jan 30, 2017 at 5:03 PM, Alex Mandel <tech_dev@wildintellect.com> wrote:
> On 01/30/2017 12:11 AM, OSGeo wrote:
>> #1633: Update OSGeo SSL certificate - if needed
...
> I agree we should try to solve what's wrong with the current
> certificate.
How to do that? Do other OSGeo projects have the same issue (they
should I think)?
Do you know of other OSGeo projects having Travis fetch code from SVN ?
Travis for PostGIS and GEOS fetch code from github mirror itself...
I think that the C rating comes from the supported (or rather not
supported) protocol versions, not the certificate. A new certificate
with the same config may have the same results.
On Tue, Jan 31, 2017 at 12:26:52AM +0100, Markus Neteler wrote:
On Jan 30, 2017 6:11 PM, "Sandro Santilli" <strk@kbt.io> wrote:
> Do you know of other OSGeo projects having Travis fetch code from SVN ?
> Travis for PostGIS and GEOS fetch code from github mirror itself...
Maybe GRASS GIS should set up a github as well? How to do that?
I don't want to be championing that, only it sounded weird to me that
Travis could be used outside of GitHub. I didn't know you could do that.
If you ask me, I'd have you try the experimental OSGeo GitLab
(https://git.osgeo.org/gitlab) or the more used experimental OSGeo
Gogs (https://git.osgeo.org/gogs). Both do come with support for
continuous integration, but I guess as you found out how to setup
Travis to fetch code from SVN you could as well set it up to fetch
code from any GIT repository too.
So, in the end, the Mac tests seem to be suboptimally configured at
our end. Will follow-up in grass-dev.
> If you ask me, I'd have you try the experimental OSGeo GitLab
> (https://git.osgeo.org/gitlab) or the more used experimental OSGeo
> Gogs (https://git.osgeo.org/gogs). Both do come with support for
> continuous integration, but I guess as you found out how to setup
> Travis to fetch code from SVN you could as well set it up to fetch
> code from any GIT repository too.
Yes, if the server hardware can handle more requests...