[SAC] [OSGeo] #2115: Make download.osgeo.org also available via HTTPS

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+-------------------
Reporter: Bas Couwenberg | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
----------------------------+-------------------
The lintian QA tool complains about the insecure URI used for various
projects on download.osgeo.org.

Please make download.osgeo.org also available via HTTPS.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+-------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
----------------------------+-------------------
Changes (by robe):

* owner: sac@… => robe

Comment:

As discussed, we'll put in Let's Encrypt. I'll take ownership and try to get
it done this week or next.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:1>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

Comment:

Bas, can you give it a try now?

https://download.osgeo.org/

I also had to change the logo on the page to use the ssl logo on the osgeo site.

I ended up not going with letsencrypt because there is no certbot package for
wheezy, and the alternative certbot-auto wanted to install like 90
packages, python, etc., so I figured it was safer to just go with the
wildcard ssl certificate we have (which I copied from trac).

There was actually an older ssl site disabled (but it was using the
expired key and also tried to secure download.osgeo.osuosl.org, which
would need a different key), so I chucked that site and replaced it with a new
ssl one.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:2>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------

Comment (by Bas Couwenberg):

Looks like the CA chain is not configured correctly:
{{{
uscan warn: In watchfile debian/watch, reading webpage
   https://download.osgeo.org/geos failed: 500 Can't connect to
download.osgeo.org:443 (certificate verify failed)
}}}

The SSL Labs Server Test confirms this:
{{{
Additional Certificates (if supplied)

Certificates provided 1 (1214 bytes)
Chain issues Incomplete
}}}
See:
https://www.ssllabs.com/ssltest/analyze.html?d=download.osgeo.org&hideResults=on

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:3>
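
The "certificate verify failed" / "Chain issues Incomplete" symptom reported above can be reproduced offline; the following is an added example, not part of the ticket or OSGeo's configuration. It assumes the `openssl` command-line tool is installed, and every certificate, file name and the host name `download.example.org` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed three-level PKI (root -> intermediate -> leaf).
# Every name and file below is made up for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that mark a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

new_csr() {  # new_csr <basename> <common name>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

new_csr root "Constructed Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null
new_csr int "Constructed Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null
new_csr leaf "download.example.org"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null

# What a server can send in its TLS handshake:
cat leaf.pem > served_leaf_only.pem            # "Certificates provided 1"
cat leaf.pem int.pem > served_fullchain.pem    # leaf followed by its intermediate

certs_provided() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# A client trusts only the root. It verifies the first certificate in the
# served bundle, using the bundle itself as the pool of untrusted intermediates.
chain_ok() {
    openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in served_leaf_only.pem served_fullchain.pem; do
    if chain_ok "$f"; then r="verifies"; else r="certificate verify failed"; fi
    echo "$f: $(certs_provided "$f") certificate(s) provided, $r"
done
```

Browsers often mask a leaf-only configuration by reusing cached intermediates or fetching them on their own, which is why a command-line client such as uscan tends to be the first to report it.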

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+-----------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: reopened
Priority: normal | Milestone:
Component: Systems Admin | Resolution:
Keywords: |
----------------------------+-----------------------
Changes (by robe):

* status: closed => reopened
* resolution: fixed =>

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:4>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------
Changes (by robe):

* status: reopened => closed
* resolution: => fixed

Comment:

Should be fixed now. I rechecked and it now gives an A+ rating.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:5>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------

Comment (by Bas Couwenberg):

Yes, much better. Thanks!

Is there monitoring or a calendar reminder for the certificate renewal?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:6>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------

Comment (by martin):

Just to be safe, I'll add one to my business calendar :wink:

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:7>

#2115: Make download.osgeo.org also available via HTTPS
----------------------------+---------------------
Reporter: Bas Couwenberg | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: Systems Admin | Resolution: fixed
Keywords: |
----------------------------+---------------------

Comment (by robe):

The wildcard ssl is expiring May 1st, 2019. I don't think we have plans
to renew.

We'll probably have all switched to letsencrypt by that time. I didn't
since it was too much hassle for this old hardware/OS.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2115#comment:8>