[SAC] [OSGeo] #2256: Migrate All HTTPS Certs to Lets Encrypt

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+-------------------
Reporter: wildintellect | Owner: sac@…
     Type: task | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords:
---------------------------+-------------------
The *.osgeo.org cert expires May 1, 2019.
We should find and move all remaining domains that are still using it to
Let's Encrypt.

1. Inventory of osgeo.org domains and which cert they use.
2. Plan on how to convert each of those over.

Related Ticket #2143

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
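Step 1 of the ticket (inventory which certificate each domain serves and when it expires) is easy to automate. The script below is an added example written for this ticket, not a tool from OSGeo SAC: it classifies a host's served certificate by issuer organization, days to expiry, wildcard use and whether the certificate actually covers the hostname, using the dictionary shape `ssl.SSLSocket.getpeercert()` returns. The `HOSTS` list is taken from the ticket; `SAMPLE_CERTS` is constructed sample data so the classification runs offline, and the live fetch in the `__main__` block is an assumption about how you would run it against real hosts.

```python
"""Inventory which certificate each host serves and flag the ones that still
need moving to Let's Encrypt. Added example for this ticket, not OSGeo code."""
import socket
import ssl
from datetime import datetime, timezone

LETSENCRYPT_ORG = "Let's Encrypt"   # organizationName in a Let's Encrypt issuer DN

# Hosts named on the ticket as still using the SSL.com *.osgeo.org wildcard.
HOSTS = ["download.osgeo.org", "trac.osgeo.org", "svn.osgeo.org", "wiki.osgeo.org"]

# Constructed sample certificates in the dict shape getpeercert() returns.
SAMPLE_CERTS = {
    "trac.osgeo.org": {
        "subject": ((("commonName", "*.osgeo.org"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", "SSL.com"),)),
        "notAfter": "May  1 23:59:59 2019 GMT",
        "subjectAltName": (("DNS", "*.osgeo.org"), ("DNS", "osgeo.org")),
    },
    "lists.osgeo.org": {
        "subject": ((("commonName", "lists.osgeo.org"),),),
        "issuer": ((("organizationName", "Let's Encrypt"),),
                   (("commonName", "Let's Encrypt Authority X3"),)),
        "notAfter": "Jun 30 12:00:00 2019 GMT",
        "subjectAltName": (("DNS", "lists.osgeo.org"),),
    },
}


def issuer_org(cert):
    """Pull organizationName out of the issuer RDN sequence."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def expires_at(cert):
    """notAfter is rendered like 'May  1 23:59:59 2019 GMT'; return it as aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


def cert_covers(cert, host):
    """Hostname match against the DNS SANs; a wildcard covers exactly one leftmost label."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def classify(host, cert, as_of, warn_days=30):
    """One inventory row: who issued it, when it expires, and whether it must be migrated."""
    org = issuer_org(cert)
    exp = expires_at(cert)
    days_left = (exp - as_of).days
    return {
        "host": host,
        "issuer": org,
        "expires": exp.date().isoformat(),
        "days_left": days_left,
        "wildcard": any(k == "DNS" and v.startswith("*.")
                        for k, v in cert.get("subjectAltName", ())),
        "covers_host": cert_covers(cert, host),
        # Anything not already on Let's Encrypt, or close to expiry, goes on the work list.
        "needs_migration": org != LETSENCRYPT_ORG or days_left < warn_days,
    }


def inventory(certs, as_of="2019-04-10"):
    """certs: {host: cert-dict}; as_of: ISO date the expiry is measured against."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return {h: classify(h, c, now) for h, c in certs.items()}


def fetch_cert(host, port=443, timeout=5):
    """Fetch the served certificate with normal verification. An expired or
    mis-named cert raises ssl.SSLCertVerificationError, which the caller
    records as needing attention instead of silently skipping the host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    live = {}
    for h in HOSTS:
        try:
            live[h] = fetch_cert(h)
        except (OSError, ssl.SSLError) as e:
            print(f"{h:24} could not verify served certificate: {e}")
    today = datetime.now(timezone.utc).date().isoformat()
    for row in inventory(live, today).values():
        flag = "MIGRATE" if row["needs_migration"] else "ok"
        print(f"{row['host']:24} {row['issuer']:16} exp {row['expires']} "
              f"({row['days_left']:>4}d) covers={row['covers_host']} {flag}")
```

Run it as a script to print one line per host; hosts whose certificate fails verification are listed separately, since a failed handshake is itself a reason to put the host on the migration list. Measured against 2019-04-10, the constructed `trac.osgeo.org` sample (SSL.com wildcard, 21 days left) is flagged and the `lists.osgeo.org` sample (Let's Encrypt, 81 days left) is not.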

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):

* owner: sac@… => robe
* milestone: => Sysadmin Contract 2019-I

Comment:

Ones that need to be migrated:

These use the SSL.com *.osgeo.org cert, which expires May 1st, 2019:

download.osgeo.org
trac.osgeo.org
svn.osgeo.org
wiki.osgeo.org

------

openlayers.org (uses Comodo SSL, June 16, 2019 -- do we manage this, or does
the openlayers group?)

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:1>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by robe):

Added letsencrypt certs to the following websites on webextra (I did not
bother with the old archived foss4g sites).

Note that for webextra it's important to use --no-self-upgrade when doing
this, since the server is so ancient that it can't support the new Let's
Encrypt.

{{{
  /usr/src/letsencrypt/certbot/certbot-auto --no-self-upgrade
}}}

#these got a new ssl cert (didn't have any before)
{{{
foss4g.org
www.foss4g.org
webextra.osgeo.osuosl.org
video.foss4g.org (there are some insecure logos, so https gives warnings)

}}}

#replaces the ssl.com cert with Letsencrypt
{{{
live.osgeo.org
journal.osgeo.org
planet.osgeo.org
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:2>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by robe):

osgeo6 had the old certbot and it's running Debian 8. Certbot recommends
using certbot-auto for Debian 8 (and not the one from the repo, which is
too old).

So first I had to remove the old certbot and install the new one.
I assumed Martin used aptitude here since I know he prefers that, so I used
that too.

{{{
aptitude remove certbot #was at 0.11
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
mv certbot-auto /bin/
certbot-auto --apache
}}}

Some domains were live in here, but they are not hosted here or seem dead,
so I left them alone or disabled the site:

{{{
featureserver.org (this is running on projects.osgeo.osuosl.org)
ol3js.org (was showing the foss4g2018 community review - I didn't renew or
kill it, but it should probably be killed. I'll send a note about this one)
www.openlayers.org, blog.openlayers.org (are hosted at 104.211.15.*;
however dev and docs (which point at the OL2 docs) are still here - can we
kill these? They are all in openlayer.conf along with the live sites, so I
didn't disable them)

projects.osgeo.osuosl.org is not on this server #looks like maybe Martin
started moving everything to osgeo6 from that server, as all that is left
there appears to be community-rewiew.foss4g.org.conf, featureserver.org.conf
and sr.org.conf (so nixed this)

remotesensing.org, www.remotesensing.org - just a WIX flash page, so
disabled it
www.tilecache.org -- is this project still alive? I didn't renew, but
didn't disable the site either
ol3js.org - pointing to projects, but it's mixed in with everything else

}}}

Then the certs I renewed with certbot-auto:

#these were already using it, but needed to be renewed with the new TLS
{{{
drone.osgeo.org
gdal.org, www.gdal.org #was using certbot, was expiring 4/24
grass.osgeo.org
grasswiki.osgeo.org
lists.osgeo.org
mapserver.osgeo.org

}}}

These had no cert, so I added letsencrypt:

{{{
geotools.org, www.geotools.org
docs.geotools.org
mapserver.gis.umn.edu
}}}

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:3>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by wildintellect):

We have a report that the gdal.org and mapserver.org certs are not working.
Ticket #2270.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:4>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by robe):

Moved trac.osgeo.org, svn.osgeo.org, git.osgeo.org to LetsEncrypt.

Note I had to copy the certbot-auto from webextra, because the one you pull
from letsencrypt doesn't work with Debian Wheezy, which is running on trac,
and set it to not auto-upgrade. Added to crontab to auto-renew.

Installed the new certs with these commands:
{{{
certbot-auto -d svn.osgeo.org --no-self-upgrade
certbot-auto -d trac.osgeo.org --no-self-upgrade
certbot-auto -d git.osgeo.org --no-self-upgrade
}}}

I did not bother with trac.openlayers.org and svn.openlayers.org, but those
will need to be bundled. Not sure they are even still in use.

I think we will be coming close to our cap of renewals, as it's 5 every 7
days.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:5>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by robe):

Never mind about the limit -- I think we are okay:
https://letsencrypt.org/docs/rate-limits/

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:6>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution:
Keywords: |
---------------------------+---------------------------------------

Comment (by robe):

I couldn't get letsencrypt to install on web.osgeo.osuosl.org, so I
reimaged it as an lxd container called old-web.

Then I repointed fdo.osgeo.org and id.osgeo.org to the new container,
proxying through nginx.

I did discover that even with the redirects, I could proxy (old or new)
using https://140.211.15.66:443 (I think it ends up using an eventually
expired cert).

Rather than fiddling with the redirect and having it go straight http, I
decided to do

https://old-web.lxd (it shows it's using letsencrypt, but since it relies
on the ssl wildcard about to expire, it may not hold -- we'll see).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:7>

#2256: Migrate All HTTPS Certs to Lets Encrypt
---------------------------+---------------------------------------
Reporter: wildintellect | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2019-I
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+---------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

Comment:

I think I got all the sites. Will reopen if I missed any.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2256#comment:8>