Opened 3 years ago

Last modified 2 years ago

#2820 new enhancement

SSL is the future!

Reported by: dustin
Owned by:
Priority: major
Milestone: sys - other
Version: 0.8.7p1
Keywords:
Cc: verm

Description (last modified by sa2ajj)

https://www.globalsign.com/ssl/ssl-open-source/

Currently we support no HTTPS at all on any of the buildbot.net properties. It would be awesome if we could get SSL enabled for https://trac.buildbot.net, at least since the logins are embarrassingly cleartext.

Beyond that, in the spirit of resetting the web, it'd be great to have buildbot.net, docs.buildbot.net, buildbot.buildbot.net, and lists.buildbot.net (and, well, every vhost we run) using SSL, too.

If GlobalSign will give us a *.buildbot.net, that'd be awesome. If they're willing to give us a few certs, that's awesome too. If they'll only give us one, and we use another free service for the others, that's OK too.

Change History (22)

comment:1 Changed 3 years ago by dustin

  • Milestone changed from systems to sys - other

Milestone renamed

comment:2 Changed 3 years ago by jollyroger

I am running startssl.com certificates on my company's services and am pretty much satisfied with them. One of the key differences that makes them interesting to me is that they charge you during validation. This means you could actually pass validation once and then issue as many certificates as you need. One important note here is that you'll be charged $25 if you send a revocation request. But there are no limitations on the number of domains or certificates, only that the CN should be unique.

To actually be able to get wildcard certificates (issued only to the organization) you pass Personal Validation (see http://www.startssl.com/?app=34) and Organization Validation (see http://www.startssl.com/?app=35). Both cost $60, but since I already have an account there, I could get a $30 discount that'll beat most CAs on price. This gives you the possibility to issue any number of certificates you could ever need. Also, such certificates are valid for 3 years, not 1 year as usual. I could also ask support if there could be a discount for an open source project.

Since our clients are financial organizations, I can tell these guys will remove most CAs they haven't personally heard of, so only some major market players are available for them (corporate software setup in financial organizations is something that makes me feel very bad). I haven't seen any problems with generic Windows, Linux, MacOS, Android and iOS devices though. Please consider this fact, as it can scare newcomers upon entering the site.

Last edited 3 years ago by jollyroger

comment:3 Changed 3 years ago by sa2ajj

GlobalSign needs to be contacted.

Who is in the position to do that?

comment:4 Changed 3 years ago by sa2ajj

  • Description modified

comment:5 Changed 3 years ago by sa2ajj

OK, I felt courageous:

Hi Mikhail,

Thank you for applying for a free GlobalSign SSL Certificate for your Open Source Project.

What happens next?

1. GlobalSign will check if your project is licensed and approved by the Open Source Initiative.

2. Once approved, you will receive an email from GlobalSign containing a campaign code to order your free SSL Certificate.

Please allow up to one week to receive an email confirmation from GlobalSign. If you have any questions in the interim, please contact GlobalSign at sales-us@globalsign.com

GMO GlobalSign
2 International Drive
Portsmouth, NH 03801
United States

(Side note: I used to live in Portsmouth, UK :))

comment:6 Changed 3 years ago by dustin

<3 do-ocracy!

Since globalsign is in progress, let's go with that for the moment. If that doesn't work out, startssl looks great too. Prices in the $10's are no problem for Buildbot.

comment:7 Changed 3 years ago by sa2ajj

Finally an update:

Hi Mikhail,

Thank you for submitting an application to receive a free SSL Certificate for your Open Source Project. Your open source project has been approved. To order your SSL Certificate please use the following campaign code during the ordering process: XXXXXXXXXXXXX. This code is valid for a Domain Validated SSL Certificate (link), you may begin the ordering process here (link).

If you have any questions during the ordering process please don't hesitate to contact me directly or use the live chat feature on globalsign.com

Sincerely,

Chris Algiere

GlobalSign Marketing Team

comment:8 Changed 3 years ago by sa2ajj

This is the information that is required for the certificate (new order):

Organization Name:
First Name:
Last Name:
Telephone (Include dialling code):
Email Address:
Country:

comment:9 Changed 3 years ago by dustin

(details supplied via email)

comment:10 Changed 3 years ago by sa2ajj

I tried to go through their process, however they require something besides what's listed above.

I contacted Chris (see above) to ask if he has a "checklist/preparation sheet" so all this information could be prepared offline and then the submission process could be completed without wondering "what would be the right information for this bit?"...

comment:11 Changed 3 years ago by dustin

Mikhail, how's this going? #2847's done, but https://ftp.buildbot.net still has an unrecognized cert, so it'd be cool to fix that.

comment:12 follow-up: Changed 3 years ago by jollyroger

The error in the HTTPS connection is caused by the certificate chain not being included in the web server configuration. This link could help you fix the issue: https://support.globalsign.com/customer/portal/articles/1225234-install-certificate---apache-openssl

comment:13 Changed 3 years ago by jollyroger

My bad, I hadn't looked at the exact certificate issuer. Here are instructions for CACert: http://wiki.cacert.org/SimpleApacheCert

comment:14 in reply to: ↑ 12 Changed 3 years ago by verm

Replying to jollyroger:

The error in the HTTPS connection is caused by the certificate chain not being included in the web server configuration. This link could help you fix the issue: https://support.globalsign.com/customer/portal/articles/1225234-install-certificate---apache-openssl

This has been fixed; I forgot to set this up! I didn't check whether the certificate I created was chained or not. If not, I will fix it in the morning; I'm not in a position to fix the cert now.

In any case this will be fixed once we have a cert from an 'authenticated' CA.
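
Comments 12 to 14 diagnose the classic cause of an "unrecognized certificate" warning: the server sends only its own (leaf) certificate, and a client that trusts the root but does not carry the intermediate cannot build a path to it. The script below is an added example, not buildbot.net's configuration or any thread participant's code: it builds a throwaway root, intermediate and wildcard leaf with openssl, reproduces the failure with a leaf-only file, and shows the fix with a "fullchain" file (leaf followed by the intermediate). Every name in it (`*.example.test`, `ftp.example.test`, the function names) is made up for the demonstration, and it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not buildbot.net's own setup): why a missing intermediate
# breaks HTTPS, and how to check a chain file before deploying it.
# Assumes OpenSSL 1.1.1+; all names below are made up for the demo.
set -e

# make_test_pki DIR: writes root.pem/root.key, int.pem, leaf.pem and
# fullchain.pem into DIR (a locally generated throwaway PKI, not a real CA).
make_test_pki() {
    d=$1
    # Extensions for both CA certs: marked as CAs, allowed to sign certs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Extensions for the wildcard server cert (what a browser checks the name against).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"

    # Root CA: self-signed. This is what a client has in its trust store.
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -key "$d/root.key" -subj "/CN=Example Test Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root. Clients generally do NOT ship this,
    # so the server has to send it along with the leaf.
    openssl genrsa -out "$d/int.key" 2048 2>/dev/null
    openssl req -new -key "$d/int.key" -subj "/CN=Example Test Intermediate CA" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null

    # Wildcard leaf (server) certificate, signed by the intermediate.
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=*.example.test" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    # What the web server should serve: leaf first, then the intermediate(s).
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# chain_is_complete ROOT_PEM SERVED_PEM HOSTNAME
# Succeeds only if the first certificate in SERVED_PEM (the leaf) chains up
# to ROOT_PEM using nothing but the other certificates in SERVED_PEM, and is
# valid for HOSTNAME. That mirrors a client that trusts only the root.
chain_is_complete() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in FILE (1 means "leaf only").
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# show_chain FILE: print subject/issuer of every certificate in FILE in order.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"

    echo "== leaf.pem ($(count_certs "$dir/leaf.pem") cert): what the misconfigured server sends"
    show_chain "$dir/leaf.pem"
    # openssl's own diagnosis of the broken case (the classic 'unable to get
    # local issuer certificate'); the failure is expected here.
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/leaf.pem" "$dir/leaf.pem" 2>&1 || true
    if chain_is_complete "$dir/root.pem" "$dir/leaf.pem" ftp.example.test; then
        echo "leaf only: verifies (unexpected)"
    else
        echo "leaf only: FAILS, the client cannot find the intermediate"
    fi

    echo "== fullchain.pem ($(count_certs "$dir/fullchain.pem") certs): what it should send"
    show_chain "$dir/fullchain.pem"
    if chain_is_complete "$dir/root.pem" "$dir/fullchain.pem" ftp.example.test; then
        echo "full chain: OK for ftp.example.test"
    fi
    # A complete chain is still rejected for a name the SAN does not cover.
    if ! chain_is_complete "$dir/root.pem" "$dir/fullchain.pem" ftp.other.test; then
        echo "full chain: rejected for ftp.other.test (hostname mismatch), as it should be"
    fi
    rm -rf "$dir"
}

demo
```

On a live server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`: if only one certificate is printed, the chain file was not installed. For Apache that means pointing SSLCertificateChainFile at the intermediate (or, on 2.4.8 and later, appending the intermediate to the file given to SSLCertificateFile); nginx expects the concatenated file in ssl_certificate. Note that openssl verify, like a browser, refuses the leaf when the intermediate is missing even though the hostname matches, and refuses a complete chain whose SAN does not cover the hostname.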

comment:15 Changed 3 years ago by dustin

This just got a lot easier with https://letsencrypt.org/ :)

IMHO we shouldn't have *any* web presences on the new infra that don't use SSL (Trac being grandfathered in until it's under Ansible). This is particularly easy for us since each site has its own IP -- no need to depend on SNI.

comment:16 follow-up: Changed 3 years ago by sa2ajj

It just creates a headache of managing many certificates, otherwise it looks good.

(I've been reading a long discussion at HN :))

comment:17 in reply to: ↑ 16 Changed 3 years ago by verm

Replying to sa2ajj:

It just creates a headache of managing many certificates, otherwise it looks good.

I try to measure the 'headaches' as an overall metric. :) At the end of the day, doing it this way will be less work to maintain. Some things will always be annoying no matter how you do it; all you can do is shift it around, not get rid of it.

comment:18 follow-up: Changed 3 years ago by dustin

We have a cert:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

and a corresponding key in service2:~amar/cert. It's a wildcard cert for *.buildbot.net.

However, we need to set things up with a self-signed certificate first and pass most of the globalsign checks before deploying the real key (though I don't really understand why).

comment:19 in reply to: ↑ 18 Changed 3 years ago by verm

Replying to dustin:

However, we need to set things up with a self-signed certificate first and pass most of the globalsign checks before deploying the real key (though I don't really understand why).

Just good policy: once we harden the setup there will be no chance of us leaking our key somehow. I don't know what the state of every machine is currently; it's just a precaution.

comment:20 Changed 3 years ago by verm

The procedure I followed for RTEMS was:

  • Updated all systems / jails to the latest version (10.1) of FreeBSD.
  • Set up a single webserver until it passed all ssllabs/globalsign checks.
  • Copied the setup to all systems.
  • Installed Globalsign certificate.

The only check that will 'fail' is using a self signed certificate. Using this method we passed with 99%+ once the real cert was installed.

comment:21 Changed 2 years ago by skelly

This happened a little while ago, but TLS is enabled on static sites but isn't the default. I have not verified that all of the sites work 100% using TLS.

The proxy setups (buildbot.buildbot.net and nine) and trac still need to be converted. Converting trac will be the hardest because it is not controlled by ansible.

comment:22 Changed 2 years ago by skelly

Things proxied by nginx now have SSL enabled. Things I can think of right now that still need SSL support:

  • trac because it uses Apache.
  • postfix for when the mailing lists migrate.