Details
- Task
- Status: Closed
- Major
- Resolution: Implemented
Description
This is a transition from INFRA-11960.
After some tries, I have finally decided to adapt and use http://blog.ivantichy.cz/blogpost/view/74 which is the most convenient way for OFBiz.
Since we need to use SANs (for demo-trunk-ofbiz.apache.org, demo-stable-ofbiz.apache.org and demo-old-ofbiz.apache.org, which are actually OFBiz instances using different sets of ports), I will try to use "-d ofbiz-vm.apache.org" as the 1st "-d" argument, and if that does not work I'll simply use the "-d" parameter with the other sub-domains only. What I actually need is a renewable certificate in the OFBiz Java keystore (ofbiz.jks) with the SANs present. From my experience, the (adapted) script above should provide me that.
Maybe another possibility would be to install our own HTTPS and use the instructions provided by Sam Ruby in INFRA-11960. I have to balance the work with adapting the script I referred to above.
The EFF has published new instructions: https://certbot.eff.org/#ubuntutrusty-apache
FWIW, I had no problem moving from whimsy-vm2 to whimsy-vm3. I've now got certs for a second machine (ghmon-vm). Here are the Puppet instructions to download certbot, create a cronjob, and use the certificates with Apache httpd:
Once this is deployed, all that is left is running a single command: certbot-auto -d host1.apache.org -d host2.apache.org... and answering two prompts (you need to provide an email address and to indicate that you have read the terms of service).
Issue Links
- relates to OFBIZ-1525 Issue to group security concerns (Open)