
Bug#772560: marked as done (debsources: please add a CA-signed SSL setup)



Your message dated Tue, 23 Dec 2014 17:22:21 +0100
with message-id <20141223162221.GA10979@upsilon.cc>
and subject line Re: Bug#772560: debsources: please add a CA-signed SSL setup
has caused the Debian Bug report #772560,
regarding debsources: please add a CA-signed SSL setup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772560
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: qa.debian.org
Severity: normal
User: qa.debian.org@packages.debian.org
Usertags: debsources

Please add an SSL certificate signed by the CAs so that users visiting
the site over SSL don't get warnings from their browsers. There are 3
CAs offering gratis certs, GlobalSign's offer seems the best for now:

https://www.globalsign.com/ssl/ssl-open-source/

You will need to adjust the following instructions depending on
requirements from GlobalSign but a basic rundown:

Create a private key and .csr (cert signing request) on the server:

openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sources.debian.net.key -out sources.debian.net.csr -subj '/O=Debian/OU=QA/CN=sources.debian.net/emailAddress=debian-qa@lists.debian.org'

Save the .key to this path on the server, chmod 600: 

/etc/ssl/private/sources.debian.net.key

Upload the .csr to the GlobalSign website and save the .crt file here:

/etc/ssl/debian/certs/sources.debian.net.crt

There will also be a CA issuer chain involved, save that here:

/etc/ssl/debian/certs/sources.debian.net.crt-chain

If you would like to have the same level of SSL setup as debian.org
hosts, you can install libapache2-mod-macro and drop the two config
files below into your apache2 setup, then use the macros like this:

Use common-debian-service-https-redirect * sources.debian.net
<VirtualHost *:443>
  ServerName sources.debian.net
  Use common-debian-service-ssl sources.debian.net
  Use common-ssl-HSTS
</VirtualHost>

https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/apache2/files/puppet-config
https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/apache2/files/puppet-ssl-macros

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
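
Added example, not part of the original message or of Debian's own configuration: checks one could run after the steps in the message above, namely that the key is mode 600, that the key, CSR and certificate carry the same public key, and that the certificate verifies against the issuer chain. The file names, function names and the throwaway test CA standing in for the real issuer are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example. File names and the throwaway CA are constructed stand-ins,
# built in a temp dir; "stat -c" assumes GNU coreutils (as on Debian).

# Succeeds when the private key file $1 has mode exactly 600.
key_mode_ok() { [ "$(stat -c %a "$1")" = "600" ]; }

# Print the PEM public key held in a private key, CSR or certificate.
pubkey() {  # $1 = key|req|x509, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeeds when key $1, CSR $2 and certificate $3 share one public key.
same_keypair() {
    k=$(pubkey key "$1") && [ -n "$k" ] &&
        [ "$k" = "$(pubkey req "$2")" ] && [ "$k" = "$(pubkey x509 "$3")" ]
}

# Succeeds when certificate $2 verifies against issuer chain file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build constructed sample files in directory $1: key + CSR, a test CA
# that signs the CSR, and an unrelated key for the mismatch case.
make_sample() {
    ( cd "$1" && umask 077 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout site.key \
          -out site.csr -subj '/O=Example/CN=site.example' &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -out chain.pem -days 30 -subj '/CN=Constructed Test CA' &&
      openssl x509 -req -in site.csr -CA chain.pem -CAkey ca.key \
          -CAcreateserial -days 30 -out site.crt &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}

# Run all three checks on the files in directory $1.
check_deploy() {
    key_mode_ok "$1/site.key" || { echo "key is not mode 600"; return 1; }
    same_keypair "$1/site.key" "$1/site.csr" "$1/site.crt" ||
        { echo "key, CSR and certificate do not match"; return 1; }
    chain_ok "$1/chain.pem" "$1/site.crt" ||
        { echo "certificate does not verify against chain"; return 1; }
    echo "all checks passed"
}

d=$(mktemp -d) && make_sample "$d" && check_deploy "$d"
```

Comparing the extracted public keys catches the case where a certificate was issued for a CSR generated from a different key than the one installed on the server.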
--- Begin Message ---
On Mon, Dec 08, 2014 at 11:42:40PM +0800, Paul Wise wrote:
> Please add an SSL certificate signed by the CAs so that users visiting
> the site over SSL don't get warnings from their browsers.

This has now been done.

There are still some links pointing from https:// to http://, which
makes browsers not 100% happy, but the identity is verified at least.
Patches (and/or separate bug reports) welcome to fix the https -> http
links.

> There are 3 CAs offering gratis certs, GlobalSign's offer seems the
> best for now:
> 
> https://www.globalsign.com/ssl/ssl-open-source/

FWIW, I've applied for and obtained a 1-year certificate from GlobalSign
thanks to the above FOSS-friendly program. I hereby thank GlobalSign for
their support to Debian via the certificate they've given me.

Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  zack@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »

Attachment: signature.asc
Description: Digital signature


--- End Message ---