Your message dated Tue, 23 Dec 2014 17:22:21 +0100
with message-id <20141223162221.GA10979@upsilon.cc>
and subject line Re: Bug#772560: debsources: please add a CA-signed SSL setup
has caused the Debian Bug report #772560,
regarding debsources: please add a CA-signed SSL setup
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
772560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772560
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: bts <submit@bugs.debian.org>
- Subject: debsources: please add a CA-signed SSL setup
- From: Paul Wise <pabs@debian.org>
- Date: Mon, 08 Dec 2014 23:42:40 +0800
- Message-id: <1418053360.8517.40.camel@debian.org>
Package: qa.debian.org
Severity: normal
User: qa.debian.org@packages.debian.org
Usertags: debsources

Please add an SSL certificate signed by the CAs so that users visiting
the site over SSL don't get warnings from their browsers.

There are 3 CAs offering gratis certs, GlobalSign's offer seems the
best for now:

https://www.globalsign.com/ssl/ssl-open-source/

You will need to adjust the following instructions depending on
requirements from GlobalSign but a basic rundown:

Create a private key and .csr (cert signing request) on the server:

openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sources.debian.net.key -out sources.debian.net.csr -subj '/O=Debian/OU=QA/CN=sources.debian.net/emailAddress=debian-qa@lists.debian.org'

Save the .key to this path on the server, chmod 600:

/etc/ssl/private/sources.debian.net.key

Upload the .csr to the GlobalSign website and save the .crt file here:

/etc/ssl/debian/certs/sources.debian.net.crt

There will also be a CA issuer chain involved, save that here:

/etc/ssl/debian/certs/sources.debian.net.crt-chain

If you would like to have the same level of SSL setup as debian.org
hosts, you can install libapache2-mod-macro and drop the two config
files below into your apache2 setup, then use the macros like this:

Use common-debian-service-https-redirect * sources.debian.net

<VirtualHost *:443>
    ServerName sources.debian.net
    Use common-debian-service-ssl sources.debian.net
    Use common-ssl-HSTS
</VirtualHost>

https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/apache2/files/puppet-config
https://anonscm.debian.org/cgit/mirror/dsa-puppet.git/tree/modules/apache2/files/puppet-ssl-macros

--
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
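The files named in the report above can be checked for consistency once they are in place. This is an added example, not part of the original messages or of Debian's tooling: `check_tls_files` is a hypothetical helper that assumes GNU `stat` and the `openssl` command-line tool, and takes the key, certificate, chain file and host name as arguments.

```shell
#!/bin/sh
# Added example: consistency check for an installed key, certificate and chain.
# check_tls_files is a hypothetical helper name, not part of any Debian package.
# Usage: check_tls_files KEY CRT CHAIN HOSTNAME   (returns 0 when all checks pass)
check_tls_files() {
    key=$1; crt=$2; chain=$3; host=$4; rc=0

    # 1. Private key readable by its owner only (the "chmod 600" step).
    mode=$(stat -c '%a' "$key") || return 2      # assumes GNU stat
    case $mode in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
    esac

    # 2. The certificate carries the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $crt was not issued for $key"; rc=1
    fi

    # 3. The first certificate in the chain file is the issuer of ours.
    want=$(openssl x509 -in "$crt" -noout -issuer_hash 2>/dev/null)
    have=$(openssl x509 -in "$chain" -noout -subject_hash 2>/dev/null)
    if [ -z "$want" ] || [ "$want" != "$have" ]; then
        echo "FAIL: $chain does not start with the issuer of $crt"; rc=1
    fi

    # 4. The certificate names the host that the VirtualHost serves.
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $crt is not valid for $host"; rc=1
    fi

    # 5. More than 30 days of validity left, as a renewal reminder.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days"; rc=1
    fi

    return $rc
}

# Run the check when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then check_tls_files "$@"; fi
```

With the paths from the report, the arguments would be `/etc/ssl/private/sources.debian.net.key`, `/etc/ssl/debian/certs/sources.debian.net.crt`, `/etc/ssl/debian/certs/sources.debian.net.crt-chain` and `sources.debian.net`.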
--- Begin Message ---
- To: Paul Wise <pabs@debian.org>
- Cc: 772560-done@bugs.debian.org
- Subject: Re: Bug#772560: debsources: please add a CA-signed SSL setup
- From: Stefano Zacchiroli <zack@debian.org>
- Date: Tue, 23 Dec 2014 17:22:21 +0100
- Message-id: <20141223162221.GA10979@upsilon.cc>
- In-reply-to: <1418053360.8517.40.camel@debian.org>
- References: <1418053360.8517.40.camel@debian.org>
On Mon, Dec 08, 2014 at 11:42:40PM +0800, Paul Wise wrote:
> Please add an SSL certificate signed by the CAs so that users visiting
> the site over SSL don't get warnings from their browsers.

This has now been done. There are still some links pointing from
https:// to http://, which makes browsers not 100% happy, but the
identity is verified at least. Patches (and/or separate bug reports)
welcome to fix the https -> http links.

> There are 3 CAs offering gratis certs, GlobalSign's offer seems the
> best for now:
>
> https://www.globalsign.com/ssl/ssl-open-source/

FWIW, I've applied for and obtained a 1-year certificate from GlobalSign
thanks to the above FOSS-friendly program. I hereby thank GlobalSign for
their support to Debian via the certificate they've given me.

Cheers.
--
Stefano Zacchiroli . . . . . . . zack@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »

Attachment: signature.asc
Description: Digital signature
--- End Message ---