Discussion:
Let's Encrypt cert and mantis.freepascal.org
Dimitrios Chr. Ioannidis via fpc-devel
2017-05-02 08:45:48 UTC
Hi,

is it possible to add the domain mantis.freepascal.org in the let's
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?

I use the svn log a lot, and when I click the bug id I get an
SSL_ERROR_BAD_CERT_DOMAIN, which is a little bit annoying.

regards,
--
Dimitrios Chr. Ioannidis
_______________________________________________
fpc-devel maillist - fpc-***@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listin
Michael Van Canneyt
2017-05-02 17:20:09 UTC
Post by Dimitrios Chr. Ioannidis via fpc-devel
Hi,
is it possible to add the domain mantis.freepascal.org in the let's
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?
Changed the bugtraq:url. Revision 36062.

Michael.
Tomas Hajny
2017-05-02 20:52:08 UTC
Hi Michael,
Post by Michael Van Canneyt
Post by Dimitrios Chr. Ioannidis via fpc-devel
is it possible to add the domain mantis.freepascal.org in the let's
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?
Changed the bugtraq:url. Revision 36062.
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.

Tomas


Michael Van Canneyt
2017-05-02 21:59:59 UTC
Post by Tomas Hajny
Hi Michael,
Post by Michael Van Canneyt
Post by Dimitrios Chr. Ioannidis via fpc-devel
is it possible to add the domain mantis.freepascal.org in the let's
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?
Changed the bugtraq:url. Revision 36062.
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.

Michael.
Martin
2017-05-02 22:17:39 UTC
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.

Since both domains are on the same IP, the server must support SNI (but
most servers do).

Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including
the same include file)
Michael Van Canneyt
2017-05-02 22:33:15 UTC
Post by Martin
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.
Since both domains are on the same IP, the server must support SNI (but
most servers do).
Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including
the same include file)
I will see if this is a possibility.

Michael.
Tomas Hajny
2017-05-02 22:52:58 UTC
Post by Michael Van Canneyt
Post by Martin
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.
Since both domains are on the same IP, the server must support SNI (but
most servers do).
Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including
the same include file)
I will see if this is a possibility.
As far as I can see, having a certificate for multiple domain names seems
perfectly possible with Let's Encrypt - see
https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
or
https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
- there's no need for wildcards, just for the complete list of valid
domain names you want to cover.

BTW, the certificate used for www.freepascal.org should include plain
freepascal.org, because an access to http://freepascal.org results in a
security complaint from the browser now.

Tomas
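
Added example (not part of any post in this thread): a Python sketch of the hostname check a TLS client applies to a certificate's subjectAltName entries, showing why every served name has to be listed and why a wildcard alone would still leave plain freepascal.org uncovered. The SAN lists are constructed for illustration and are not the contents of any real freepascal.org certificate; the function names are hypothetical.

```python
# Added illustration; SAN lists are constructed, not read from a real certificate.

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()

def san_matches(pattern, hostname):
    """True if one dNSName entry covers hostname (RFC 6125 style rules)."""
    p_labels = _norm(pattern).split(".")
    h_labels = _norm(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Simplification: accept a wildcard only as the whole left-most
        # label and only with at least two labels after it. Real clients
        # consult the public suffix list instead of counting labels.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered(hostnames, san_names):
    """Return the hostnames a client would reject for this certificate."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_names)]

# Hostnames mentioned in the thread.
SERVED = ["bugs.freepascal.org", "mantis.freepascal.org",
          "www.freepascal.org", "freepascal.org"]

# Constructed SAN lists for three ways of issuing the certificate.
SINGLE_NAME = ["bugs.freepascal.org"]
MULTI_NAME = ["bugs.freepascal.org", "mantis.freepascal.org",
              "www.freepascal.org", "freepascal.org"]
WILDCARD_ONLY = ["*.freepascal.org"]

if __name__ == "__main__":
    for label, sans in [("single", SINGLE_NAME), ("multi", MULTI_NAME),
                        ("wildcard", WILDCARD_ONLY)]:
        print(label, "->", uncovered(SERVED, sans) or "all covered")
```

Each name returned by `uncovered` is one for which a browser would raise a domain-mismatch error such as the SSL_ERROR_BAD_CERT_DOMAIN reported at the start of the thread.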


Michael Van Canneyt
2017-05-03 07:06:42 UTC
Post by Tomas Hajny
Post by Michael Van Canneyt
Post by Martin
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.
Since both domains are on the same IP, the server must support SNI (but
most servers do).
Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including
the same include file)
I will see if this is a possibility.
As far as I can see, having a certificate for multiple domain names seems
perfectly possible with Let's Encrypt - see
https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
or
https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
- there's no need for wildcards, just for the complete list of valid
domain names you want to cover.
I'll try this for mantis/bugs first.

Michael.
Sven Barth via fpc-devel
2017-05-04 17:57:21 UTC
Post by Michael Van Canneyt
Post by Tomas Hajny
Post by Michael Van Canneyt
Post by Martin
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.
Since both domains are on the same IP, the server must support SNI (but
most servers do).
Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or including
the same include file)
I will see if this is a possibility.
As far as I can see, having a certificate for multiple domain names seems
perfectly possible with Let's Encrypt - see
https://www.digitalocean.com/community/tutorials/how-to-set-up-let-s-encrypt-certificates-for-multiple-apache-virtual-hosts-on-ubuntu-16-04,
or
https://community.letsencrypt.org/t/host-multiple-domains-with-a-single-certificate/20917/2
- there's no need for wildcards, just for the complete list of valid
domain names you want to cover.
I'll try this for mantis/bugs first.
Maybe you'll also want to do this for svn.freepascal.org (and
svn2.freepascal.org?) as at least my PowerBook complained about the
mismatched URL (aside from the root certificate not being trusted :P )

Regards,
Sven


David Copeland
2017-05-03 11:35:11 UTC
Another alternative I have used is to get a new certificate that
includes all the subdomains.

Dave Copeland.
Post by Martin
Post by Michael Van Canneyt
Post by Tomas Hajny
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
I would think you need 2 individual certs.
Since both domains are on the same IP, the server must support SNI
(but most servers do).
Then have 2 virtual hosts, one for each domain. Each using the correct
cert for its domain.
The rest of the virtualhosts will be a copy of each other (or
including the same include file)
--
David Copeland
JSI Data Systems Limited
613-727-9353
www.jsidata.ca

Luca Olivetti
2017-05-02 22:47:33 UTC
Post by Michael Van Canneyt
Post by Tomas Hajny
Hi Michael,
Post by Michael Van Canneyt
Post by Dimitrios Chr. Ioannidis via fpc-devel
is it possible to add the domain mantis.freepascal.org in the let's
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?
Changed the bugtraq:url. Revision 36062.
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
As far as I know, Let's Encrypt does not support wildcard certificates.
But it supports more than one name in the same certificate.
I'm using dehydrated[1] and it's just a matter of specifying all the
domains in the same line in domains.txt.
Other acme clients should support it as well.

[1]https://github.com/lukas2511/dehydrated

Bye
--
Luca

silvioprog
2017-05-02 23:30:39 UTC
Post by Dimitrios Chr. Ioannidis via fpc-devel
Post by Tomas Hajny
Hi Michael,
Hello dudes,
Post by Dimitrios Chr. Ioannidis via fpc-devel
is it possible to add the domain mantis.freepascal.org in the let's
Post by Tomas Hajny
Post by Michael Van Canneyt
Post by Dimitrios Chr. Ioannidis via fpc-devel
encrypt cert or change the subversion bugtrack:url property from
mantis.freepascal.org to bugs.freepascal.org ?
Changed the bugtraq:url. Revision 36062.
That's probably good as the fastest / short-term solution, but as long as
both DNS records are valid and point to the same IP address (and http
access to both is redirected to the https version), the certificate should
cover both domain names as well.
That may be so, but I have no idea how to do this.
Which client was used in the challenge, certbot? It allows specifying many
domains (however, I'm using acme-client today, but some time ago I used
certbot and had success with sub-domains too, e.g. www.mydomain.com,
smtp.mydomain.com, docs.mydomain.com etc.).

As far as I know, Let's Encrypt does not support wildcard certificates.
Post by Dimitrios Chr. Ioannidis via fpc-devel
Michael.
I have some knowledge about this issue and I would be glad to help on that.

I've replaced certbot with acme-client because it has just some KBs
against the many MB of certbot and its dependencies. Acme-client was written in
C, and its dependencies are just libbsd and libressl.

I made some changes in my copy to make it work on my Ubuntu Server
16.04, and I created a cron job that checks twice a day (time recommended
by certbot/acme-client team) if the certificate is still valid.
--
Silvio Clécio
Ondrej Pokorny
2017-05-03 10:17:36 UTC
Post by Michael Van Canneyt
Changed the bugtraq:url. Revision 36062.
Off-topic:

I now switched from mantis.freepascal.org to bugs.freepascal.org and had
to block the running cheetah icon again.

Remember the good webpage designer (generally speaking UI designer)
rule: Don't play endless animations. Never.

Ondrej
Michael Van Canneyt
2017-05-03 10:47:29 UTC
Post by Ondrej Pokorny
Post by Michael Van Canneyt
Changed the bugtraq:url. Revision 36062.
I now switched from mantis.freepascal.org to bugs.freepascal.org and had
to block the running cheetah icon again.
Remember the good webpage designer (generally speaking UI designer)
rule: Don't play endless animations. Never.
Considering that we're probably living in a simulation,
we can stop living right now ?

Michael.