Re: certficate on wocommunity.org
Re: certficate on wocommunity.org
- Subject: Re: certficate on wocommunity.org
- From: Maik Musall <email@hidden>
- Date: Fri, 23 Feb 2018 09:28:49 +0100
Hi Samuel,
thanks for noticing. I had set up the scripting to upload the entire chain to
the load balancer, but apparently it ignores the intermediate in that process.
So I now set the intermediate in it's intermediate store, and it seems it's
working now.
I also noticed ssllabs complaining about weak DH parameters. Unfortunately I
can't set those per service, and globally setting DH keys longer than 1024
would break some sites that rely on connectivity with older clients. But I
changed the ciphersuites set in favor of ECDHE instead of DHE, which also
solves this. Java 6 could have a problem with this, but I guess (and hope)
nobody's still using that to run Eclipse or something.
I also set a CAA DNS record, and now we've got an A rating :)
Can you please check if you can access without problems now?
Thanks
Maik
> Am 23.02.2018 um 01:38 schrieb Samuel Pelletier <email@hidden>:
>
> Hi Maik,
>
> I think there is a missing chain cert on the server.
>
> At least Eclipse update refuse to connect to the update site with this error:
> Unable to read repository at
> https://jenkins.wocommunity.org/job/WOLips47/lastSuccessfulBuild/artifact/temp/dist/content.xml
>
> <https://jenkins.wocommunity.org/job/WOLips47/lastSuccessfulBuild/artifact/temp/dist/content.xml>.
> Unable to read repository at
> https://jenkins.wocommunity.org/job/WOLips47/lastSuccessfulBuild/artifact/temp/dist/content.xml
>
> <https://jenkins.wocommunity.org/job/WOLips47/lastSuccessfulBuild/artifact/temp/dist/content.xml>.
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> Checking the ssl config with
> https://www.ssllabs.com/ssltest/analyze.html?d=jenkins.wocommunity.org
> <https://www.ssllabs.com/ssltest/analyze.html?d=jenkins.wocommunity.org>
> reveals that the certificate chain is incomplete.
>
> I do not have problems with browser that either already have it or download
> it silently but Java does not seem to like this.
>
> With apache, the chain is added with a config like this:
> SSLCertificateChainFile "/[...]/letsencrypt/live/[...]/chain.pem"
>
> Samuel
>
>
>
>> Le 21 févr. 2018 à 11:34, Maik Musall <email@hidden
>> <mailto:email@hidden>> a écrit :
>>
>> Done.
>>
>> Sorry for the delay, it took a while to figure out how to automate this with
>> our load balancers in front of everything terminating the TLS connections ;-)
>>
>> Maik
>>
>>
>>> Am 21.02.2018 um 08:23 schrieb Maik Musall <email@hidden
>>> <mailto:email@hidden>>:
>>>
>>> Hi all,
>>>
>>> I just noticed that the TLS certificate on wocommunity.org
>>> <http://wocommunity.org/> has expired, and I thought I already had set up
>>> letsencrypt so I ignored the warning emails from Comodo. Turns out I had
>>> not. So hang on, I will fix this today.
>>>
>>> Maik
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Webobjects-dev mailing list (email@hidden
>>> <mailto:email@hidden>)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>>
>>> This email sent to email@hidden <mailto:email@hidden>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Webobjects-dev mailing list (email@hidden
>> <mailto:email@hidden>)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden