| Time | Nick | Message |
|---|---|---|
| 12:53 | | eglogbot joined #evergreen |
| 12:53 | | Topic for #evergreen is now Welcome to #evergreen (https://evergreen-ils.org). This channel is publicly logged. Logs for today: http://irc.evergreen-ils.org/evergreen/today |
| 12:53 | Bmagic | cool, be back in a bit |
| 12:53 | Bmagic | csharp_++ |
| 13:00 | jmurray-isl | Getting an SSL Bad Cert Domain error from https://evergreen-ils.org. Cert only valid for *.georgialibraries.org. |
| 13:07 | jmurray-isl | Also, the Windows Hatch download link is showing a 404. |
| 13:24 | csharp_ | yeah - sorry |
| 13:24 | csharp_ | it should be working now jmurray-isl |
| 13:24 | csharp_ | working on getting the wiki certs copied over |
| 13:25 | jmurray-isl | csharp_++ |
| 13:37 | csharp_ | Bmagic: wiki cert is broken because of nginx/anubis/multiple vhosts |
| 13:47 | | Dyrcona joined #evergreen |
| 13:53 | | Dyrcona joined #evergreen |
| 13:55 | csharp_ | if we can get letsencrypt wildcard certs going, this won't be an issue |
| 13:55 | Dyrcona | csharp_++ Bmagic++ |
| 13:55 | csharp_ | probably just a matter of coordination with gmcharlt or someone else with DNS access |
| 13:55 | csharp_ | I used to have it but I don't think I do anymore |
| 13:55 | Dyrcona | Does name.com have an API? |
| 13:56 | Dyrcona | Is that our registrar? |
| 13:58 | csharp_ | I think so? |
| 14:06 | Bmagic | csharp_: did you get the bash script to work? |
| 14:06 | csharp_ | I started by copying certs - hadn't gotten to the bash script |
| 14:06 | Bmagic | word |
| 14:07 | Bmagic | the issue is likely the nginx .well-known clause |
| 14:07 | csharp_ | we don't have anything running on port 80 at the moment |
| 14:08 | Bmagic | nginx is |
| 14:08 | Bmagic | http://wiki.evergreen-ils.org/.well-known/acme-challenge/hi.html |
| 14:09 | Bmagic | maybe outer firewall is blocking UK? |
| 14:09 | csharp_ | it may be blocking port 80 |
| 14:10 | Bmagic | that would do it, though I'm connected on port 80 |
| 14:10 | csharp_ | oh, right |
| 14:10 | csharp_ | then I guess it's open :-) |
| 14:11 | Bmagic | my theory is not for the world |
| 14:11 | Bmagic | I'm about to test that, I'll VPN over to UK and try it |
| 14:12 | csharp_ | it's a "smart" firewall too and might not like the nature of the incoming packets |
| 14:12 | csharp_ | (Palo Alto) |
| 14:12 | csharp_ | if we determine it's probably the firewall, we may want to re-revert since that can take a while for approval |
| 14:14 | csharp_ | orrrr, we could futz with nginx/anubis and vhosts running on multiple ports |
| 14:14 | csharp_ | at least just one for the wiki |
| 14:14 | Bmagic | it works from UK |
| 14:14 | csharp_ | ok |
| 14:15 | Bmagic | I don't think we want to revert |
| 14:15 | Bmagic | it's just the certs at this point, and letsencrypt fiddly business, I'll dig in |
| 14:15 | csharp_ | btw, I manually copied the certs into /etc/apache2/ssl and /etc/apache2/ssl/wiki |
| 14:15 | csharp_ | so our configs will need to be updated with the right locations |
| 14:16 | Bmagic | I was about to ask |
| 14:16 | csharp_ | I installed certbot from APT, so if your process needs that gone, I can remove them |
| 14:16 | Bmagic | my thing uses acme.sh |
| 14:16 | csharp_ | ok, I'll remove those so there's not any sort of competition |
| 14:17 | Bmagic | I think they both can live happily together on disk, it's the cert generation that we'll need to decide which one wins |
| 14:17 | Bmagic | did you get certbot to generate? |
| 14:17 | csharp_ | removed - we can reinstall if needed |
| 14:17 | csharp_ | Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80. |
| 14:18 | csharp_ | that was where I stopped and started copying over certs from lupin |
| 14:18 | Bmagic | there should be a way to tell certbot to ignore the current web engine and just put files in a specified path for verification |
| 14:19 | csharp_ | I didn't get that far |
| 14:19 | Bmagic | I'm digging in |
| 14:19 | csharp_ | k - I'm going to take a break for a bit |
| 14:21 | Bmagic | it's the firewall |
| 14:21 | csharp_ | meh |
| 14:21 | Bmagic | I can tell, because during the verification process, neither nginx nor apache received a request to .well-known, and the error message is "Connection reset by peer" |
| 14:22 | csharp_ | yeah... |
| 14:22 | csharp_ | ok, really taking a break now |
| 14:22 | Bmagic | ok, no rush on this, certs are good till August |
| 15:13 | Bmagic | irc.evergreen-ils.org has a bad cert though. If we can get the firewall figured out, we should be able to solve |
| 15:23 | Dyrcona | I was going to mention the irc.evergreen-ils.org cert, but with the other discussion going on I thought it might have been a known thing. |
| 15:23 | csharp_ | wiki has a bad cert too |
| 15:24 | csharp_ | nginx can do multiple server confs: https://stackoverflow.com/questions/17568981/nginx-two-subdomain-configuration |
| 15:24 | csharp_ | I was playing around with that but my attempts weren't successful |
| 15:41 | Bmagic | I make multi domain certs all the time with letsencrypt, that's not an issue |
| 15:42 | Bmagic | the network just needs to allow the letsencrypt probe in |
| 15:42 | Bmagic | in other words: a single file that covers all of the names, so that nginx just needs to link to a single file in the config |
| 15:43 | Bmagic | I have one that covers over 80 domain names and renews every 60 days, no problem |
| 15:45 | Bmagic | take a look at this bad boy https://ncccevergreen.org for example |
| 15:45 | Bmagic | tell that Palo Alto to knock it off |
| 16:21 | csharp_ | submitted a ticket - I expect that to take several business days so it may still be worth it to try to get the wiki.evergreen-ils.org cert to work in the meantime |
| 16:27 | Bmagic | csharp_++ |
| 16:27 | Bmagic | How much does a wildcard cert cost these days? |
| 16:28 | Bmagic | maybe we could just buy it, I have a feeling it's not much |
| 16:31 | csharp_ | probably not much - not sure who to ask on the board or whoever |
| 16:31 | Bmagic | $39/year for a wildcard from namecheap |
| 16:31 | Bmagic | https://www.namecheap.com/security/ssl-certificates/compare/?cert-1=7&cert-2=11&cert-3=13 |
| 16:35 | Dyrcona | FWIW, I used to make multidomain wildcard certs with letsencrypt also. |
| 16:36 | Bmagic | yeah, that too. If we can get the firewall fixed, we'd be alright |
| 16:37 | Bmagic | the weird thing is: csharp_ letsencrypt was verifying the domain on the old OS? |
| 16:50 | jmurray-isl | From what I recall, certbot uses AWS for verification from multiple locations. |
| 16:50 | Bmagic | csharp_: we might be changing files at the same time |
| 16:51 | Bmagic | I see the apache wiki config is getting its port changed to 7444 and 7081, I was changing that back until I realized that was probably on purpose? |
| 16:51 | Bmagic | jmurray-isl: yeah, lately from the UK |
| 16:52 | jmurray-isl | We block the UK, but we allow Canonical IP ranges. |
| 16:53 | jmurray-isl | (At least whatever Sonicwall's Geo-IP filter thinks is the UK.) |
| 16:56 | jmurray-isl | I do allow Australia, New Zealand, Canada, and Ireland, however... |
| 16:56 | jmurray-isl | (And Sweden.) |
| 17:00 | csharp_ | Bmagic: feel free to change it - I was just experimenting |
| 17:01 | Bmagic | csharp_: I was having a "misdirect... SNI" issue with wiki. That's resolved |
| 17:02 | Bmagic | We're just down to bad certs for wiki and irc. root is working |
| 17:11 | Bmagic | csharp_: I think nginx could* work with different domain names and different certs for each one, as long as they were all subdomains. Setting up a block with plain old evergreen-ils.org catches all subdomains too, according to that stackoverflow article |
| 17:15 | Bmagic | nope, I got it working |
| 17:16 | Bmagic | wiki cert is working, as well as wordpress site! Yay! irc never had a cert, so we don't have one to give it. It's just borrowing the root cert for now (which isn't valid, so we still have a browser error, until we can either buy a cert or get the firewall worked out) |
| 17:53 | csharp_ | Bmagic++ |
| 17:54 | Bmagic | csharp_++ |
| 17:55 | Bmagic | hey, did you see my quandary about it working before? |
| 17:59 | csharp_ | I may have missed it |
| 17:59 | csharp_ | btw, ITS staff are already looking at the ticket, but it probably has to go up an approval chain |
| 18:05 | Bmagic | sweet |
| 23:33 | * jeff | blinks |
| 23:36 | | book` joined #evergreen |