Opened 9 years ago

Closed 8 years ago

Last modified 4 years ago

#3540 closed defect (fixed)

Enable https for winnie/debbie

Reported by: strk
Owned by: robe
Priority: medium
Milestone: Website Management, Bots
Component: QA/buildbots
Version: 2.2.x
Keywords:
Cc:

Description

Or web browsers show a warning icon when using trac.osgeo.org/postgis due to the winnie/debbie badges coming from HTTP rather than HTTPS.

See letsencrypt for free and automated SSL certs: https://letsencrypt.org/

Change History (9)

comment:1 by strk, 8 years ago

I've enabled HTTPS for debbie, using letsencrypt (but did not prepare any provision for renewing the certs, so will need to check it again when that happens).

For winnie, it would be easy if "winnie.postgis.net" pointed to debbie's IP, so I could use it as a proxy for the real winnie. Is that possible?

comment:2 by strk, 8 years ago

Or I wonder if you could turn "winnie" into a slave-only instance, reporting to debbie, so to centralize reporting (badges etc.) some more.

comment:3 by robe, 8 years ago

Yah I was thinking about that. Never got that far in my study on Jenkins before I got distracted by something else.

I fear it may be more of a hassle than it's worth since I suspect I'd need to copy all the jobs she does right now to debbie to make that work and she does a lot of packaging for Windows -- so I've got postgis, geos, pgrouting, sfcgal, pgpointcloud etc. Vicky (pgRouting) triggers jobs as needed to test things and pgrouting has a ci folder for winnie (similar to what we have for postgis).

Though I guess I could just copy over the postgis jobs but even that seems like a bit of a pain.

If the only purpose is for https, much easier to just enable it on her for jenkins and download website. I suspect I can use the same key for jenkins and IIS if they are on different ports which they will be.

comment:4 by strk, 8 years ago

I guess a single master would simplify things, in general. For example there could need to be a single webhook to trigger all builds.

And it would be a way to get used to the "slave" concept to open up the possibility for other PostGIS users to provide their own slave for testing those architectures that are currently untested.

comment:5 by robe, 8 years ago

Well, doesn't look like letsencrypt works for Windows, so I guess I'd have to buy an SSL cert for winnie or you can maybe proxy through on another port on debbie for https for winnie.

I did get https self-signed to work but that gives a this is self-signed certs.

https://winnie.postgis.net:1501

Cert for a year is only $10 so I could just buy one for winnie and call it a day.

Last edited 8 years ago by robe

comment:6 by robe, 8 years ago

Regarding slaves. In theory sounds nice. Not sure how it would be in execution.

Really what I'd like more than slaves is repos that people can have experimental builds of PostGIS to test out. We've got some of that going already with OSGeo-Live, apt-postgresql, yum.postgresql.org but more would be nice and even more experimental would be nicer. Then people could be testing real workloads without hassle of getting all the bits.

comment:7 by strk, 8 years ago

There, winnie proxied by debbie (certified by letsencrypt):

https://debbie.postgis.net:444

The proxy will use https to connect to winnie, so encryption chain is not broken. Only, debbie will not check winnie's certificate for being trusted (I guess we could teach debbie to trust winnie certificate but I wouldn't trust a proprietary server myself so won't teach debbie to do that :)

So, if you can keep that 1501 port on we can switch all winnie links to debbie:444. Actually, I'm doing that now for trac.
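The upstream trust choice described in comment:7, as an added example that is not part of the original ticket or the project's configuration. The ticket does not name the proxy software, so nginx is an assumption here, and all file paths are placeholders; ports 444 and 1501 and the host names are the ones given in the thread.

```nginx
# Added illustration, not debbie's real configuration.
# Assumption: the proxy is nginx. All /path/to/... values are placeholders.
server {
    listen 444 ssl;
    server_name debbie.postgis.net;

    # Browser-facing certificate (the Let's Encrypt one mentioned in the ticket).
    ssl_certificate     /path/to/debbie/fullchain.pem;
    ssl_certificate_key /path/to/debbie/privkey.pem;

    location / {
        # Upstream hop is still TLS, so the traffic is encrypted end to end.
        proxy_pass https://winnie.postgis.net:1501;
        proxy_set_header Host $host;

        # --- Setup as described in comment:7 ---------------------------
        # Encrypted, but the peer is not authenticated: whatever answers
        # on winnie.postgis.net:1501 is accepted. This is nginx's default.
        # proxy_ssl_verify off;

        # --- Pinned alternative ----------------------------------------
        # Trust exactly one certificate: a PEM export of winnie's
        # self-signed cert, copied to debbie out of band. No public CA
        # and no broader trust in the Windows host is involved.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /path/to/winnie-selfsigned.pem;

        # Name checked against the certificate's CN/SAN; the self-signed
        # cert must have been issued for this name or verification fails.
        proxy_ssl_name        winnie.postgis.net;
        proxy_ssl_server_name on;   # send SNI on the upstream handshake
    }
}
```

With the pinned variant the proxy returns 502 if winnie's certificate is replaced or expires, so the pinned PEM has to be refreshed whenever the self-signed certificate is regenerated.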

comment:8 by strk, 8 years ago

Resolution: fixed
Status: new → closed

There, WikiStart page is green-locked for me now: https://trac.osgeo.org/postgis/wiki/WikiStart

Will close this, and we can use a different ticket for slaves (which I still think are the direction we should take)

comment:9 by robe, 4 years ago

Milestone: Management 2.0 → Website Management, Bots

Milestone renamed
