Task #4243
closed
Migrate SSL certificate from GARR/TERENA to Let's Encrypt
100%
Description
These are the expiration dates of the current TERENA SSL certificates:
May 28 23:59:59 2016 GMT cert-4781-www.i-marine.d4science.org.pem
Jun 20 23:59:59 2016 GMT cert-4915-www.d4science.org.pem
Jun 20 23:59:59 2016 GMT cert-4916-www.eubrazilopenbio.d4science.org.pem
Sep 2 23:59:59 2016 GMT cert-5264-support.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6287-sp.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6288-social.isti.cnr.it.pem
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Apr 29 23:59:59 2017 GMT cert-7006-dev2.d4science.org.pem
Apr 29 23:59:59 2017 GMT cert-7007-bionym.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jun 30 23:59:59 2017 GMT cert-7369-egip.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Jan 20 23:59:59 2018 GMT cert-8523-smartforms.d4science.org.pem
Feb 18 23:59:59 2018 GMT cert-8733-vre.d4science.org.pem
Feb 19 23:59:59 2018 GMT cert-8742-services.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Mar 17 23:59:59 2018 GMT cert-8942-www.gcube-system.org.pem
Mar 31 23:59:59 2018 GMT cert-9008-support.gcube-system.org.pem
Apr 9 23:59:59 2018 GMT cert-9055-wiki.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9056-wiki.gcube-system.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 15 23:59:59 2018 GMT cert-9899-descramble.d4science.org.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9981-bluebridge.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
Updated by Tommaso Piccioli almost 9 years ago
www.i-marine.d4science.org already migrated to Let's Encrypt
www.eubrazilopenbio.d4science.org is no longer used
www.d4science.org is very close to the expiration date (Jun 20 23:59:59 2016 GMT)
support.d4science.org will be the next one this year (Sep 2 23:59:59 2016 GMT)
Updated by Andrea Dell'Amico almost 9 years ago
- Status changed from New to In Progress
I generated with letsencrypt:
portal.d4science.org www.d4science.org www.gcube-system.org
They are on the same host (www.d4science.org and www.gcube-system.org also have different IPs, but it seems that they are not needed?)
Updated by Andrea Dell'Amico over 8 years ago
- Related to Task #4765: Renew the wiki certificates added
Updated by Tommaso Piccioli about 8 years ago
Today's status:
Feb 18 23:59:59 2017 GMT cert-6287-sp.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6288-social.isti.cnr.it.pem
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
- ci.research-infrastructures.eu and ci.d4science.org are the same host
- chimaera and smartfish are the same host
- on couchdb and nexus/maven we never used SSL
- geothermcatalog.d4science.org is on an IGG host
- virtuoso.i-marine.d4science.org is on a nkua host and it seems to not use SSL, probably an old alias
Updated by Tommaso Piccioli about 8 years ago
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu
Apr 26 13:41:47 2017 GMT manage.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=manage.research-infrastructures.eu
GARR
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
Updated by Tommaso Piccioli about 8 years ago
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu (!!! already out of time, still needed?)
Apr 26 13:41:47 2017 GMT manage.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=manage.research-infrastructures.eu
GARR
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem (!!! already out of time)
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem (still needed?)
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem (to be dismissed)
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem (not used at the moment)
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
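The expiry check that the annotated lists in this ticket do by hand, as an added Python example (not part of the ticket or of the project's tooling): it parses lines in the `<date> GMT <name>` form used above, skips the INFN/GARR headings, and classifies each entry against a reference date. The reference date 2017-04-01 and the 120-day warning window are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Lines copied from the inventory in this ticket, annotations included.
INVENTORY = """\
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu (!!! already out of time, still needed?)
GARR
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem (!!! already out of time)
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem (still needed?)
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
"""


def parse_line(line):
    """Return (not_after, label) for '<date> GMT <label> ...', else None."""
    stamp, sep, rest = line.partition(" GMT ")
    if not sep or not rest.split():
        return None  # section heading such as 'INFN', or a blank line
    try:
        not_after = datetime.strptime(stamp.strip(), "%b %d %H:%M:%S %Y")
    except ValueError:
        return None
    # First token is the file or host name; subject DN and notes follow it.
    return not_after.replace(tzinfo=timezone.utc), rest.split()[0]


def triage(text, now, warn_days=30):
    """Classify each certificate as EXPIRED, EXPIRING or OK, soonest first."""
    rows = sorted(p for p in map(parse_line, text.splitlines()) if p)
    horizon = now + timedelta(days=warn_days)
    report = []
    for not_after, label in rows:
        if not_after <= now:
            status = "EXPIRED"
        elif not_after <= horizon:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((status, label, not_after.date().isoformat()))
    return report


if __name__ == "__main__":
    # Assumed reference date, chosen to fall after the two lapsed entries.
    today = datetime(2017, 4, 1, tzinfo=timezone.utc)
    for status, label, day in triage(INVENTORY, today, warn_days=120):
        print(f"{status:<9}{day}  {label}")
```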
Updated by Andrea Dell'Amico about 8 years ago
Tommaso Piccioli wrote:
> INFN
> Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu (!!! already out of time, still needed?)
Yes but it's internal only. We can live with it until we can kill that service.
> GARR
> Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem (!!! already out of time)
> Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem (still needed?)
I don't know anything about these ones. The second one is even outside our network:
    host virtuoso.i-marine.d4science.org
    virtuoso.i-marine.d4science.org is an alias for dl048.madgik.di.uoa.gr.
    dl048.madgik.di.uoa.gr has address 88.197.53.48
    dl048.madgik.di.uoa.gr has IPv6 address 64:ff9b::58c5:3530
@pasquale.pagano@isti.cnr.it any hints?
Updated by Tommaso Piccioli about 8 years ago
smartfish.d4science.org and chimaera.d4science.org are the same host/service.
Both have the same service on port 80, while on port 443 (SSL) the portal does not finish a "portal loading" phase.
It has been a long time since we lost control of this host; we only provided the SSL keys (which apparently they never use).
Updated by Pasquale Pagano about 8 years ago
virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it at that site.
Updated by Andrea Dell'Amico about 8 years ago
Pasquale Pagano wrote:
> virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it at that site.
OK. So we need to ask UoA if they are able to start using letsencrypt to manage that certificate. Otherwise we will need to find a responsive certificate provider. @roberto.cirillo@isti.cnr.it is Kostas still the contact there?
About smartfish.d4science.org. Is it still in use? If so we will have to provision at least the letsencrypt/apache part.
Updated by Pasquale Pagano about 8 years ago
Andrea Dell'Amico wrote:
> Pasquale Pagano wrote:
> > virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it at that site.
> OK. So we need to ask UoA if they are able to start using letsencrypt to manage that certificate. Otherwise we will need to find a responsive certificate provider. @roberto.cirillo@isti.cnr.it is Kostas still the contact there?
Yes, as far as I know.
> About smartfish.d4science.org. Is it still in use? If so we will have to provision at least the letsencrypt/apache part.
Yes, it is still in use. Please start provisioning the certificate for it.
Updated by Andrea Dell'Amico about 8 years ago
I was not able to make letsencrypt work on manage.d4science.org. The distribution is too old, even after having gathered all the missing CA certificates the procedure still fails. I can only think of moving all those services behind a reverse proxy that lives on a different host.
Updated by Tommaso Piccioli about 8 years ago
Or we can go on with the INFN certificate for the services on manage.
Updated by Andrea Dell'Amico about 8 years ago
Tommaso Piccioli wrote:
> Or we can go on with the INFN certificate for the services on manage.
Yes. Better, maybe.
Updated by Andrea Dell'Amico about 7 years ago
From that list the only missing host seems to be svn.research-infrastructures.eu. Another reason to move the service to a new host (and rename it, but I guess that the current name is going to stay for a while).
Updated by Andrea Dell'Amico about 7 years ago
- Blocks Task #11394: Dismiss certs.research-infrastructures.eu added
Updated by Tommaso Piccioli about 7 years ago
Andrea Dell'Amico wrote:
> From that list the only missing host seems to be svn.research-infrastructures.eu. Another reason to move the service to a new host (and rename it, but I guess that the current name is going to stay for a while).
Waiting for #2661, new certificate for svn.research-infrastructures.eu from TERENA, "Validity not after: Jul 8 00:00:00 2020 GMT"
Updated by Alessia Bardi about 7 years ago
I get a message regarding problems with the certificate on the svn server:
    alessia@nb-bardi:~/workspace45/dnet-download-service$ svn info
    Path: .
    Working Copy Root Path: /Users/alessia/workspace45/dnet-download-service
    URL: https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-download-service/trunk
    Relative URL: ^/dnet45/modules/dnet-download-service/trunk
    Repository Root: https://svn.driver.research-infrastructures.eu/driver
    [. . .]
    alessia@nb-bardi:~/workspace45/dnet-download-service$ svn up
    Updating '.':
    Error validating server certificate for 'https://svn.driver.research-infrastructures.eu:443':
     - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually!
     - The certificate hostname does not match.
    Certificate information:
     - Hostname: svn.research-infrastructures.eu
     - Valid: from Apr 5 00:00:00 2018 GMT until Jul 8 00:00:00 2020 GMT
     - Issuer: TERENA SSL CA 3, TERENA, Amsterdam, Noord-Holland, NL
     - Fingerprint: D2:A1:5C:48:5A:A4:1D:D2:91:D5:68:A4:5F:71:E6:55:21:63:F1:47
Note the line " - The certificate hostname does not match.". I have accepted the certificate anyway, but you may want to do something to solve it.
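Why the client reports a hostname mismatch, as an added Python example (not from the ticket or from the svn client's code): a certificate name covers a hostname only on an exact match, or when a `*` stands in for exactly the left-most label. The function names and the wildcard entries are constructed for the illustration; `svn.research-infrastructures.eu` is the name the client reported.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """True if cert_name covers hostname.

    A '*' is honoured only as the complete left-most label and stands for
    exactly one label; any other use of '*' is compared literally and so
    never matches a real hostname.
    """
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if c[0] == "*":
        # A bare '*' is not a usable name; otherwise compare the fixed labels.
        return len(c) > 1 and c[1:] == h[1:]
    return c == h


def uncovered(cert_names, used_hostnames):
    """Hostnames clients connect to that no name in the certificate covers."""
    return [h for h in used_hostnames
            if not any(name_matches(c, h) for c in cert_names)]


if __name__ == "__main__":
    # Both names appear in the ticket: the certificate's and the URL's.
    used = ["svn.research-infrastructures.eu",
            "svn.driver.research-infrastructures.eu"]
    candidates = {
        "as reported by svn": ["svn.research-infrastructures.eu"],
        "constructed: domain wildcard": ["*.research-infrastructures.eu"],
        "constructed: both names listed": list(used),
    }
    for label, names in candidates.items():
        print(f"{label}: uncovered = {uncovered(names, used)}")
```

A wildcard for the parent domain still leaves `svn.driver.research-infrastructures.eu` uncovered, so the alias has to be listed explicitly in the certificate's names.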
Updated by Andrea Dell'Amico over 6 years ago
- Status changed from In Progress to Closed
We can close this one.