Task #4243
closed
Migrate SSL certificate from GARR/TERENA to Let's Encrypt
Added by Tommaso Piccioli almost 9 years ago.
Updated over 6 years ago.
Assignee:
_InfraScience Systems Engineer
Estimated time:
(Total: 0.00 h)
Infrastructure:
Production
Description
These are the expiration dates of the current TERENA SSL certificates:
May 28 23:59:59 2016 GMT cert-4781-www.i-marine.d4science.org.pem
Jun 20 23:59:59 2016 GMT cert-4915-www.d4science.org.pem
Jun 20 23:59:59 2016 GMT cert-4916-www.eubrazilopenbio.d4science.org.pem
Sep 2 23:59:59 2016 GMT cert-5264-support.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6287-sp.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6288-social.isti.cnr.it.pem
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Apr 29 23:59:59 2017 GMT cert-7006-dev2.d4science.org.pem
Apr 29 23:59:59 2017 GMT cert-7007-bionym.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jun 30 23:59:59 2017 GMT cert-7369-egip.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Jan 20 23:59:59 2018 GMT cert-8523-smartforms.d4science.org.pem
Feb 18 23:59:59 2018 GMT cert-8733-vre.d4science.org.pem
Feb 19 23:59:59 2018 GMT cert-8742-services.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Mar 17 23:59:59 2018 GMT cert-8942-www.gcube-system.org.pem
Mar 31 23:59:59 2018 GMT cert-9008-support.gcube-system.org.pem
Apr 9 23:59:59 2018 GMT cert-9055-wiki.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9056-wiki.gcube-system.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 15 23:59:59 2018 GMT cert-9899-descramble.d4science.org.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9981-bluebridge.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
- Status changed from New to In Progress
I generated with letsencrypt:
portal.d4science.org
www.d4science.org
www.gcube-system.org
They are on the same host (www.d4science.org and www.gcube-system.org also have different IPs, but it seems that they are not needed?)
- Related to Task #4765: Renew the wiki certificates added
Today's status:
Feb 18 23:59:59 2017 GMT cert-6287-sp.d4science.org.pem
Feb 18 23:59:59 2017 GMT cert-6288-social.isti.cnr.it.pem
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
- ci.research-infrastructures.eu and ci.d4science.org are the same host
- chimaera and smartfish are the same host
- on couchdb and nexus/maven we never used SSL
- geothermcatalog.d4science.org is on an IGG host
- virtuoso.i-marine.d4science.org is on a nkua host and it seems to not use SSL, probably an old alias
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu
Apr 26 13:41:47 2017 GMT manage.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=manage.research-infrastructures.eu
GARR
Mar 10 23:59:59 2017 GMT cert-6402-support.social.isti.cnr.it.pem
Mar 17 23:59:59 2017 GMT cert-6456-cotrix.d4science.org.pem
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Jun 10 23:59:59 2017 GMT cert-7258-cotrix-dev.d4science.org.pem
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 18 23:59:59 2018 GMT cert-9919-workspace-repository-dev.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu (!!! already out of time, still needed?)
Apr 26 13:41:47 2017 GMT manage.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=manage.research-infrastructures.eu
GARR
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem (!!! already out of time)
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem (still needed?)
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Mar 1 23:59:59 2018 GMT cert-8823-chimaera.d4science.org.pem
Apr 9 23:59:59 2018 GMT cert-9057-svn.research-infrastructures.eu.pem
Jun 24 23:59:59 2018 GMT cert-9974-workspace-repository.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9982-accounting-d4s.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9983-couchdb-d4s.d4science.org.pem (to be dismissed)
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9992-nexus.d4science.org.pem (not used at the moment)
Jun 25 23:59:59 2018 GMT cert-9993-ci.research-infrastructures.eu.pem
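The by-hand triage in the list above ("already out of time"), automated as an added example that is not part of the original ticket. It parses lines in the listing's own format (the `notAfter` date as OpenSSL prints it, followed by a name) and classifies each certificate; the reference date `ASSUMED_NOW` and the 30-day warning window are assumptions, since the page does not give the date of the comment.

```python
from datetime import datetime, timedelta, timezone

# Five lines copied from the listing above; the INFN entries carry a subject DN
# after the host name, the GARR entries are bare file names.
LISTING = """\
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu
Apr 26 13:41:47 2017 GMT manage.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=manage.research-infrastructures.eu
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem
Aug 7 23:59:59 2017 GMT cert-7556-geothermcatalog.d4science.org.pem
Jun 25 23:59:59 2018 GMT cert-9991-ci.d4science.org.pem
"""

# Assumption: a date that falls between the two expiry annotations in the comment.
ASSUMED_NOW = datetime(2017, 4, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Split 'Mon D HH:MM:SS YYYY GMT <name> [subject]' into (not_after, name)."""
    parts = line.split()
    if len(parts) < 6 or parts[4] != "GMT":
        raise ValueError(f"unrecognised listing line: {line!r}")
    # %b expects English month names, which is what OpenSSL prints.
    not_after = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return not_after.replace(tzinfo=timezone.utc), parts[5]


def triage(listing, now, warn_days=30):
    """Return {name: status}; status is EXPIRED, RENEW_SOON or OK."""
    result = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        not_after, name = parse_line(line)
        if not_after <= now:
            result[name] = "EXPIRED"
        elif not_after - now <= timedelta(days=warn_days):
            result[name] = "RENEW_SOON"
        else:
            result[name] = "OK"
    return result


if __name__ == "__main__":
    for name, status in triage(LISTING, ASSUMED_NOW).items():
        print(f"{status:<11}{name}")
```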
Tommaso Piccioli wrote:
INFN
Mar 10 13:59:07 2017 GMT gitorious.research-infrastructures.eu /C=IT/O=INFN/OU=Host/L=NMIS-ISTI/CN=gitorious.research-infrastructures.eu (!!! already out of time, still needed?)
Yes but it's internal only. We can live with it until we can kill that service.
GARR
Mar 25 23:59:59 2017 GMT cert-6510-smartfish.d4science.org.pem (!!! already out of time)
Jul 22 23:59:59 2017 GMT cert-7467-virtuoso.i-marine.d4science.org.pem (still needed?)
I don't know anything about these ones. The second one is even outside our network:
host virtuoso.i-marine.d4science.org
virtuoso.i-marine.d4science.org is an alias for dl048.madgik.di.uoa.gr.
dl048.madgik.di.uoa.gr has address 88.197.53.48
dl048.madgik.di.uoa.gr has IPv6 address 64:ff9b::58c5:3530
@pasquale.pagano@isti.cnr.it any hints?
smartfish.d4science.org and chimaera.d4science.org are the same host/service.
Both have the same service on port 80, while on port 443 (SSL) the portal does not finish the "portal loading" phase.
It is a long time since we lost control of this host; we only provided the SSL keys (which apparently they never use).
virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it in that site.
Pasquale Pagano wrote:
virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it in that site.
OK. So we need to ask UoA if they are able to start using letsencrypt to manage that certificate. Otherwise we will need to find a responsive certificate provider. @roberto.cirillo@isti.cnr.it is Kostas still the contact there?
About smartfish.d4science.org. Is it still in use? If so we will have to provision at least the letsencrypt/apache part.
Andrea Dell'Amico wrote:
Pasquale Pagano wrote:
virtuoso.i-marine.d4science.org is a service that we exploit. It is located on the University of Athens site. What else should I report? We would continue to host it in that site.
OK. So we need to ask UoA if they are able to start using letsencrypt to manage that certificate. Otherwise we will need to find a responsive certificate provider. @roberto.cirillo@isti.cnr.it is Kostas still the contact there?
Yes, as far as I know.
About smartfish.d4science.org. Is it still in use? If so we will have to provision at least the letsencrypt/apache part.
Yes, it is still in use. Please start provisioning the certificate for it.
I was not able to make letsencrypt work on manage.d4science.org. The distribution is too old, even after having gathered all the missing CA certificates the procedure still fails. I can only think of moving all those services behind a reverse proxy that lives on a different host.
Or we can go on with the INFN certificate for the services on manage.
Tommaso Piccioli wrote:
Or we can go on with the INFN certificate for the services on manage.
Yes. Better, maybe.
From that list the only missing host seems to be svn.research-infrastructures.eu. Another reason to move the service to a new host (and rename it, but I guess that the current name is going to stay for a while).
- Blocks Task #11394: Dismiss certs.research-infrastructures.eu added
Andrea Dell'Amico wrote:
From that list the only missing host seems to be svn.research-infrastructures.eu. Another reason to move the service to a new host (and rename it, but I guess that the current name is going to stay for a while).
Waiting for #2661, new certificate for svn.research-infrastructures.eu from TERENA, "Validity not after: Jul 8 00:00:00 2020 GMT"
I get a message regarding problems with the certificate on the svn server:
alessia@nb-bardi:~/workspace45/dnet-download-service$ svn info
Path: .
Working Copy Root Path: /Users/alessia/workspace45/dnet-download-service
URL: https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-download-service/trunk
Relative URL: ^/dnet45/modules/dnet-download-service/trunk
Repository Root: https://svn.driver.research-infrastructures.eu/driver
[. . .]
alessia@nb-bardi:~/workspace45/dnet-download-service$ svn up
Updating '.':
Error validating server certificate for 'https://svn.driver.research-infrastructures.eu:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: svn.research-infrastructures.eu
- Valid: from Apr 5 00:00:00 2018 GMT until Jul 8 00:00:00 2020 GMT
- Issuer: TERENA SSL CA 3, TERENA, Amsterdam, Noord-Holland, NL
- Fingerprint: D2:A1:5C:48:5A:A4:1D:D2:91:D5:68:A4:5F:71:E6:55:21:63:F1:47
Note the line " - The certificate hostname does not match.". I have accepted the certificate anyway, but you may want to do something to solve it.
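The hostname mismatch reported above, reproduced as an added example that is not part of the original ticket: a small RFC 6125 style name check showing which client-side URLs a certificate covers. It assumes the certificate lists only the name shown in the `Hostname:` line; the wildcard entry is constructed to show that a wildcard on the parent domain would not cover the alias either.

```python
from urllib.parse import urlsplit


def labels(name):
    """Lower-case DNS labels of a name, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """A '*' is honoured only as the complete left-most label of the pattern."""
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require two fixed labels after the wildcard so '*.eu' cannot match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, cert_names):
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered_hosts(urls, cert_names):
    """Hosts taken from client URLs that the certificate's names do not cover."""
    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(h for h in hosts if not cert_covers(h, cert_names))


# Name from the 'Hostname:' line of the svn output above.
CERT_NAMES = ["svn.research-infrastructures.eu"]
# Repository root from the 'svn info' output above, plus the canonical name.
CLIENT_URLS = [
    "https://svn.driver.research-infrastructures.eu/driver",
    "https://svn.research-infrastructures.eu/",
]

if __name__ == "__main__":
    for host in uncovered_hosts(CLIENT_URLS, CERT_NAMES):
        print("not covered, needs its own subjectAltName entry:", host)
```

Every alias that working copies still point at has to appear as a DNS name in the certificate, or clients will keep seeing the warning and accepting the certificate by hand.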
- Status changed from In Progress to Closed