Apache Ignite Developers - Legacy Mail Archive

SSL certificate for the CI server

Classic

List

Threaded

9 messages Options

Konstantin Boudnik-2

SSL certificate for the CI server

Hey guys.

I've noticed that https://ci.ignite.apache.org/ has two issues:
- it has the invalid certificate
- the CI server isn't responding on the https port (there's only ngnix)

I don't about the rest of the group here, but all my browsers are enforcing
HTTPS connections for the obvious reasons. I have to add an exception
for the CI server to get in, which is a minor inconvenience compared to the
security risks. I suggest we fix both issues.
1. Getting a valid certificate is easy and doesn't cost a dime nowadays.
Here's the very details set of instructions on how we do it for Apache
Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be happy to
help with this.
2. Reconfiguring the server to respond only on HTTPS port. That's another easy
thing to do for anyone with the access to the box. I don't have this, so
it'd be someone else.

Thoughts?
Cos

[1] https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster

signature.asc (237 bytes) Download Attachment

dmagda

Re: SSL certificate for the CI server

Hi Cos,

Alexey Chetaev, please join the conversation and share your thoughts on this.

—
Denis

> On Jul 19, 2017, at 9:44 AM, Konstantin Boudnik <[hidden email]> wrote:
>
> Hey guys.
>
> I've noticed that https://ci.ignite.apache.org/ has two issues:
> - it has the invalid certificate
> - the CI server isn't responding on the https port (there's only ngnix)
>
> I don't about the rest of the group here, but all my browsers are enforcing
> HTTPS connections for the obvious reasons. I have to add an exception
> for the CI server to get in, which is a minor inconvenience compared to the
> security risks. I suggest we fix both issues.
> 1. Getting a valid certificate is easy and doesn't cost a dime nowadays.
> Here's the very details set of instructions on how we do it for Apache
> Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be happy to
> help with this.
> 2. Reconfiguring the server to respond only on HTTPS port. That's another easy
> thing to do for anyone with the access to the box. I don't have this, so
> it'd be someone else.
>
> Thoughts?
> Cos
>
> [1] https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster
>

Aleksey Chetaev

Re: SSL certificate for the CI server

Hi,

A know GlobalSing support open source projects for free(https://www.globalsign.com/en/ssl/ssl-open-source/).
We can request certificates from them, it will be more easy for me. Any objection?

Denis Magda-2 wrote

Hi Cos,

Alexey Chetaev, please join the conversation and share your thoughts on this.

—
Denis

> On Jul 19, 2017, at 9:44 AM, Konstantin Boudnik <[hidden email]> wrote:
>
> Hey guys.
>
> I've noticed that https://ci.ignite.apache.org/ has two issues:
> - it has the invalid certificate
> - the CI server isn't responding on the https port (there's only ngnix)
>
> I don't about the rest of the group here, but all my browsers are enforcing
> HTTPS connections for the obvious reasons. I have to add an exception
> for the CI server to get in, which is a minor inconvenience compared to the
> security risks. I suggest we fix both issues.
> 1. Getting a valid certificate is easy and doesn't cost a dime nowadays.
> Here's the very details set of instructions on how we do it for Apache
> Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be happy to
> help with this.
> 2. Reconfiguring the server to respond only on HTTPS port. That's another easy
> thing to do for anyone with the access to the box. I don't have this, so
> it'd be someone else.
>
> Thoughts?
> Cos
>
> [1] https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster
>

Konstantin Boudnik-2

Re: SSL certificate for the CI server

I have never heard about this provider, and it is great they are donating
their resources to the FOSS. I quick glance on their site has reveiled a
couple of issues:
- the page for the "Standard Agreement" returns 404 [1]. I won't be willing to
agree to something I cannot read upfront.
- the process seems to be manual.

The reason I like [2] is because it's backed by EFF and has a huge user base
(over 100 millions certificates to date) [3]

The process has been debugged already for other Apache projects, so I don't
really see why we need to go to someone else?

[1] https://www.globalsign.com/en/repository/globalsign-subscriber-agreement-digital-certificates-and-services.pdf
[2] https://letsencrypt.org/
[3] https://www.eff.org/deeplinks/2017/06/lets-encrypt-has-issued-100-million-certificates

Thanks,
Cos

On Wed, Jul 19, 2017 at 09:41PM, Aleksey Chetaev wrote:

> Hi,
>
> A know GlobalSing support open source projects for
> free(https://www.globalsign.com/en/ssl/ssl-open-source/).
> We can request certificates from them, it will be more easy for me. Any
> objection?
>
>
> Denis Magda-2 wrote
> > Hi Cos,
> >
> > Alexey Chetaev, please join the conversation and share your thoughts on
> > this.
> >
> > —
> > Denis
> >
> >> On Jul 19, 2017, at 9:44 AM, Konstantin Boudnik <
>
> > cos@
>
> > > wrote:
> >>
> >> Hey guys.
> >>
> >> I've noticed that https://ci.ignite.apache.org/ has two issues:
> >> - it has the invalid certificate
> >> - the CI server isn't responding on the https port (there's only ngnix)
> >>
> >> I don't about the rest of the group here, but all my browsers are
> >> enforcing
> >> HTTPS connections for the obvious reasons. I have to add an exception
> >> for the CI server to get in, which is a minor inconvenience compared to
> >> the
> >> security risks. I suggest we fix both issues.
> >> 1. Getting a valid certificate is easy and doesn't cost a dime nowadays.
> >> Here's the very details set of instructions on how we do it for Apache
> >> Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be
> >> happy to
> >> help with this.
> >> 2. Reconfiguring the server to respond only on HTTPS port. That's another
> >> easy
> >> thing to do for anyone with the access to the box. I don't have this,
> >> so
> >> it'd be someone else.
> >>
> >> Thoughts?
> >> Cos
> >>
> >> [1]
> >> https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster
> >>
>
>
>
>
>
> --
> View this message in context: http://apache-ignite-developers.2346864.n4.nabble.com/SSL-certificate-for-the-CI-server-tp19830p19840.html
> Sent from the Apache Ignite Developers mailing list archive at Nabble.com.

signature.asc (237 bytes) Download Attachment

Aleksey Chetaev

Re: SSL certificate for the CI server

Konstantin,
Ok, no objections from my side. I need some times for read documentation. I hope we will finished in two weeks.

http://reviews.ignite.apache.org - will setup for ssl using too.

Konstantin Boudnik-2 wrote

I have never heard about this provider, and it is great they are donating
their resources to the FOSS. I quick glance on their site has reveiled a
couple of issues:
- the page for the "Standard Agreement" returns 404 [1]. I won't be willing to
agree to something I cannot read upfront.
- the process seems to be manual.

The reason I like [2] is because it's backed by EFF and has a huge user base
(over 100 millions certificates to date) [3]

The process has been debugged already for other Apache projects, so I don't
really see why we need to go to someone else?

[1] https://www.globalsign.com/en/repository/globalsign-subscriber-agreement-digital-certificates-and-services.pdf
[2] https://letsencrypt.org/
[3] https://www.eff.org/deeplinks/2017/06/lets-encrypt-has-issued-100-million-certificates

Thanks,
Cos

On Wed, Jul 19, 2017 at 09:41PM, Aleksey Chetaev wrote:
> Hi,
>
> A know GlobalSing support open source projects for
> free(https://www.globalsign.com/en/ssl/ssl-open-source/).
> We can request certificates from them, it will be more easy for me. Any
> objection?
>
>
> Denis Magda-2 wrote
> > Hi Cos,
> >
> > Alexey Chetaev, please join the conversation and share your thoughts on
> > this.
> >
> > —
> > Denis
> >
> >> On Jul 19, 2017, at 9:44 AM, Konstantin Boudnik <
>
> > cos@
>
> > > wrote:
> >>
> >> Hey guys.
> >>
> >> I've noticed that https://ci.ignite.apache.org/ has two issues:
> >> - it has the invalid certificate
> >> - the CI server isn't responding on the https port (there's only ngnix)
> >>
> >> I don't about the rest of the group here, but all my browsers are
> >> enforcing
> >> HTTPS connections for the obvious reasons. I have to add an exception
> >> for the CI server to get in, which is a minor inconvenience compared to
> >> the
> >> security risks. I suggest we fix both issues.
> >> 1. Getting a valid certificate is easy and doesn't cost a dime nowadays.
> >> Here's the very details set of instructions on how we do it for Apache
> >> Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be
> >> happy to
> >> help with this.
> >> 2. Reconfiguring the server to respond only on HTTPS port. That's another
> >> easy
> >> thing to do for anyone with the access to the box. I don't have this,
> >> so
> >> it'd be someone else.
> >>
> >> Thoughts?
> >> Cos
> >>
> >> [1]
> >> https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster
> >>
>
>
>
>
>
> --
> View this message in context: http://apache-ignite-developers.2346864.n4.nabble.com/SSL-certificate-for-the-CI-server-tp19830p19840.html
> Sent from the Apache Ignite Developers mailing list archive at Nabble.com.

signature.asc (237 bytes) <http://apache-ignite-developers.2346864.n4.nabble.com/attachment/19933/0/signature.asc>

Konstantin Boudnik-2

Re: SSL certificate for the CI server

Good point! Thanks! Please let me know if you need any assistance from me
--
With regards,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616 6115 220F 6980 1F27 E622

Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.

On Wed, Jul 26, 2017 at 2:29 AM, Aleksey Chetaev <[hidden email]> wrote:

> Konstantin,
> Ok, no objections from my side. I need some times for read documentation. I
> hope we will finished in two weeks.
>
> http://reviews.ignite.apache.org - will setup for ssl using too.
>
>
>
> Konstantin Boudnik-2 wrote
>> I have never heard about this provider, and it is great they are donating
>> their resources to the FOSS. I quick glance on their site has reveiled a
>> couple of issues:
>> - the page for the "Standard Agreement" returns 404 [1]. I won't be
>> willing to
>> agree to something I cannot read upfront.
>> - the process seems to be manual.
>>
>> The reason I like [2] is because it's backed by EFF and has a huge user
>> base
>> (over 100 millions certificates to date) [3]
>>
>> The process has been debugged already for other Apache projects, so I
>> don't
>> really see why we need to go to someone else?
>>
>> [1]
>> https://www.globalsign.com/en/repository/globalsign-subscriber-agreement-digital-certificates-and-services.pdf
>> [2] https://letsencrypt.org/
>> [3]
>> https://www.eff.org/deeplinks/2017/06/lets-encrypt-has-issued-100-million-certificates
>>
>> Thanks,
>> Cos
>>
>> On Wed, Jul 19, 2017 at 09:41PM, Aleksey Chetaev wrote:
>>> Hi,
>>>
>>> A know GlobalSing support open source projects for
>>> free(https://www.globalsign.com/en/ssl/ssl-open-source/).
>>> We can request certificates from them, it will be more easy for me. Any
>>> objection?
>>>
>>>
>>> Denis Magda-2 wrote
>>> > Hi Cos,
>>> >
>>> > Alexey Chetaev, please join the conversation and share your thoughts on
>>> > this.
>>> >
>>> > —
>>> > Denis
>>> >
>>> >> On Jul 19, 2017, at 9:44 AM, Konstantin Boudnik <
>>>
>>> > cos@
>>>
>>> > > wrote:
>>> >>
>>> >> Hey guys.
>>> >>
>>> >> I've noticed that https://ci.ignite.apache.org/ has two issues:
>>> >> - it has the invalid certificate
>>> >> - the CI server isn't responding on the https port (there's only
>>> ngnix)
>>> >>
>>> >> I don't about the rest of the group here, but all my browsers are
>>> >> enforcing
>>> >> HTTPS connections for the obvious reasons. I have to add an exception
>>> >> for the CI server to get in, which is a minor inconvenience compared
>>> to
>>> >> the
>>> >> security risks. I suggest we fix both issues.
>>> >> 1. Getting a valid certificate is easy and doesn't cost a dime
>>> nowadays.
>>> >> Here's the very details set of instructions on how we do it for
>>> Apache
>>> >> Bigtop. They are easily applicable in Ignite CI's case [1]. I'd be
>>> >> happy to
>>> >> help with this.
>>> >> 2. Reconfiguring the server to respond only on HTTPS port. That's
>>> another
>>> >> easy
>>> >> thing to do for anyone with the access to the box. I don't have
>>> this,
>>> >> so
>>> >> it'd be someone else.
>>> >>
>>> >> Thoughts?
>>> >> Cos
>>> >>
>>> >> [1]
>>> >>
>>> https://cwiki.apache.org/confluence/display/BIGTOP/Bigtop+CI+Setup+Guide#BigtopCISetupGuide-Advancedpart:SetupaSSLsecuredJenkinsmaster
>>> >>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> View this message in context:
>>> http://apache-ignite-developers.2346864.n4.nabble.com/SSL-certificate-for-the-CI-server-tp19830p19840.html
>>> Sent from the Apache Ignite Developers mailing list archive at
>>> Nabble.com.
>>
>>
>> signature.asc (237 bytes)
>> <http://apache-ignite-developers.2346864.n4.nabble.com/attachment/19933/0/signature.asc>
>
>
>
>
>
> --
> View this message in context: http://apache-ignite-developers.2346864.n4.nabble.com/SSL-certificate-for-the-CI-server-tp19830p20066.html
> Sent from the Apache Ignite Developers mailing list archive at Nabble.com.

Aleksey Chetaev

Re: SSL certificate for the CI server

If anyone can’t sleep at night
If anyone sleep very bad
If you afraid that your password
Can evil hacker steal right now

For they we worked day and night
Don’t slept and worked fully days
And finish with https
Teamcity for, Igniters for.

https://ci.ignite.apache.org

dsetrakyan

Re: SSL certificate for the CI server

I was asleep and woke up in cold sweat realizing that I don't have the
login to TC. How do I get one?

On Fri, Aug 4, 2017 at 10:53 PM, Aleksey Chetaev <[hidden email]>
wrote:

> If anyone can’t sleep at night
> If anyone sleep very bad
> If you afraid that your password
> Can evil hacker steal right now
>
> For they we worked day and night
> Don’t slept and worked fully days
> And finish with https
> Teamcity for, Igniters for.
>
> https://ci.ignite.apache.org
>
>
>
> --
> View this message in context: http://apache-ignite-
> developers.2346864.n4.nabble.com/SSL-certificate-for-the-
> CI-server-tp19830p20532.html
> Sent from the Apache Ignite Developers mailing list archive at Nabble.com.
>

Dmitriy Pavlov

Re: SSL certificate for the CI server

Hi Dmitriy,

I can see your user in user list. Moreover according to recent discussion
http://apache-ignite-developers.2346864.n4.nabble.com/CI-Server-permissions-changed-td18500.html
you have admin rigths.

It is possible to 'Reset Password' using link on login page and passoword
reset link will be sent to your email.

Sincerely,
Dmitriy Pavlov

сб, 5 авг. 2017 г. в 1:07, Dmitriy Setrakyan <[hidden email]>:

> I was asleep and woke up in cold sweat realizing that I don't have the
> login to TC. How do I get one?
>
> On Fri, Aug 4, 2017 at 10:53 PM, Aleksey Chetaev <[hidden email]>
> wrote:
>
> > If anyone can’t sleep at night
> > If anyone sleep very bad
> > If you afraid that your password
> > Can evil hacker steal right now
> >
> > For they we worked day and night
> > Don’t slept and worked fully days
> > And finish with https
> > Teamcity for, Igniters for.
> >
> > https://ci.ignite.apache.org
> >
> >
> >
> > --
> > View this message in context: http://apache-ignite-
> > developers.2346864.n4.nabble.com/SSL-certificate-for-the-
> > CI-server-tp19830p20532.html
> > Sent from the Apache Ignite Developers mailing list archive at
> Nabble.com.
> >
>