[Buildroot] [psa] various server software upgrades
Mike Frysinger
vapier at gentoo.org
Mon Dec 7 18:51:06 UTC 2015
On 07 Dec 2015 07:34, Peter Korsgaard wrote:
> >>>>> "Mike" == Mike Frysinger <vapier at gentoo.org> writes:
>
> >> > Unfortunately, we do have subdomains that are not https-enabled, and are
> >> > on another machine:
> >> > http://autobuild.buildroot.org/
> >>
> >> sources.buildroot.{org,net} is another example (even though that it
> >> normally only accessed from wget, so less critical).
>
> > there's really no reason you can't generate a cert for those domains using
> > let's encrypt. let's encrypt doesn't require you to own the root domain,
> > just be in control of the web server the domain resolves to.
>
> Ok, but for sources.buildroot.net I wouldn't want to enforce TLS as
> E.G. wget on ancient enterprice dists wont recognize the CA and fail.
are you sure about that ? LE's CA is cross-signed and has pretty good support:
https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394
> >> We have the same problem for lists.{buildroot,busybox,uclibc}.*, as that
> >> ends up serving an osuosl certificate.
>
> > those aren't a new issue ... they've always used osuosl certs. those are
> > out of my control.
>
> Yes, but with the HSTS headers we now force people to access it through
> https, and atleast my browser won't allow it because the certificate
> doesn't match.
so click through the warning message. firefox/chrome/etc... have no problem
here.
> >> Then we might
> >> consider if we could HTTPS enable some of these subdomains, but they are
> >> on different hosts, which complicates stuff (E.G. we presumably need to
> >> distribute the buildroot.org private keys and update everywhere every 90
> >> days).
>
> > there is no need to distribute the same keys here. just generate ones
> > for the domains in question using let's encrypt.
>
> I'll have a look at generating letsencrypt keys for nightly.* and
> patchwork.*.
>
> Any specific hints about it?
$ letsencrypt certonly --webroot --webroot-path /path/to/your/webserver/ \
-d main-dns-name -d an-alias-if-you-have-one -d more...
so for bugzilla i used:
$ letsencrypt certonly --webroot \
--webroot-path /var/www/bugstest.busybox.net/htdocs/ \
-d bugstest.busybox.net -d bugstest.uclibc.org -d bugstest.buildroot.net \
-d bugstest.buildroot.org
-mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20151207/b2df0a80/attachment.asc>
More information about the buildroot
mailing list