The SSL certificate on lsst-demo is set to expire on 2020-01-27; this ticket reminds us of the need to renew it, retire the server, or find some other solution by then.
Traditionally this task has been done by IPAC; we also need to decide whether that's the right longer-term model.
- is triggered by DM-22005 Renew lsst-demo SSL certificate - Fall 2019
System is at NCSA. lsst-demo. Bill Glick [X] is the owner. I have no idea about the previous payment. We do want to move this to a different server in the next year... but I don't know the IPAC plans for firefly.
To clarify, the current certificate is actually part of a web proxy Docker container 'ipac/proxy' that IPAC runs on the server. IPAC is using a free certificate from Let's Encrypt that they are manually having to renew approximately every 3 months. I've never been asked to manage the web proxy or certificate on this server.
If you are not ready to move Firefly from this 'temporary' server yet, we could replace IPAC's proxy container with a managed web proxy that NCSA could get a no-cost real certificate for that would be valid for 2 years.
Or we could probably just proxy it from the existing lsst-web.ncsa.illinois.edu server, so that it would be accessible via https://lsst-web.ncsa.illinois.edu/firefly.
For the time being, I have set up a cron entry on the lsst-demo server to run the following on the 10th and 25th of each month to automatically renew the certificate from Let's Encrypt:
# -it removed: cron provides no TTY, and "docker exec -t" fails without one
/bin/docker exec proxy /usr/bin/certbot renew --renew-hook 'service apache2 reload' --quiet
I can't test the renewal till the certificate is ~30 days old, but it should work as soon as the certificate is due for renewal.
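An added example, not part of the ticket or of NCSA's or IPAC's tooling: it simulates the 10th/25th schedule described above to show how many days remain on the certificate when a run first renews it. It assumes certbot's default behaviour of renewing once fewer than 30 days remain; the function names and the sample "today" date are constructed for illustration.

```python
from datetime import date, timedelta

RENEW_WINDOW_DAYS = 30  # assumption: certbot renews once fewer than 30 days remain
CRON_DAYS = (10, 25)    # days of the month the cron entry above fires


def cron_runs(start, end, days=CRON_DAYS):
    """Yield each scheduled run date in [start, end]."""
    d = start
    while d <= end:
        if d.day in days:
            yield d
        d += timedelta(days=1)


def first_renewing_run(not_after, today, days=CRON_DAYS, window=RENEW_WINDOW_DAYS):
    """Return (run_date, days_left) for the first run at which certbot would
    renew, or None if the certificate expires before any run qualifies."""
    for run in cron_runs(today, not_after, days):
        left = (not_after - run).days
        if left < window:
            return run, left
    return None


def worst_case_margin(year, days=CRON_DAYS, window=RENEW_WINDOW_DAYS):
    """Smallest number of days left at renewal over every expiry date in `year`.
    Returns None if some expiry date is never renewed in time (a lapse)."""
    margins = []
    d = date(year, 1, 1)
    while d.year == year:
        hit = first_renewing_run(d, d - timedelta(days=90), days, window)
        if hit is None:
            return None
        margins.append(hit[1])
        d += timedelta(days=1)
    return min(margins)


if __name__ == "__main__":
    # Expiry date from the ticket; "today" is a constructed sample date.
    print(first_renewing_run(date(2020, 1, 27), date(2019, 11, 1)))
    print(worst_case_margin(2020))             # schedule from the ticket
    print(worst_case_margin(2020, days=(1,)))  # hypothetical once-a-month schedule
```

The worst-case figure is the time available to notice and fix a failed renewal before the certificate lapses, so an expiry alert should fire above that margin.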
This work was done when it was needed, but the ticket was inadvertently left open.
Closing now, with the additional note that, of course, with the transition to the USDF, the lsst-demo service is now retired altogether.
Where is the server hosted? Who is the owner of the server? What account has been paying for it previously? How long should the cert be for, 2 or 3 is typical but can do 1yr?