  1. Data Management
  2. DM-22010

Renew lsst-demo SSL certificate - Winter 2020


    Details

    • Type: Story
    • Status: Done
    • Resolution: Done
    • Fix Version/s: None
    • Component/s: Firefly, SUIT
    • Labels:
    • Story Points:
      1
    • Team:
      Data Facility

      Description

      The SSL certificate on lsst-demo is set to expire on 2020-01-27; this ticket reminds us of the need to renew it, retire the server, or find some other solution by then.

      Traditionally this task has been done by IPAC; we also need to decide whether that's the right longer-term model.

            Activity

            igoodenow Iain Goodenow added a comment -

            Where is the server hosted? Who is the owner of the server? What account has been paying for it previously? How long should the cert be for, 2 or 3 is typical but can do 1yr?

            mbutler Michelle Butler [X] (Inactive) added a comment -

            System is at NCSA. lsst-demo. Bill Glick [X] is the owner. I have no idea about the previous payment. We do want to move this to a different server in the next year... but I don't know the IPAC plans for Firefly.

             

            bglick Bill Glick [X] (Inactive) added a comment -

            To clarify, the current certificate is actually part of a web proxy Docker container 'ipac/proxy' that IPAC runs on the server. IPAC is using a free certificate from Let's Encrypt that they are manually having to renew approximately every 3 months. I've never been asked to manage the web proxy or certificate on this server.

            If you are not ready to move Firefly from this 'temporary' server yet, we could replace IPAC's proxy container with a managed web proxy that NCSA could get a no-cost real certificate for that would be valid for 2 years.

            Or we could probably just proxy it from the existing lsst-web.ncsa.illinois.edu server, so that it would be accessible via https://lsst-web.ncsa.illinois.edu/firefly .

            bglick Bill Glick [X] (Inactive) added a comment - - edited

            For the time being, I have set up a cron entry on the lsst-demo server to run the following on the 10th and 25th of each month to automatically renew the certificate from Let's Encrypt:

            /bin/docker exec -it proxy /usr/bin/certbot renew --renew-hook 'service apache2 reload' --quiet
            

            I can't test the renewal till the certificate is ~30 days old, but it should work as soon as the certificate is due for renewal.
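
            An added example, not part of the ticket or of IPAC's or NCSA's tooling: it counts how many runs of a 10th/25th cron schedule fall inside the renewal window before a certificate expires, which is the margin an operator has if a run fails. The 30-day threshold, the 03:00 UTC run time and the time of day on the expiry date are assumptions; the expiry date is the one in the ticket description.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumption: certbot's default renewal threshold
CRON_DAYS = (10, 25)               # days of month named in the ticket comment
CRON_HOUR = 3                      # assumption: the ticket gives no time of day


def parse_not_after(text):
    """Parse the date part of `openssl x509 -enddate` output."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def renewal_attempts(not_after):
    """Cron runs that fall inside the renewal window and before expiry."""
    window_start = not_after - RENEW_WINDOW
    run = window_start.replace(hour=CRON_HOUR, minute=0, second=0, microsecond=0)
    runs = []
    while run < not_after:
        if run.day in CRON_DAYS and run > window_start:
            runs.append(run)
        run += timedelta(days=1)
    return runs


def fewest_attempts(year):
    """Smallest number of usable cron runs over every expiry date in a year."""
    day = datetime(year, 1, 1, 12, tzinfo=timezone.utc)
    counts = []
    while day.year == year:
        counts.append(len(renewal_attempts(day)))
        day += timedelta(days=1)
    return min(counts)


if __name__ == "__main__":
    # Expiry date from the ticket; the time of day is constructed.
    expiry = parse_not_after("Jan 27 12:00:00 2020 GMT")
    for run in renewal_attempts(expiry):
        print(run.isoformat(), "leaves", (expiry - run).days, "days")
    print("fewest attempts in 2020:", fewest_attempts(2020))
```

            Because `--quiet` suppresses output, a failed run is easy to miss, so a schedule that leaves only one or two attempts is usually paired with an independent expiry check. Cron also provides no terminal, so `docker exec` is normally run there without `-t`.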

            gpdf Gregory Dubois-Felsmann added a comment -

            This work was done when it was needed, but the ticket was inadvertently left open.

            Closing now, with the additional note that, of course, with the transition to the USDF, the lsst-demo service is now retired altogether.


              People

              Assignee:
              Unassigned
              Reporter:
              gpdf Gregory Dubois-Felsmann
              Watchers:
              Bill Glick [X] (Inactive), Frossie Economou, Gregory Dubois-Felsmann, Iain Goodenow, Loi Ly, Michelle Butler [X] (Inactive)