# Renew lsst-demo SSL certificate - Winter 2020


#### Details

• Type: Story
• Status: Done
• Resolution: Done
• Fix Version/s: None
• Component/s:
• Labels:
• Story Points: 1
• Team: Data Facility

#### Description

The SSL certificate on lsst-demo is set to expire on 2020-01-27; this ticket reminds us of the need to renew it, retire the server, or find some other solution by then.

Traditionally this task has been done by IPAC; we also need to decide whether that's the right longer-term model.

#### Activity

Iain Goodenow added a comment -

Where is the server hosted? Who is the owner of the server? What account has been paying for it previously? How long should the cert be for, 2 or 3 is typical but can do 1yr?

Michelle Butler [X] (Inactive) added a comment -

System is at NCSA. lsst-demo. Bill Glick [X] is the owner. I have no idea about the previous payment. We do want to move this to a different server in the next year... but I don't know the IPAC plans for Firefly.

Bill Glick [X] (Inactive) added a comment -

To clarify, the current certificate is actually part of a web proxy Docker container 'ipac/proxy' that IPAC runs on the server. IPAC is using a free certificate from Let's Encrypt that they are manually having to renew approximately every 3 months. I've never been asked to manage the web proxy or certificate on this server.

If you are not ready to move Firefly from this 'temporary' server yet, we could replace IPAC's proxy container with a managed web proxy that NCSA could get a no-cost real certificate for that would be valid for 2 years.

Or we could probably just proxy it from the existing lsst-web.ncsa.illinois.edu server, so that it would be accessible via https://lsst-web.ncsa.illinois.edu/firefly .

Bill Glick [X] (Inactive) added a comment - - edited

For the time being, I have set up a cron entry on the lsst-demo server to run the following on the 10th and 25th of each month to automatically renew the certificate from Let's Encrypt:

 /bin/docker exec proxy /usr/bin/certbot renew --renew-hook 'service apache2 reload' --quiet

I can't test the renewal till the certificate is ~30 days old, but it should work as soon as the certificate is due for renewal.
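
An added example, not part of the ticket or of the setup described in the comment above: because the renewal job cannot be exercised until the certificate is due, an independent check of the certificate the server actually presents will catch a renewal that fails silently. It assumes GNU date and certbot's default 30-day renewal window; the function names, the HOST argument and the sample timestamps are constructed for this example.

```shell
#!/bin/sh
# Added example, not the ticket's code. Assumes GNU date and certbot's default
# 30-day renewal window. Function names and HOST are hypothetical.

# Seconds from epoch $2 until the date in an openssl "notAfter=..." line.
secs_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( end - $2 ))
}

# Runs on the 10th and 25th are at most 16 days apart, so with a 30-day
# renewal window a healthy certificate never has fewer than 14 days left.
classify() {  # $1 = seconds left, $2 = threshold in days
    if [ "$1" -le 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt $(( $2 * 86400 )) ]; then
        echo RENEWAL_OVERDUE
    else
        echo OK
    fi
}

# notAfter line of the certificate the server actually presents on port 443.
served_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

check_host() {  # usage: check_host HOST [THRESHOLD_DAYS]
    line=$(served_not_after "$1") || { echo "$1: NO_CERTIFICATE"; return 3; }
    secs=$(secs_left "$line" "$(date -u +%s)") || return 2
    status=$(classify "$secs" "${2:-14}")
    echo "$1: $status ($line)"
    [ "$status" = OK ]
}

# Constructed sample: a notAfter line as openssl prints it, checked on 2020-01-20.
sample_status() {
    now=$(date -u -d "Jan 20 00:00:00 2020 GMT" +%s)
    classify "$(secs_left 'notAfter=Jan 27 12:00:00 2020 GMT' "$now")" 14
}

# When called with a host name (for example from cron), run the live check.
if [ $# -gt 0 ]; then
    check_host "$@"
fi
```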

Gregory Dubois-Felsmann added a comment -

This work was done when it was needed, but the ticket was inadvertently left open.

Closing now, with the additional note that, of course, with the transition to the USDF, the lsst-demo service is now retired altogether.


#### People

Assignee: Unassigned
Reporter: Gregory Dubois-Felsmann
Watchers: Bill Glick [X] (Inactive), Frossie Economou, Gregory Dubois-Felsmann, Iain Goodenow, Loi Ly, Michelle Butler [X] (Inactive)