| [11:36:42] | * jerryitt has quit (Quit: Connection closed for inactivity) |
| [12:57:44] | * roycroft has quit (Ping timeout: 260 seconds) |
| [12:57:50] | * roycroft has joined #aegir |
| [17:26:06] | * ybabel has joined #aegir |
| [17:30:40] | * Linux_VT has quit (Ping timeout: 240 seconds) |
| [17:31:05] | * Linux_VT has joined #aegir |
| [18:42:12] | * cambridgeuis has joined #aegir |
| [18:46:01] | * gitterbot[m] has quit (Remote host closed the connection) |
| [18:46:03] | * ergonlogic[m] has quit (Remote host closed the connection) |
| [18:46:05] | * colan[m] has quit (Read error: Connection reset by peer) |
| [18:46:09] | * helmo42[m] has quit (Remote host closed the connection) |
| [18:46:11] | * Github[m] has quit (Remote host closed the connection) |
| [18:46:13] | * Github[jonpughma has quit (Read error: Connection reset by peer) |
| [18:46:14] | * jonpugh[m] has quit (Read error: Connection reset by peer) |
| [18:50:11] | * Github[m] has joined #aegir |
| [19:03:45] | * gitterbot[m] has joined #aegir |
| [19:03:52] | * colan[m] has joined #aegir |
| [19:03:52] | * helmo42[m] has joined #aegir |
| [19:03:53] | * jonpugh[m] has joined #aegir |
| [19:03:53] | * ergonlogic[m] has joined #aegir |
| [19:03:54] | * Github[jonpughma has joined #aegir |
| [22:09:16] | * Github[m] has quit (Remote host closed the connection) |
| [22:09:18] | * helmo42[m] has quit (Remote host closed the connection) |
| [22:09:18] | * Github[jonpughma has quit (Read error: Connection reset by peer) |
| [22:09:25] | * jonpugh[m] has quit (Read error: Connection reset by peer) |
| [22:09:25] | * ergonlogic[m] has quit (Remote host closed the connection) |
| [22:09:26] | * gitterbot[m] has quit (Read error: Connection reset by peer) |
| [22:09:28] | * colan[m] has quit (Read error: Connection reset by peer) |
| [22:14:39] | * Github[m] has joined #aegir |
| [22:20:09] | * v20th has joined #aegir |
| [22:25:11] | * gitterbot[m] has joined #aegir |
| [22:25:18] | * Github[jonpughma has joined #aegir |
| [22:25:18] | * ergonlogic[m] has joined #aegir |
| [22:25:18] | * colan[m] has joined #aegir |
| [22:25:19] | * jonpugh[m] has joined #aegir |
| [22:25:19] | * helmo42[m] has joined #aegir |
| [22:29:58] | * drakythe is now known as zz_drakythe |
| [22:44:10] | * zz_drakythe is now known as drakythe |
| [00:29:06] | * jerryitt has joined #aegir |
| [01:24:27] | * Linux_VT has quit (Quit: Leaving) |
| [01:53:49] | <jonpugh[m]> | hey colan, you around? I have a quick question... |
| [01:54:43] | <colan[m]> | jonpugh: shoot |
| [01:55:19] | <jonpugh[m]> | Client wants to register their own certs, but I want to use letsencrypt for other sites on that server |
| [01:55:48] | <jonpugh[m]> | would I just generate a CSR and key an cert and replace it in ~/config/server_master/ssl.d? |
| [01:56:05] | <jonpugh[m]> | ~/config/server_master/ssl.d/sitename.com i mean |
| [01:57:24] | <colan[m]> | jonpugh I don't think that's going to work currently, can only do one type per server: https://gitlab.com/aegir/hosting_https/issues/6 |
| [01:58:00] | <jonpugh[m]> | Ok. |
| [01:58:06] | <jonpugh[m]> | All the more reason to add a second server ;) |
| [01:59:38] | <jonpugh[m]> | So one follow up, colan :) |
| [02:00:04] | <jonpugh[m]> | I should use self_signed to do this then? |
| [02:00:31] | <jonpugh[m]> | Let it generate then replace it with my certificate? |
| [02:01:15] | <roycroft> | i find SSL certificate mangement on aegir-managed sites to be quite frustrating |
| [02:01:41] | <jonpugh[m]> | Yeah, well, that's why we are working so hard to improve it with Aegir HTTPS. |
| [02:01:46] | <roycroft> | our solution, for now, is to spawn a virtual machine for each ssl-enabled site and configure it as an http and mysql server in aegir |
| [02:01:50] | <jonpugh[m]> | Working for free, I might add. |
| [02:02:08] | <roycroft> | frustration does not equal blame :) |
| [02:02:18] | <roycroft> | i appreciate all the work that the aegir developers do |
| [02:02:32] | <roycroft> | but i'm just pointing out that this is an area where the software is seriously lacking |
| [02:02:41] | <roycroft> | and bringing up our work-around |
| [02:03:15] | <roycroft> | it's really meant as "this needs work, and here's what we've done in the meantime" |
| [02:03:21] | <roycroft> | and not "aegir sucks" |
| [02:04:49] | <colan[m]> | jonpugh: that sounds about right. haven't tried that submodule myself so no idea where it's at. definitely the manual method needs work though (purchasing one & adding it). |
| [02:05:16] | <jonpugh[m]> | yeah... |
| [02:05:25] | <jonpugh[m]> | That's the part ergonlogic mentioned in the past, about having a textfield to paste the cert into? |
| [02:05:51] | <colan[m]> | correct. ergonlogic may have got self-signed working a while ago though, not sure. |
| [02:05:59] | <jonpugh[m]> | It does work :) |
| [02:06:11] | <jonpugh[m]> | Except for that whole giant red warning screen thing |
| [02:06:26] | <jonpugh[m]> | I'll be getting a cert for it today, I'll let you know... |
| [02:06:26] | <colan[m]> | I can't remember what we did in montreal, so that's good news then. :) |
| [02:06:44] | <colan[m]> | ok, cool. |
| [02:06:45] | <jonpugh[m]> | You are right about needing a better UI for "official" certs |
| [02:07:12] | <jonpugh[m]> | self signed scares me, like it might overwrite my real cert |
| [02:07:30] | <colan[m]> | The primary goal was LE, so everything else probably NW. |
| [02:07:50] | <colan[m]> | Try it then, but not on Prod. :P |
| [02:07:57] | <jonpugh[m]> | Some docs maybe would help me understand when my cert is at risk of being regenerated |
| [02:08:12] | <jonpugh[m]> | does self signed regen when the csr is deleted, or the cert itself? |
| [02:08:33] | <colan[m]> | No idea, but if you figure it out, please add some docs. :) |
| [02:08:44] | <jonpugh[m]> | lol ok |
| [02:09:01] | <colan[m]> | I mostly just worked on the LE stuff. |
| [02:09:36] | <jonpugh[m]> | ok |
| [02:09:41] | <colan[m]> | We put the framework in for everything else in MTL, but really don't remember how far everything else got, and haven't looked at that stuff since then. |
| [02:13:43] | <jonpugh[m]> | I just read through it, it's just a series of calls to openssl, it generates the key/csr and then self-signs it in the same php method |
| [02:24:52] | <ergonlogic[m]> | I think we'd just need to add a check in `Provision_Service_Certificate_SelfSigned::generate_certificates()`, since in `Provision_Service_Certificate::get_certificates()` we state: "Always attempt to generate new certificates. The upstream script should recognize non-expired ones, and leave them in place. So it checks for us. We don't need to check which ones are still valid." |
| [02:26:16] | <jonpugh[m]> | So if I really need to use CA generated Certs I should stick with hosting_ssl? |
| [02:28:47] | <ergonlogic[m]> | well, I think the only thing missing for parity b/w hosting_https and hosting_ssl would be that check to see whether to re-generate the cert |
| [02:29:13] | <ergonlogic[m]> | which itself is a ridiculously clunky way to deploy a custom cert imo |
| [02:30:15] | <jonpugh[m]> | So self=signed should act the same way hosting_ssl, where I would put my own csr, key and crt in ~/config/ssl.d/site.com and then verify, and it will copy to the server_%/ssl.d folder? |
| [02:30:32] | <ergonlogic[m]> | but, short of time and effort to do https://gitlab.com/aegir/hosting_https/issues/10, I'd prefer to see hosting_https fixed |
| [02:30:47] | <ergonlogic[m]> | more or less, yes |
| [02:31:22] | <jonpugh[m]> | ok thanks |
| [02:33:54] | <ergonlogic[m]> | The paths have changed, obviously. But I'm not certain whether it'll pick up intermediate certs |
| [02:34:44] | <ergonlogic[m]> | so you may have to concatenate them, or whatever the workaround is for that |
| [02:35:17] | <viashimo> | jonpugh[m]: using hosting_https I put template overrides for hook in 3rd party SSL certs, since it's not supported |
| [02:35:35] | <jonpugh[m]> | do self-signed certs expire at all? as long as the keys/csr are there, it shouldn't regenerate everything, right? |
| [02:35:39] | <viashimo> | jonpugh[m]: it's in french a bit, but the docs I use are here: https://wiki.koumbit.net/AegirService/LetsEncrypt#Utiliser_un_cert_custo... |
| [02:36:03] | <ergonlogic[m]> | I think they default to 1-year |
| [02:37:20] | <jonpugh[m]> | viashimo: now that's clever :) |
| [02:38:51] | <viashimo> | jonpugh[m]: it gets the job done, but rickety - any future template / variable changes in hosting_https could break the sites when they are verified |
| [02:41:19] | <jonpugh[m]> | We should record your use case in an issue in https://gitlab.com/aegir/hosting_https |
| [02:42:02] | <viashimo> | I think there one already, let me find it |
| [02:42:34] | <viashimo> | jonpugh[m]: https://gitlab.com/aegir/hosting_https/issues/6 |
| [02:43:25] | <viashimo> | I will document the work-around in that issue |
| [02:44:02] | <ergonlogic[m]> | A first pass at a "manual" certificate method could easily forgo the UI, and just copy from a set directory per site |
| [02:45:30] | <ergonlogic[m]> | it could diff the deployed cert and the canonical one, and re-deploy if there were any changes |
| [02:45:31] | * v20th has quit (Ping timeout: 272 seconds) |
| [02:46:09] | <ergonlogic[m]> | on the front-end, we could just document the need to drop the cert at a specific path |
| [02:47:03] | <ergonlogic[m]> | it'd pretty much be a copy/rename of self-signed, with only a couple methods changed |
| [02:47:49] | <jonpugh[m]> | maybe the self-signing part just becomes an option? |
| [02:48:17] | <ergonlogic[m]> | a second phase could then focus on the enhancements to the UI |
| [02:49:19] | <ergonlogic[m]> | I think mixing self-signed and manual would just complicate things, personally. |
| [04:05:24] | * gusaus has joined #aegir |
| [05:56:03] | * jerryitt has quit (Quit: Connection closed for inactivity) |
| [06:17:16] | * ouelmart has joined #aegir |
| [06:25:37] | <ouelmart> | hello, i'm scripting the creation of platform for ease of use with git. i found usefull information here http://community.aegirproject.org/content/manage-your-aegir-system-comma... in short drush --root="/var/aegir/platforms/${name}/web" provision-save "@${name}" --context_type='platform' |
| [06:25:37] | <ouelmart> | ; drush @${name} provision-verify |
| [06:25:37] | <ouelmart> | ; drush @hostmaster hosting-import @${name} |
| [06:25:37] | <ouelmart> | but after step2; it create a file in (/var/aegir/config/server_master/apache/platform.d : name.conf) witch is duplicated by step 3 with a file name platform_name.conf and when you want to delete that particular platform it works but leave the name.conf file and apache has problems restarting because the file should be there. any hints, ideas? thanks |
| [06:28:56] | <jonpugh[m]> | Delete the bad name.conf file? Apache loads all files in those directories |
| [07:29:30] | * hestenet has joined #aegir |
| [07:32:21] | * hestenet has quit (Client Quit) |
| [07:43:26] | * theMusician_ has joined #aegir |
| [07:43:27] | * theMusician has quit (Ping timeout: 240 seconds) |
| [07:43:28] | * theMusician_ is now known as theMusician |
| [08:06:54] | * theMusician has quit (Quit: theMusician) |
| [08:24:42] | * jerryitt has joined #aegir |
| [08:44:37] | * ybabel has quit (Quit: ybabel) |
| [08:59:30] | * mstenta has quit (Quit: Leaving) |
| [08:59:57] | * mstenta has joined #aegir |
| [09:00:08] | * kvanderw is now known as zz_kvanderw |
| [09:13:03] | * theMusician has joined #aegir |
| [09:54:25] | * theMusician has quit (Quit: theMusician) |
| [09:55:00] | * theMusician has joined #aegir |
