| [11:11:46] | * hefring has joined #aegir |
| [20:14:30] | * ybabel has joined #aegir |
| [20:20:54] | * ybabel has quit (Ping timeout: 255 seconds) |
| [20:30:59] | * ybabel has joined #aegir |
| [20:44:09] | * ybabel has quit (Quit: ybabel) |
| [23:18:49] | * shaneonabike1 has joined #aegir |
| [23:43:09] | * drakythe is now known as zz_drakythe |
| [00:09:29] | * zz_drakythe is now known as drakythe |
| [01:44:44] | * shaneonabike1 has left #aegir ("PART #drupal-commerce :PING 1525880683") |
| [04:29:46] | <roycroft> | hello, folks |
| [04:30:19] | <roycroft> | i just migrated a drupal 7 site from an aegir2 master to an aegir3 master, and from debian wheezy to debian jessie |
| [04:30:33] | <roycroft> | php7 is too problematic for me to use stretch for this site |
| [04:30:42] | <roycroft> | in a test environment all went well |
| [04:31:29] | <roycroft> | but in production, when i install the site and install the ssl certificate from the aegir2/wheezy setup, it does not see the chain certificate - i get a warning from browsers that the certificate uses a self-signed root |
| [04:31:51] | <roycroft> | what i did was migrate the site, and generate a new certificate with the domain name in aegir |
| [04:31:57] | <roycroft> | i installed it on the production machine |
| [04:32:24] | <roycroft> | then i extracted a tarball of the commercial certificate on top of the domain.com directory in ssl.d on both the aegir master and the production machine |
| [04:32:46] | <roycroft> | and it is now looking at the correct certificate - the certificate itself is fine |
| [04:32:54] | <roycroft> | it's the chain file that it is ignoring |
| [04:33:25] | <roycroft> | i see on the aegir2 master that there's a SSLCertificateChainFile in vhost.d/domain.com and in aegir.conf |
| [04:33:33] | <roycroft> | er, apache.conf |
| [04:33:49] | <roycroft> | that is not there on the aegir3 master or on the new virtual production machine |
| [04:34:00] | <roycroft> | and when i add it and reverify the site, it gets nuked |
| [04:34:31] | <roycroft> | i don't see anything in the aegir documentation that discusses this other than "stick the chain file in ssl.d/domain.com with the name openssl_chain.crt" |
| [04:34:58] | <roycroft> | so what am i missing? |
| [04:35:21] | <roycroft> | the site is down right now, and i can't keep it down much longer |
| [04:35:34] | <roycroft> | i'll have to revert to the old host if i don't sort this out quickly |
| [04:36:20] | <roycroft> | i thought that by staging everything and testing ahead of time with a self-signed certificate downtime would be minimal as i move the site, and it was, up until the certificate issue |
| [05:06:00] | <colan1> | roycroft: if you're using the core ssl stuff, https://www.drupal.org/project/hosting_https is the newer/better way to do that with Let's Encrypt certificates. and they're free. |
| [05:10:25] | <roycroft> | we don't use let's encrypt certificates |
| [05:10:39] | <roycroft> | some of our sites need business verification and not just domain validation |
| [05:11:54] | <roycroft> | i'll look into the module though - it seems that let's encrypt is one of its supported certificates, and not necessarily the only one |
| [05:12:36] | <roycroft> | i managed to muddle through this problem somehow but multiple rounds of extracting tarballs with the correct certificates, verifying the site, back to extracting tarballs, etc. |
| [05:12:52] | <roycroft> | i just got it back online, seconds before i was going to give up and revert to the old aegir master |
| [05:13:09] | <roycroft> | i do like aegir a lot, but it is still seriously lacking in decent ssl support |
| [05:13:18] | <roycroft> | that's its biggest drawback for me |
| [05:16:45] | <colan1> | roycroft: the LE stuff is well supported as that's what most of us are using. the other isn't, because just about everyone's cool with just DV. anyway, this is the issue to work on; nobody's picked it up yet. https://www.drupal.org/project/hosting_https/issues/2936037 |
| [05:16:45] | <hefring> | https://www.drupal.org/project/hosting_https/issues/2936037 => Add a 'manual' Certificate implementation [#2936037] => 2 comments, 3 IRC mentions |
| [05:17:46] | <roycroft> | also, gluing a site to an ip address would be good |
| [05:18:49] | <roycroft> | i.e. when dedicating an ip address to a single site, and having multiple sites hosted on the same machine (which has multiple ip addresses), i need to say domain.com gets installed with ip address x.x.x.x |
| [05:18:56] | <roycroft> | because that's how my dns needs to be set, of course |
| [05:19:20] | <roycroft> | aegir just picks an ip address out of the "pool" of available ip addresses on a machine for that |
| [05:19:50] | <roycroft> | so currently, for sites that need a dedicated ip, i build a vm for each site, which is tremendously wasteful in every way one can think of |
| [05:20:03] | <colan1> | never had to worry about IPs for my stuff so not sure how aegir handles that. |
| [05:20:12] | <roycroft> | horribly :) |
| [05:20:14] | * anto has quit (Quit: leaving) |
| [05:20:32] | <roycroft> | that issue linked to above is great |
| [05:20:35] | <roycroft> | i'm not a developer |
| [05:20:46] | <roycroft> | i'd volunteer my time to work on it if i were qualified to do so |
| [05:20:53] | <roycroft> | all i'm qualified to do about it now is complain :) |
| [05:21:15] | <roycroft> | it's been a problem for many years, and i'm not holding my breath waiting for a fix |
| [05:21:32] | <colan1> | all i know is that nobody's supporting it anymore because everyone's moved on to hosting_https, which doesn't need it, i think. but could be wrong. |
| [05:21:43] | <roycroft> | i'm just trying to do reliable workarounds |
| [05:21:44] | <colan1> | roycroft: can you get funding to pay an aegir dev to work on that issue? |
| [05:22:07] | <roycroft> | i can ask, but there's a 99% probability that the answer will be "no" |
| [05:22:20] | <roycroft> | i'm happy to ask anyway |
| [05:23:02] | <roycroft> | i have no equity stake in my company, so i really don't have any incentive to fund it personally |
| [05:23:24] | <roycroft> | but i'll talk to the money people |
| [05:23:38] | <colan1> | roycroft: your boss would save $$ by paying someone else to fix that quickly, rather than wasting your time coming up with workarounds. you'd be free to get other more important stuff done. |
| [05:23:40] | <roycroft> | their idea of funding, if it happens at all, would be more like $100 |
| [05:23:49] | <roycroft> | of course, colan1 |
| [05:23:59] | <roycroft> | but he's a phb |
| [05:24:01] | <roycroft> | and i'm on salary |
| [05:24:07] | <roycroft> | so he thinks that he is paying me anyway |
| [05:24:29] | <roycroft> | easier for him to just complain when i don't get things done because i'm tied up doing other things than to pay someone to fix the stuff that i should not be wasting my time on |
| [05:25:17] | <roycroft> | anyway, i hope nobody here thinks that i'm ranting about aegir |
| [05:25:27] | <colan1> | phb? it would probably be more than 1 hour of work though :) i'd guess a day or 2 at the most. |
| [05:25:40] | <roycroft> | the ssl issue came up again today, and i was not able to resolve it in real time |
| [05:25:44] | <roycroft> | so i mentioned it again |
| [05:25:50] | <colan1> | isn't that what this channel is for? :) |
| [05:26:01] | <roycroft> | irc is for venting, sure |
| [05:26:14] | <roycroft> | but i think one needs to still be somewhat respectful and reasonable about the venting |
| [05:26:48] | <roycroft> | i still don't know why this site works now |
| [05:26:55] | <roycroft> | but i don't plan on touching it again for a while |
| [05:27:03] | <roycroft> | so i'll just let it be a mystery |
| [05:29:34] | <colan1> | gremlins. |