Bug 108944 - SSL Certs
Summary: SSL Certs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other web server issues
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Infrastructure
URL: http://wiki.cacert.org/wiki/VhostTask...
Whiteboard: finance-audit:2015/11/28 (nil)
Keywords:
Duplicates: 89803 137335 147596 166254
Depends on:
Blocks: 117837
Reported: 2005-10-11 16:25 UTC by Corey Shields
Modified: 2015-11-28 23:48 UTC
CC List: 12 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Foundation letter to CACert (letter_2_cacert.pdf, 30.19 KB, application/pdf), 2008-05-23 02:14 UTC, William L. Thomson Jr. (RETIRED)
Foundation letter to CACert (20080522_admin_auth_letter.pdf, 30.78 KB, application/pdf), 2008-05-23 03:08 UTC, William L. Thomson Jr. (RETIRED)
GPG signature to accompany letter_2_cacert.pdf (20080522_admin_auth_letter.pdf.asc, 197 bytes, text/plain), 2008-05-23 03:22 UTC, William L. Thomson Jr. (RETIRED)
Certificate of Incorporation (20040627_certificate_of_incorp.png, 18.92 KB, image/png), 2008-05-23 03:37 UTC, Robin Johnson

Description Corey Shields 2005-10-11 16:25:08 UTC
Let's plan out what SSL certs we need and I will draft a proposal for the board.
Here is what I can think of:

*.gentoo.org for warbler
*.gentoo.org for nuthatch
forums.gentoo.org for dove
dev.gentoo.org (imap/ssl on toucan)

Add any more I missed to this list in the next couple of days and I'll tally a
total.

-C
Comment 1 Lance Albertson (RETIRED) gentoo-dev 2005-10-11 16:53:03 UTC
I'm guessing that any of our internal sites that won't get included in this is
fine for self-signed certs? Things like where nagios is at, ldap certs, stunnel
certs, etc. I really don't see a problem with having self-signed certs for that,
but anything that is considered a public service should have something better.
The www nodes shouldn't need any ssl certs. Outside of that, I can't think of
any site that needs ssl. It's only if we get another website class server like
nuthatch/warbler that we may need one.
Comment 2 Corey Shields 2005-10-11 17:45:07 UTC
Okay, wildcard certs are $199.95 each (for 1 yr), and the individual certs are
$29.95 each. Going with what I laid out, that will be 2 wildcard and 2
individual certs, totalling $459.80.

I think this is a very justifiable purchase. The wildcard certs will allow us
to expand on those 2 hosts and add whatever.gentoo.org with SSL (and not have
to purchase additional certs).

Now, to do this, the cert supplier will verify the request by sending a message
to GENTOO.ORG@domainsbyproxy.com. I assume you have that account, Lance?

-C
Comment 3 Corey Shields 2005-10-11 17:45:51 UTC
Another point: Do we want to push this as a separate purchase proposal, or
push for the $1,500 infra budget and pay for it out of that?

-C
Comment 4 Jens Weibler 2005-10-14 13:07:29 UTC
please see bug 89803... just get a few certs from CaCert.
Comment 5 Lance Albertson (RETIRED) gentoo-dev 2005-10-14 13:23:00 UTC
*** Bug 89803 has been marked as a duplicate of this bug. ***
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2005-10-14 13:31:41 UTC
godaddy offers free certs for open source projects.  I doubt they're wildcard 
ones, but at least for the non wildcard ones it seems like that would be a 
good purchase. 
Comment 7 Corey Shields 2005-10-14 19:41:01 UTC
CaCert is not browser-supported by default; that is why.
 
Caleb has a good point in that we can get one from godaddy (I did it for OSL 
but then we ended up buying a wildcard cert anyway) but we can do that for 
forums. 
 
-C 
Comment 8 Tobias Sager 2005-10-15 08:06:33 UTC
Is it a no-go running two different servers with the same server key? This would
prevent the need of buying two wildcard certificates..
Comment 9 Corey Shields 2005-10-15 08:38:39 UTC
You can do that, but browsers will complain that the certificate (even a
wildcard cert) does not match the IP address that the CRL was generated with.
Such complaints and uncertainties about the authenticity of the cert are the
reason why we are moving away from self-signed certs.
Comment 10 Tobias Sager 2005-10-15 09:53:31 UTC
Are you sure about this?
No server with a dynamic IP could then ever run SSL without prompts upon a changed
IP (and I am running such servers with no hiccups).

I believe it is technically possible. Maybe the CA's policy denies it though.
Comment 11 Corey Shields 2005-10-15 10:11:12 UTC
Yes.  for example, try https://staff.osuosl.org/~cshields and then try 
https://www.osuosl.org (both using the same wildcard cert but on different IP 
addresses) 
 
Comment 12 Tobias Sager 2006-04-05 02:17:36 UTC
So, what's delaying this?
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2006-06-20 00:55:46 UTC
*** Bug 137335 has been marked as a duplicate of this bug. ***
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-01-08 17:58:20 UTC
Ok, wildcard certs are a mess.
I've included the above link, where CACert performed testing of every different method they could find.

Notice that the CN+subjAltNames works, but we have to include all names each time the certificate is generated, and regenerate it if the list of names changes. No existing CA organization (incl CACert) supports doing this yet.

For this reason, we'd need our own CA. I did originally create a Gentoo CA way back in July 2003 (the code is still locked away in my homedir on lark even), when we were experimenting with LDAP on eagle and peregrine. I still have the files, so we can re-use them.

Any specific objections to this? If not, I'll update my stuff on lark for the new style, and start firing out certs.
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-01-08 19:50:55 UTC
cshields: from your comment #11, your second link is broken because your website redirects http://www.osuosl.org/  to http://osuosl.org/, and http://osuosl.org/ does NOT match the wildcard. Could you change that on your site, and see if various things start to accept your cert?
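The name-matching rules behind comments 14 and 15 (a SAN certificate covers only the names it lists, and a wildcard does not cover the bare domain), shown as an added example; this is not code from the bug or from Gentoo infra, and the certificate name lists and wanted hosts are constructed:

```python
"""Check which hostnames a certificate's CN/subjectAltName entries cover.

Matching follows the usual browser rules:
 - a wildcard stands for exactly one label, so *.gentoo.org covers
   forums.gentoo.org but neither gentoo.org nor a.b.gentoo.org;
 - every other name must match exactly (case-insensitively);
 - any wanted host that is not covered means the certificate has to be
   regenerated with a SAN list that includes it (the point of comment 14).
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a single CN/SAN entry covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # Wildcard: the suffix after "*." must match, and what is left of the
    # hostname must be exactly one non-empty label (no dots in it).
    suffix = cert_name[2:]
    if not hostname.endswith("." + suffix):
        return False
    leftmost = hostname[: -(len(suffix) + 1)]
    return bool(leftmost) and "." not in leftmost


def uncovered_hosts(cert_names: list[str], wanted_hosts: list[str]) -> list[str]:
    """Return the wanted hosts that none of the certificate's names cover."""
    return [h for h in wanted_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed samples: a wildcard certificate and an explicit SAN certificate.
WILDCARD_CERT = ["*.gentoo.org"]
SAN_CERT = ["www.gentoo.org", "forums.gentoo.org", "bugs.gentoo.org"]

# Constructed list of hosts an infra team might want served over TLS.
WANTED = ["www.gentoo.org", "forums.gentoo.org", "bugs.gentoo.org",
          "gentoo.org", "imap.dev.gentoo.org"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        missing = uncovered_hosts(names, WANTED)
        print(f"{label} cert {names}: not covered -> {missing}")
```

Both constructed certificates leave the bare domain and the deeper subdomain uncovered, which is exactly the regeneration case comment 14 describes.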
Comment 16 Tobias Sager 2007-01-08 20:02:55 UTC
There is no alternative to using an "official" CA if you want a "trusted"
certificate. A certificate of a (self-signed) Gentoo CA would first be
untrusted.

What's speaking against using the free one from Godaddy?
Comment 17 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-01-08 20:12:34 UTC
tobias: not all of the discussion is on here, we are talking a lot about it in #gentoo-infra.
Comment 18 Jakub Moc (RETIRED) gentoo-dev 2007-02-10 21:33:26 UTC
*** Bug 166254 has been marked as a duplicate of this bug. ***
Comment 19 Lars Weiler (RETIRED) gentoo-dev 2007-03-09 01:24:52 UTC
*** Bug 147596 has been marked as a duplicate of this bug. ***
Comment 20 Lars Weiler (RETIRED) gentoo-dev 2007-03-09 02:32:32 UTC
Let me sum up some discussions we had in #gentoo-infra some time ago (January 2007).

CACert might work, as we can use both wildcards and/or CN+subjAltNames.  We are also in control to recreate our CACert-certificate for further subjAltNames.

The document http://wiki.cacert.org/wiki/OrganisationEntities describes how to request a CACert-certificate for an organisation.  I already requested a certificate for a non-profit organisation over here in Germany, so I know this step, although it is easier in Germany, as there is an Organisation-assurer (who I know personally for a couple of years and who I can ask for further help).

What we need first is an admin for the certificates.  robbat2 or I can do that job, as we both have full CACert-points and we both know the CACert-system and the handling of certificates in common.

Then we need a copy of the Certificate of Incorporation from the Foundation. I'm not sure if the State of New Mexico provides an online database where they confirm the existence of the Foundation, but that should fit as well. As the Certificate of Incorporation does not contain any name of the requester on it, the Trustees have to send an additional letter where they request the certificate and say who should be the admin. An example is given in the URL above.

Once done, sent in and approved by CACert we can implement the certificates on our servers.
Comment 21 Corey Shields 2007-03-09 03:18:24 UTC
(In reply to comment #20)
> Then we need a copy of the Certificate of Incorporation from the Foundation. 
> I'm not sure if the State of New Mexico provides an online-database where they
> approve the existance of the Foundation, but that should fit as well.  As the
> Certificate of Incorporation does not contain any name of the requester on it,
> the Trustees have to send an additional letter where they request the
> certificate and who should be the admin.  An example is given in the URL above.

If it will suffice, g2boojum has scanned copies of the filing for incorporation, stamped by the county they were filed in.  This is (or was at least) in his devspace somewhere, but I'm sorry I don't recall the URL.  Don't ever recall a certificate, but what he had should be official enough.

Hope that helps some,

-Corey
Comment 22 Grant Goodyear (RETIRED) gentoo-dev 2007-03-09 03:47:51 UTC
http://dev.gentoo.org/~g2boojum/articles/p5.png

That's our certificate of incorporation.

I can't seem to get to wiki.cacert.org, but if somebody will send me
the necessary form, I'll fill it out.
Comment 23 Mike Doty (RETIRED) gentoo-dev 2007-03-09 04:03:08 UTC
(In reply to comment #22)
> http://dev.gentoo.org/~g2boojum/articles/p5.png
> 
> That's our certificate of incorporation.
> 
> I can't seem to get to wiki.cacert.org, but if somebody will send me
> the necessary form, I'll fill it out.
> 
I can "get" there, but I'm served a null page.
Comment 24 Lars Weiler (RETIRED) gentoo-dev 2007-03-09 22:20:02 UTC
(In reply to comment #22)
> http://dev.gentoo.org/~g2boojum/articles/p5.png
> 
> That's our certificate of incorporation.

Thanks Grant! This scan should satisfy the requirements, but I'll write an email to support (at) cacert.org if they are in need of further attestations.
 
> I can't seem to get to wiki.cacert.org, but if somebody will send me
> the necessary form, I'll fill it out.

Unfortunately the main DNS server for CACert went down today (which is outside CACert's responsibility). But it's up again and most other DNS servers should be in sync already.

But let me add the example letter here, so that you know what I am talking about:

Example of letter from the executive/owner of the organisation

Required if the name of the requester does not appear on the Certificate of Incorporation. Scan and email the letter to support at cacert.org
 
The letter is written and signed by the person in charge of the organisation (replace company with association in your case) 


Dear Sir, 

I am requesting that an organisational account be created for my company, /Company Name/. This organisational account is associated to the following domains /domain name list/.

The technical contact for these Internet domains and the administrator for the CAcert organisation account is /Admin Name/, /Admin title/ who is holding an assured CAcert account /mail address/.

I have attached /Company Name/'s Certificate of Incorporation. *Optionally* The following business register will show /Company Name/'s active filing: /web address of register/

*Add any extra information if needed*

Sincerely, ... 
Comment 25 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-03-19 20:54:29 UTC
pylon: what was blocking in this bug?
Comment 26 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-03-19 21:32:31 UTC
Just updating per a direct mail from Pylon. The only thing remaining here is the trustees doing the letter to CACert.
Comment 27 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-03-19 21:52:35 UTC
Does the foundation status make any difference wrt to moving forward with CACert? If they just need a letter and the previously sent information on the foundation is enough. We can have someone draft something up ASAP.
Comment 28 Anton Bolshakov 2008-04-05 01:32:16 UTC
If you are still choosing a CA, you might want to have a look at
 http://www.startssl.com/
Almost all browsers have their ROOT cert by default:
 http://cert.startcom.org/?app=140

They have class2 (*.gentoo.org) certs and support open source.
Comment 29 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-04-05 20:55:54 UTC
wltjr:
what's the status on that letter?

anton.bugs:
"support open source"? I know about their StartCom Linux, but are you implying they offer free certs to open source groups? I don't find any such mentions on their site.
Comment 30 Anton Bolshakov 2008-04-07 02:13:34 UTC
> "support open source"? I know about their StartCom Linux, but are you implying
> they offer free certs to open source groups? I don't find any such mentions on
> their site.

Correct me if I'm wrong, but I think they offer free certs for everyone; you just have to pay US$24.90 once for the validation:
<quote>
http://www.startssl.com/?app=2

-StartSSL™ Verified has various advantages over the free, low-assurance (Class 1) certificates.
- StartSSL™ identity and organization validation are available for only US $ 24.90 each, where organization validation implies prior identity validation. Once validated, certificates are freely available through the advanced bulk purchase.

If you need to have your organization validated, prepare also such supporting documents like company license, company registry, ownership confirmation etc.
</quote>

By "support open source" I mean they also have their own StartCom Linux operating system, and should be friendly to other distributions. I suggest trying to talk with them; they might give us some discounts if it's really necessary.
Comment 31 Hanno Böck gentoo-dev 2008-04-07 12:17:20 UTC
As pylon has resigned, is there anyone managing the cacert-orgaassurance for gentoo? I'd volunteer for that if necessary (and I'd strongly oppose any »xy offers free / more or less free certs with certain limitations«, as I don't like this whole ssl-authority structure and cacert is the only alternative that really qualifies as free in a similar sense as free software).
Comment 32 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-04-07 18:54:48 UTC
hanno: I'm an assurer with CACert already, and both pylon and myself were going to be in there originally. If you're an assurer with them as well, it would be good to have a backup for me.
Comment 33 Hanno Böck gentoo-dev 2008-04-07 19:09:26 UTC
robbat2: yeah, I am an assurer, 150 points and cats-tested, so I volunteer to be your backup :-)
Comment 34 Anton Bolshakov 2008-04-20 22:38:28 UTC
(In reply to comment #31)
> and I'd strongly oppose to any
> »xy offers free / more or less free certs with certain limitations«, as I
> don't like this whole ssl-authority-structures and cacert is the only
> alternative that really qualifies as free in a similar sense than free
> software).
> 

http://cert.startcom.org/policy.pdf:
<quote>
Philosophy
...StartCom Ltd. is also active in the Open 
Source Movement and a believer in the free flow of information and ideas over the Internet. 
StartCom Ltd. believes in the right to protect and secure information between two entities 
without discrimination of race , origin or religion. StartCom further believes that this right 
should not be bound to the financial capabilities of individuals, institutions, companies, or 
organizations. StartCom Ltd. aims to provide during its operation of SFSCA a free and viable 
alternative to commercial certification authorities and providers, without discrimination, limits 
or reduced values at any given time. 

Fees
SFSCA does not charge any fees for its basic Class 1 certificates and services.
This is the purpose of SFSCA and cannot be changed. StartCom Ltd. 
However reserves the right to offer additional fee based products and/or 
services through SFSCA at any given time and to impose a fee for other 
certificates, such as Class 2 and 3 certificates in order to finance its 
operation.
</quote>

I have nothing against Cacert and just wanted to check if there are any alternative ways. It's your call anyway. </End of spam>
Comment 35 Anton Bolshakov 2008-04-20 23:09:20 UTC
(In reply to comment #14)
> For this reason, we'd need our own CA. I did originally create a Gentoo CA way
> back in July 2003 (the code is still locked away in my homedir on lark even),
> when we were experimenting with LDAP on eagle and peregrine. I still have the
> files, so we can re-use them.

btw, the same http://cert.startcom.org/policy.pdf says:
Intermediate CA:
The following organizations can request to run an intermediate certification 
authority, which allows a limited role as intermediate CA:
<..>
−Established and well known Open Source or Open Standards foundations/projects/vendors which have at least a one year record of active 
operation. The project should be of major importance to the open source 
community and show an obvious need for running an intermediate 
certification authority
Comment 36 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-19 20:33:10 UTC
Ok I am ready to act on this. Just need to know the extent of what infra needs me to do. I realize I need to draft said letter. Does it need to be signed? Do you want me to attach it here, or fax it in? If no sig, I can draft the letter and attach it here. Not sure I am comfortable with my signature being on it if it is attached here, if that matters, but I might prefer to fax a signed letter in versus attaching it to the bug. Unless infra was planning on doing the interaction with CACert.

Just need to know how infra wants me to proceed from here. I assume we are sticking with CACert on this. Everything on file with NM is current. We can send in an updated version of that along with the letter.

Please advise so I can act on this ASAP. Thanks
Comment 37 Mike Doty (RETIRED) gentoo-dev 2008-05-19 20:53:18 UTC
(In reply to comment #36)
> Ok I am ready to act on this. Just need to know the extent of what infra needs
> me to do.[snip]
you'll need to wait for robbat2 to return from his holiday for exact instructions.  He should be back sometime this week.  It's probably best to catch him on IRC to work out the exact details.
Comment 38 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-19 20:59:30 UTC
Thanks and I will be in touch with robbat2 ASAP once he returns.
Comment 39 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-23 02:14:32 UTC
Created attachment 154023 [details]
Foundation letter to CACert
Comment 40 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-23 02:16:43 UTC
Ok I have drafted the requested letter to CACert. Attached in bug as pdf. Please let me know if I need to make any changes there. Here is a link, also included in the document, to our current filing and records with New Mexico.
http://www.nmprc.state.nm.us/cgi-bin/prcdtl.cgi?2055978+GENTOO+TECHNOLOGIES+INC
Comment 41 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-23 03:08:37 UTC
Created attachment 154029 [details]
Foundation letter to CACert
Comment 42 William L. Thomson Jr. (RETIRED) gentoo-dev 2008-05-23 03:22:13 UTC
Created attachment 154031 [details]
GPG signature to accompany letter_2_cacert.pdf
Comment 43 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 03:23:27 UTC
Correct link to New Mexico Corp registry:
http://www.nmprc.state.nm.us/cgi-bin/prcdtl.cgi?2463313+GENTOO+FOUNDATION+INC
Comment 44 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 03:37:12 UTC
Created attachment 154033 [details]
Certificate of Incorporation

Adding copy of the certificate of incorporation to show CACert.
Comment 45 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 03:37:44 UTC
Comment on attachment 154033 [details]
Certificate of Incorporation

Fix filetype
Comment 46 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 03:53:34 UTC
I've created the cacert@gentoo.org mail alias for CACert to have an official contact point for us, as well as place all the suitable details (primarily the attachments in this bug) in an email to them that I have just sent to them.

Other main block from the email:
Organisation Title   : Gentoo Foundation, Inc.
Contact Email        : cacert@gentoo.org
                     : (mail alias that reaches sysadmins for CACert matters)
Registration organisation address =>
Town/Suburb          : Albuquerque
State/Province       : New Mexico
Country              : US
Used domains are     : gentoo.org
Admins are           : robbat2@orbis-terrarum.net (also robbat2@gentoo.org)
Comment 47 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-05-23 14:32:20 UTC
CACert has now approved the documents and enabled my account for generating the certificates. Since this bug is crowded already, I've created new bug 223347 to handle actual requests for certificates.
Comment 48 Benny Pedersen 2012-08-03 09:04:43 UTC
still running bugs.g.o with self-signed ssl certs? If it's not possible to resolve, it should be possible to show the public key at least
Comment 49 Anton Bolshakov 2012-08-03 09:25:24 UTC
(In reply to comment #48)
> still running bugs.g.o with selfsigned ssl certs ?, if not possible to
> resolve it should be possible to show the public key atleast

no, it's signed by CAcert Class 3 Root certificate.
Now, stop complaining. Go and install.
Comment 50 Anton Bolshakov 2015-11-06 01:37:50 UTC
FYI, there was some news that a few trusted CAs would provide a cert for free to open source projects.

For example, https://www.globalsign.com/en-sg/company/press/061913-globalsign-offers-free-ssl-certificates-open-source-projects/

This could be an alternative way.
Comment 51 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2015-11-07 00:02:21 UTC
@Anton:
If you actually checked, you'll see we're using certs from Digicert now. My whiteboard amendment was as part of the process to audit all possible expenses that I can find for accounting purposes.