http://localhost:8080/trac/ticket/540 <p> Currently the <a class="wiki" href="http://localhost:8080/trac/wiki/WordPress">wiki:WordPress</a> sites have have the following SSL certificates: </p> <ul><li><a class="ext-link" href="https://www.intransitionmovie.com/"><span class="icon">​</span>https://www.intransitionmovie.com/</a> -- Gandi commercial certificate and dedicated IP address </li><li><a class="ext-link" href="https://www.reconomy.org/"><span class="icon">​</span>https://www.reconomy.org/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://www.earthinheritors.net/"><span class="icon">​</span>https://www.earthinheritors.net/</a> -- CAcert non-commercial certificate and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.transitionnetwork.org/"><span class="icon">​</span>https://parrot.transitionnetwork.org/</a> -- Gandi TN wild card cert and shared IP address (SNI) </li><li><a class="ext-link" href="https://parrot.webarch.net/"><span class="icon">​</span>https://parrot.webarch.net/</a> -- CAcert non-commercial certificate, this is the default site for clients without SNI support </li></ul><p> None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com </p> <p> I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO: </p> <h2 id="SNIandSeperateCertsandSharedIP">SNI and Seperate Certs and Shared IP</h2> <p> Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each. </p> <p> The clients that don't work with SNI are listed here: <a class="ext-link" href="https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side"><span class="icon">​</span>https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side</a> </p> <h2 id="Multi-domainCertandSharedIP">Multi-domain Cert and Shared IP</h2> <p> Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI). </p> <h2 id="SeperateCertsandDedicatedIPs">Seperate Certs and Dedicated IPs</h2> <p> Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option. </p> <h2 id="Non-commercialCAcertCert">Non-commercial CAcert Cert</h2> <p> This is the cheapest, it's fine if people are able to install the <a class="ext-link" href="http://cacert.org/"><span class="icon">​</span>http://cacert.org/</a> root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option. </p> en-us /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/540 Trac 0.12.5 chris Thu, 02 May 2013 08:45:11 GMT http://localhost:8080/trac/ticket/540#comment:1 http://localhost:8080/trac/ticket/540#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.1</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.1</em> </li> </ul> <p> The certificate from <a class="ext-link" href="http://cacert.org/"><span class="icon">​</span>http://cacert.org/</a> was generated using the csr script from <a class="ext-link" href="http://wiki.cacert.org/CSRGenerator"><span class="icon">​</span>http://wiki.cacert.org/CSRGenerator</a> and the domains it contains follow: </p> <pre class="wiki">csr Private Key and Certificate Signing Request Generator This script was designed to suit the request format needed by the CAcert Certificate Authority. www.CAcert.org Short Hostname (ie. imap big_srv www2): parrot FQDN/CommonName (ie. www.example.com) : parrot.webarch.net Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish SubjectAltName: DNS:parrot.webarch.net SubjectAltName: DNS:*.parrot.webarch.net SubjectAltName: DNS:parrot.transitionnetwork.org SubjectAltName: DNS:*.parrot.transitionnetwork.org SubjectAltName: DNS:reconomy.org SubjectAltName: DNS:www.reconomy.org SubjectAltName: DNS:reconomyproject.org SubjectAltName: DNS:www.reconomyproject.org SubjectAltName: DNS:intransitionmovie.com SubjectAltName: DNS:www.intransitionmovie.com SubjectAltName: DNS:intransitionmovie.org SubjectAltName: DNS:www.intransitionmovie.org SubjectAltName: DNS:transitionmovie.org SubjectAltName: DNS:www.transitionmovie.org SubjectAltName: DNS:earthinheritors.net SubjectAltName: DNS:www.earthinheritors.net SubjectAltName: DNS: </pre> Ticket ed Wed, 08 May 2013 16:47:56 GMT http://localhost:8080/trac/ticket/540#comment:2 http://localhost:8080/trac/ticket/540#comment:2 <ul> <li><strong>milestone</strong> set to <em>Maintenance</em> </li> </ul> Ticket chris Wed, 02 Apr 2014 10:21:17 GMT http://localhost:8080/trac/ticket/540#comment:3 http://localhost:8080/trac/ticket/540#comment:3 <p> There are now only 3 active sites (sites that admins are updating) on this server (Transition Culture is an archive): </p> <ul><li><a class="ext-link" href="http://www.reconomy.org/"><span class="icon">​</span>http://www.reconomy.org/</a> </li><li><a class="ext-link" href="http://www.transitionstreets.org.uk/"><span class="icon">​</span>http://www.transitionstreets.org.uk/</a> </li><li><a class="ext-link" href="http://www.transitiontowntotnes.org/"><span class="icon">​</span>http://www.transitiontowntotnes.org/</a> </li></ul><p> It would cost £30+VAT to get SSL certs for all the sites and it would take perhaps an hour to set up a Nginx reverse proxy for HTTPS and add Apache redirects. </p> <p> Ed -- is this something that can be considered this financial year? </p> Ticket ed Wed, 02 Apr 2014 19:47:23 GMT http://localhost:8080/trac/ticket/540#comment:4 http://localhost:8080/trac/ticket/540#comment:4 <p> something to consider. along with the actual value of the Parrot server, I think. If there aren't any more sites running, it may be more suitable for TN to re-consider the Parrot experiment. So stand by. </p> Ticket