Opened 8 years ago

Last modified 6 years ago

#3663 assigned Bug/Something is broken

setting up https via control panel should be simplified

Reported by: https://id.mayfirst.org/dkg Owned by: https://id.mayfirst.org/dkg
Priority: Medium Component: Tech
Keywords: red https Cc:
Sensitive: no

Description

I'm trying to add https coverage for a web site already served by mfpl over http, through the control panel.

The steps I took were:

  • generate key and CSR
  • get my CA to sign the CSR (I used Gandi)
  • go to the control panel, choose "web configuration"
  • add new item
  • copy existing config tweaks from http configuration into the new field.
  • select https
  • manually tweak the apache config with the requisite directives (SSLEngine On, SSLCertificateFile, SSLCertificateKeyFile)
  • enter the IP address of the shared host, because I figure we're not using a version of apache capable of SNI at the moment.
  • click "submit"

At this point, I get an error message:

Please use the wild card (*) instead of the shared IP for your host.

So I switch the IP address back to *, click submit, and get:

Wild card (*) is not allowed for https sites. Please open a ticket and request a dedicated IP address.

Heh. Hence #3662.

But what I'd really like in the longer term is to be able to click an "offer this web site via https" option, and be prompted to supply a path to the key and the certificate. The per-member steps listed on setup_dedicated_ip (which seems maybe mistitled for the task of enabling https) seem to be mostly intricate/brittle busywork that the computers involved should be doing, not the fallible/easily-bored humans :)
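As an added example (not the control panel's own code), a small checker that parses an Apache vhost fragment like the one described above and reports every address and SSL-directive problem in one pass, rather than bouncing the user between the two error messages. SHARED_IP, the sample config and its certificate paths are constructed for this example.

```python
import re

# Constructed values for this example: a documentation-range address stands in
# for the shared host's IP; the real control panel knows its own.
SHARED_IP = "192.0.2.10"
REQUIRED_SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile")

def parse_vhost(config_text):
    """Return (listen address without port, {directive: value}) for one <VirtualHost>."""
    m = re.search(r"<VirtualHost\s+([^\s>]+)", config_text)
    if not m:
        raise ValueError("no <VirtualHost> block found")
    address = re.sub(r":\d+$", "", m.group(1))  # drop ':443' or ':80'
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":  # skip blanks, comments, block tags
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return address, directives

def check_vhost(config_text, shared_ip=SHARED_IP):
    """Return all problems at once, so the user is not sent back and forth."""
    address, directives = parse_vhost(config_text)
    problems = []
    if directives.get("SSLEngine", "").lower() == "on":
        if address in ("*", shared_ip):
            problems.append("https sites need a dedicated IP address; "
                            "neither '*' nor the shared IP will work")
        for d in REQUIRED_SSL_DIRECTIVES:
            if d not in directives:
                problems.append("missing " + d)
    elif address == shared_ip:
        problems.append("use '*' instead of the shared IP for http sites")
    return problems

# Constructed sample: the description's https vhost pointed at the shared IP.
SAMPLE_SHARED_IP = """<VirtualHost 192.0.2.10:443>
    ServerName example.org
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
</VirtualHost>
"""
# The same vhost on a dedicated address (also constructed), which should pass.
SAMPLE_DEDICATED = SAMPLE_SHARED_IP.replace("192.0.2.10:443", "192.0.2.25:443")
```

Running `check_vhost(SAMPLE_SHARED_IP)` reports the dedicated-IP problem once, and switching the address to `*` yields the same single message instead of a different one.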

Change History (8)

comment:1 Changed 8 years ago by https://id.mayfirst.org/dkg

note that the underlying database for red might end up being the same as it currently is -- that part doesn't need to change if we don't want it to. I'm asking primarily for a user-interface change to make it easier to just "turn on https" for folks who have already jumped through whatever hoops it takes to get a certificate.

comment:2 Changed 8 years ago by https://id.mayfirst.org/jamie

Yes - I've recently added the check to prevent you from using the server IP address because it results in Apache errors.

And I agree about the complexity - you really might get the impression that we don't want you to use https given how many hoops we push you through.

I think the solution is going to have to happen in stages because it will require some fundamental changes, starting with how we allocate IP addresses.

I think we need to add an IP allocation service in the control panel and get rid of the wiki page. First, adding it as a stand-alone service, then adding to the web config service so that when you set up an https site it doesn't ask you for the IP address - instead, it creates one automatically.

Let's take that as the first step.

jamie

comment:3 Changed 8 years ago by https://id.mayfirst.org/dkg

That sounds like a reasonable step to me. We might also want to clean up the error messages to make the process less like whack-a-mole (I've just pushed r2067 to address that, but I haven't tested it -- please test!)

comment:4 Changed 8 years ago by https://id.mayfirst.org/jamie

Those changes are tested and pushed. Thanks dkg.

jamie

comment:5 Changed 6 years ago by https://id.mayfirst.org/ross

  • Status changed from new to assigned

comment:6 Changed 6 years ago by https://id.mayfirst.org/jamie

  • Priority changed from Medium to Low

comment:7 Changed 6 years ago by https://id.mayfirst.org/dkg

  • Priority changed from Low to Medium

I'm taking this on as part of my push to improve https options for our members.

comment:8 Changed 6 years ago by https://id.mayfirst.org/jamie

  • Owner changed from https://id.mayfirst.org/jamie to https://id.mayfirst.org/dkg

Thanks dkg! I think you may have meant to re-assign it to yourself, but it's still assigned to me.
