https access broken #37

Open
graybeal opened this issue Jun 29, 2018 · 14 comments

Comments

@graybeal
Contributor

I can't access COR on https://cor.esipfed.org, connection is refused.

@graybeal graybeal added bug ops operations labels Jun 29, 2018
@carueda
Member

carueda commented Jun 29, 2018

AFAIK HTTPS access hasn't been set up at all, so I wouldn't consider this a bug (but an enhancement). But let's tag @abburgess here as an opportunity to push/learn about the plans for HTTPS access.

@graybeal
Contributor Author

graybeal commented Jun 29, 2018 via email

@fgayanilo
Collaborator

All Symantec PKIs are affected (e.g., DigiCert, GeoTrust, RapidSSL, Thawte, VeriSign, Equifax); see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html

@carueda
Member

carueda commented Oct 6, 2020

@lewismc Did you move this to some other tracker?

@brandonnodnarb
Member

AFAICT, this also affects SWEET. I'm not sure what this entails, specifically, as it is unclear at present if it's a host/provider issue or can be toggled via DNS (or both)?

Could this be a bullet point at the next COR meeting? :)

@carueda
Member

carueda commented Mar 7, 2022

@brandonnodnarb I think it is a matter of getting a certificate and installing it for cor.esipfed.org in the appropriate Apache config file. Likewise, a separate certificate would be needed for sweetontology.net.

@graybeal
Contributor Author

I think I will need to get some support from ESIP so I can make appropriate changes in the AWS environment, but not 100% sure of that. I haven't pursued getting a better role on the AWS environment (my current role/authority is very limited) because they were so swamped for the summer meeting, but it's on my list.

@fgayanilo
Collaborator

@graybeal
Contributor Author

Thanks Nonong! So far I've enabled port 443 and basic handling of it, but not the SSL/TLS certs and all. (At least people don't get a dead site when they do an HTTPS request now. Yay.) This week for the certs and redirects, I hope. And I'm hooked up with ESIP support for it, so that's progressing. More soon.

@fgayanilo
Collaborator

Good to know -- thanks

@graybeal
Contributor Author

graybeal commented Feb 1, 2025

Used https://docs.aws.amazon.com/linux/al1/ug/SSL-on-amazon-linux-ami.html to implement port 443 handling. https://cor.esipfed.org now gets forwarded to http://cor.esipfed.org; other paths do not get forwarded yet.

I had to stop/restart httpd twice, but it looks like everything is behaving.

Now I just need to figure out the magic so that the ont paths are properly served through https even though they are http IRIs. Raining all weekend here, looks like an opportunity!
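An Apache virtual-host sketch for the port-443 handling, the redirect direction and the ontology paths discussed in this thread. This is an added example, not the COR project's configuration; it assumes certbot's default certificate layout under /etc/letsencrypt/live/, a webroot at /var/www/letsencrypt for HTTP-01 challenges, and a placeholder backend (BACKEND_PORT) for the /ont service.

```apache
# Added example, not the COR project's configuration. Assumes mod_ssl, mod_rewrite,
# mod_headers and mod_proxy are loaded, certbot's default /etc/letsencrypt/live/
# layout, and a placeholder backend for the ontology service.

# Port 80: answer the ACME HTTP-01 challenge in clear text, send everything
# else to HTTPS. A redirect in the other direction (https -> http) sends every
# visitor back to plaintext, so the redirect belongs on the port-80 side.
<VirtualHost *:80>
    ServerName cor.esipfed.org
    # Webroot that "certbot certonly --webroot -w /var/www/letsencrypt" writes into (assumed path)
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: the same application behind a proper certificate. The ontology
# IRIs stay http://cor.esipfed.org/ont/... as identifiers; an http IRI is
# redirected by the vhost above and lands on the same /ont path here, so the
# resource resolves over https without changing the IRI itself.
<VirtualHost *:443>
    ServerName cor.esipfed.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cor.esipfed.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cor.esipfed.org/privkey.pem
    # TLS 1.2 and newer only; SSLv3 and TLS 1.0/1.1 are deprecated
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Turn on HSTS only after every http path is confirmed to redirect and serve cleanly
    Header always set Strict-Transport-Security "max-age=31536000"

    # Placeholder backend for the ontology service (assumed; replace BACKEND_PORT with the real target)
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        /ont/ http://127.0.0.1:BACKEND_PORT/ont/
    ProxyPassReverse /ont/ http://127.0.0.1:BACKEND_PORT/ont/
</VirtualHost>
```

After editing, `apachectl configtest` validates the syntax before the httpd restart, and `openssl s_client -connect cor.esipfed.org:443 -servername cor.esipfed.org` shows which chain the server actually presents.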

@fgayanilo
Collaborator

I am still using LE and the instructions from https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04 for SSL.

@carueda
Member

carueda commented Feb 1, 2025

My 0.02 is to not worry about redirections, but instead have a proper cert.


@graybeal
Contributor Author

graybeal commented Feb 8, 2025

Yes, I get that we want the cert, but the problem I'm having is setting up certificate issuance on the AWS platform.

Let's Encrypt wants an Acme server and recommends certbot; the certbot instructions here (the closest I can find for this old Amazon Linux 1 system) work fine until the venv module installation:

  $ sudo yum update
  $ sudo yum remove certbot
  $ sudo yum install python38 augeas-libs
  $ sudo python3 -m venv /opt/certbot/

at which point I get Error: Command '['/opt/certbot/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']' returned non-zero exit status 1.

When I run python3 I can confirm it's version 3.8.5, but when I try the install upgrade step there's no pip:

  $ sudo /opt/certbot/bin/pip install --upgrade pip
  sudo: /opt/certbot/bin/pip: command not found

The only things in /opt/certbot/bin are python and python3, both of which are 3.8.5. There is a pip on the system but it's from the 2.7 python:

  $  pip -V
  pip 20.1 from /usr/local/lib/python2.7/site-packages/pip (python 2.7)

I'm in an /opt/certbot directory but there's no pip there, although I see the dependency was installed in the previous step:

Dependency Installed:
  python38-libs.x86_64 0:3.8.5-1.11.amzn1              python38-pip.noarch 0:9.0.3-1.28.amzn1      
  python38-setuptools.noarch 0:36.2.7-1.35.amzn1      

Complete!

So I'm not entirely sure why the python38 package didn't seem to install cleanly, or at least why I'm not properly entering the venv. There is no 'activate' or activation script in /opt/certbot.

I found there is a pip-3.8 package in /usr/bin, so I attempted to pick up the thread from the pip update step. Unfortunately this apparently resulted in an incompatible version of pip.

$ sudo /usr/bin/pip-3.8 install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/85/8a/1ddf40be20103bcc605db840e9ade09c8e8c9f920a03e9cfe88eae97a058/pip-25.0-py3-none-any.whl (1.8MB)
    100% || 1.8MB 687kB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.3
    Uninstalling pip-9.0.3:
      Successfully uninstalled pip-9.0.3
Successfully installed pip-25.0
$ sudo /usr/bin/pip-3.8 install certbot
Traceback (most recent call last):
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 658, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 972, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 863, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.VersionConflict: (pip 25.0 (/usr/local/lib/python3.8/site-packages), Requirement.parse('pip==9.0.3'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/pip-3.8", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 3050, in <module>
    def _initialize_master_working_set():
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 660, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 673, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/lib/python3.8/dist-packages/pkg_resources/__init__.py", line 858, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'pip==9.0.3' distribution was not found and is required by the application
[ec2-user@ip-172-31-44-124 certbot]$ 

At this point I plan to reinstall python38 and augeas-libs with 'sudo yum reinstall python38 augeas-libs', then proceed directly to sudo /usr/bin/pip-3.8 install certbot. The certbot won't be in a virtual environment but that should not pose an obstacle.
