Closed RequestForCoffee closed 4 years ago
@RequestForCoffee For some reason, aslweb* didn't have the shared directory mounted, so I wasn't able to test just now. But the nginx setup should work.
Normal hosts never used a shared folder until now, why would you need one?
I'll soon add the code to install the intermediate certificate in the web servers root of trust. Just testing it works on a new instance.
I built a new env on this branch with my changes. After building the web and cert server from source, certificate issuing works out-of-the-box.
But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.
> But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.

Can you tell me if you can connect to http://aslweb01/crl/revoked.crl without being redirected to HTTPS? Also, does nginx complain?
> Normal hosts never used a shared folder until now, why would you need one?

Oh, well then I was confused about this. Thanks!
I'm redirected to HTTPS
> I'm redirected to HTTPS

I rebuilt this from scratch and I'm not redirected to HTTPS. Are you sure this is the case? How did you access the file?
I've used curl -L http://aslans01/crl/revoked.crl, but the server gives an empty response with Content-Length: 0. I assume the CRL is empty at this point?
It seems that HTTP/2 is not commonly supported without HTTPS, so I will remove that option for the CRL list. This may give better compatibility.
> But I still see "The SSL Certificate Error" when I use the certificate to connect to the website.

Could you re-test this with the updated configuration?
I just accessed it directly in the browser
> I just accessed it directly in the browser

Then this was probably due to HSTS. Please use curl for testing.
You're right, with curl it does something (I haven't rebuilt the environment yet though). But what I get is not a valid CRL.
> You're right, with curl it does something (I haven't rebuilt the environment yet though). But what I get is not a valid CRL.

Apply the latest patch (which removes HTTP/2 for HTTP, rerunning Ansible is enough), and we should be able to merge this ;-)
Hm, I pulled the newest changes, ran ansible, ran both cert and webserver from the latest sources but I still see the SSL error and the broken CRL from above. I will build a new infrastructure, maybe I broke something earlier.
The error message still appears, yes, but the CRL can be downloaded correctly over HTTP using curl. I'm currently trying to get the CRLs chained and feed them to nginx.
> The error message still appears, yes, but the CRL can be downloaded correctly over HTTP using curl. I'm currently trying to get the CRLs chained and feed them to nginx.

I can confirm this. CRL works now, the error is still there.
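A check for the three symptoms this thread walks through (a redirect to HTTPS, an empty response with Content-Length: 0, and a body that is not a CRL), added here as an example and not code from the pull request. The URL is constructed from the host and path mentioned above, the fetch deliberately does not follow redirects (like curl without -L, so an HSTS-style redirect is reported instead of hidden), and the CRL check is only a DER framing check, not a full parse:

```python
import base64
import re
import urllib.error
import urllib.request

CRL_URL = "http://aslweb01/crl/revoked.crl"  # constructed from the thread; adjust for your environment
PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.S)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them, so an HTTPS redirect becomes visible.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_plain_http(url=CRL_URL, timeout=5):
    """Fetch the CRL over plain HTTP without following redirects (curl without -L)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.getheaders()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()

def looks_like_der_crl(body):
    """Minimal ASN.1 framing check: a CertificateList is one SEQUENCE spanning the whole body."""
    if len(body) < 4 or body[0] != 0x30:
        return False
    length, header = body[1], 2
    if length >= 0x80:                     # long-form length with 1..4 length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or len(body) < 2 + count:
            return False
        length, header = int.from_bytes(body[2:2 + count], "big"), 2 + count
    return header + length == len(body)

def classify_crl_response(status, headers, body):
    """Map a response to the failure modes seen in the thread, or "ok" for a plausible CRL."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):     # redirect, e.g. from HSTS or an nginx rewrite
        return "redirected-to-https" if lowered.get("location", "").startswith("https://") else "redirected"
    if status != 200:
        return "http-%d" % status
    if not body:                           # the Content-Length: 0 case
        return "empty-body"
    pem = PEM_CRL.search(body)
    if pem:                                # PEM wrapper: decode to DER before the framing check
        try:
            body = base64.b64decode(pem.group(1))
        except ValueError:
            return "not-a-crl"
    return "ok" if looks_like_der_crl(body) else "not-a-crl"
```

Run `classify_crl_response(*fetch_plain_http())` against the web server; anything other than "ok" names the failure mode to chase in the nginx configuration.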
I've tested this with 5f8fe0b and it seemed to work. Please use a new environment and make sure to use the local builds (a pull request for making this more convenient is pending at #60).
The SSL error is now finally gone for me too, but I'm not logged in when I provide the certificate. Is this expected?
> The SSL error is now finally gone for me too, but I'm not logged in when I provide the certificate. Is this expected?

I think @RequestForCoffee is already aware of that. Can we merge this and open an issue for authentication?
Fixes #44.