badges / shields

Concise, consistent, and legible badges in SVG and raster format
https://shields.io
Creative Commons Zero v1.0 Universal

configure SSL #66

Closed chadwhitacre closed 10 years ago

chadwhitacre commented 10 years ago

Reticketing from #52.

elia commented 10 years ago

:+1:

Eg. https://img.shields.io/gittip/activeadmin.png

uses vanilla herokuapp.com certificate

nathany commented 10 years ago

I suspect we'll want SSL not only for serving up images (to avoid GitHub's caching), but also for any sort of Rails backend for statistics, etc. if that requires authentication?

chadwhitacre commented 10 years ago

@nathany Indeed. With StartSSL we get unlimited certs, so that shouldn't be a problem.

nathany commented 10 years ago

Firefox can be a little more picky than Chrome, as discovered recently here. So we'll have to double check it.

https://sslcheck.globalsign.com looks like a useful tool.

nathany commented 10 years ago

Considering the issues seen without using SSL https://github.com/badges/buckler/issues/27, it would be great to be able to offer piggybacking on our (wildcard) HTTPS cert to badge services like @fjcaetano's cocoapod-badges and @kura's pypipins.

What still needs to be done to get this set up? @whit537 @seanlinsley

nathany commented 10 years ago

Another tool to ensure SSL is set up correctly: https://www.ssllabs.com/ssltest/.

seanlinsley commented 10 years ago

Yes @whit537, what does need to be done? :cat:

[screenshot attached: 2014-01-12]

kura commented 10 years ago

My service is thankfully covered by a free SSL certificate from GlobalSign for being an open source project, so SSL is a non-issue to me. I would suggest you guys contact them though; they offer free wildcard certs for open source projects.

chadwhitacre commented 10 years ago

I have an account at https://www.startssl.com/ and am planning to get a cert from there (they're free once you're verified, which Gittip is). Unfortunately their site is down right now. :-/

chadwhitacre commented 10 years ago

That is, I'm getting a connection timeout.

chadwhitacre commented 10 years ago

Blech. Their site is still down, no answer on Twitter. Starting to feel like StartSSL is dead in the water. :-(

nathany commented 10 years ago

https://www.globalsign.com/ssl/ssl-open-source/

olivierlacan commented 10 years ago

@nathany Looks like our Public Domain license is not a license after all: http://opensource.org/faq#public-domain

I'm ok to switch to an MIT license in order to be able to apply for this. Should I put my name on the copyright since we don't really have an organization at this time?

chadwhitacre commented 10 years ago

+1 MIT and GlobalSign. Perhaps "(c) Olivier Lacan and Contributors"?

espadrine commented 10 years ago

Did you try CC0?

(Should I have a LICENSE file in the project?)

chadwhitacre commented 10 years ago

Option 1: StartSSL is working again, but in order to validate the domain with them we need one of these email addresses configured:

If we can do that, the cert is free.

Option 2: We can probably convince GlobalSign that we're an open source project if we change our license, but in general I don't like depending on handouts. We're trying to find a new business model here, we're not running a charity.

Option 3: We can buy a cert from somewhere else. GlobalSign is $250, I've used DigiCert before for $200, RapidSSL is $50. Any other favorites/advice?

elia commented 10 years ago

keep an eye on godaddy, I got a two yrs cert for about 7$ once

nathany commented 10 years ago

@olivierlacan is using DNSimple for the domain, so if we're paying for an SSL cert, it might make sense to use DNSimple for that as well.

https://dnsimple.com/pricing RapidSSL certificates from GeoTrust certs for $20/year or wildcard certs for $100/year.

If we're using Heroku for hosting, their fee for using the SSL cert is the more significant cost. https://addons.heroku.com/ssl

nathany commented 10 years ago

Or is SSL even that important with #111?

espadrine commented 10 years ago

@whit537 Let's say Option 1. I just checked, CC0 is absolutely acceptable.

(As a result, @olivierlacan, I have received a StartSSL campaign code that can be used to get the certificate: do you want me to give it to you? Through which channel?)

chadwhitacre commented 10 years ago

I've verified the shields.io domain with StartSSL (@olivierlacan was kind enough to share DNS admin privileges with me; I configured MX for Google Apps and set up a hostmaster@ address that routes to me, which is the domain verification mechanism provided by StartSSL). Tomorrow I should be able to get us a certificate and install it at Heroku for img.shields.io.

chadwhitacre commented 10 years ago

You successfully finished the process for your certificate. However your certificate request has been marked for approval by our personnel. Please wait for a mail notification from us within the next 3 hours (the most). We might contact you for further questions or issue the certificate within that time. Thank you for your understanding!

chadwhitacre commented 10 years ago

I've provisioned the SSL endpoint. I've emailed StartSSL offering to answer any questions. Once I have the certificate I'll add it to our endpoint and make the DNS change.

chadwhitacre commented 10 years ago

Received an email that the certificate has been issued. Now the StartSSL website is "over capacity." :cry:

chadwhitacre commented 10 years ago

sigh #111 #112

https://img.shields.io/badge/SSL-secure-green.svg

;-)

espadrine commented 10 years ago

@whit537 Good work! ☺

olivierlacan commented 10 years ago

@whit537 We only got the wildcard SSL I'm guessing, right? That explains why https://shields.io shows this: [image]

I feel like we should have the root under SSL. I want to add a section about SSL to the homepage somewhere since some people want to avoid mixed content warnings when using badges. Makes sense @espadrine?

espadrine commented 10 years ago

Something to say that, yeah, the root domain doesn't have SSL, but they can totally use HTTPS for badges? Makes sense!

nathany commented 10 years ago

I've noticed that some wildcard certs (GoDaddy in our case, but also DNSimple afaik) do support a bare domain, which we have been using on Heroku. https://devcenter.heroku.com/articles/ssl-endpoint#root-domain
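The last few comments turn on whether a wildcard certificate for `*.shields.io` also covers the bare domain `shields.io`. The script below, an added example that is not part of the shields.io project or of this thread, implements the RFC 6125 name-matching rule (a single `*` only as the whole left-most label, matching exactly one label) and runs it against two constructed certificate dictionaries shaped like the output of `ssl.SSLSocket.getpeercert()`: one with only the wildcard name and one that also lists the root as a subjectAltName, which is what the Heroku article linked above requires. The `fetch_cert` helper is an assumption for checking one of your own hosts live; nothing in the block contacts the network unless you call it.

```python
"""Does a certificate's name list cover a given host?  Added example; the
certificate dictionaries below are constructed and their names are
assumptions, not the project's real certificate."""
import socket
import ssl


def match_pattern(pattern, hostname):
    """RFC 6125-style match: '*' is allowed only as the entire left-most
    label, matches exactly one non-empty label, and never matches a dot.
    Partial wildcards (f*.example.com) and too-short patterns (*.io) are
    rejected, which is what browsers do."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # only a whole-label, left-most wildcard is accepted
    if len(p_labels) < 3:
        return False  # refuse '*.io'-style patterns
    if len(p_labels) != len(h_labels):
        return False  # '*.shields.io' has 3 labels; 'shields.io' has 2
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def names_in_cert(cert):
    """DNS names from subjectAltName; fall back to the subject CN only when
    the certificate carries no SAN entries at all (modern clients ignore
    the CN once a SAN is present)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_covers(cert, hostname):
    """True if any name in the certificate matches the host."""
    return any(match_pattern(n, hostname) for n in names_in_cert(cert))


def fetch_cert(hostname, port=443, timeout=5.0):
    """Assumed helper: live lookup against a host you operate.  Returns
    the peer certificate dict, or None if the TLS handshake or chain
    verification fails (which is itself a finding worth logging)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None


# Constructed certificates in getpeercert() shape (names are assumptions).
WILDCARD_ONLY = {
    "subject": ((("commonName", "*.shields.io"),),),
    "subjectAltName": (("DNS", "*.shields.io"),),
}
WILDCARD_PLUS_ROOT = {
    "subject": ((("commonName", "*.shields.io"),),),
    "subjectAltName": (("DNS", "*.shields.io"), ("DNS", "shields.io")),
}

if __name__ == "__main__":
    cases = (("wildcard only", WILDCARD_ONLY), ("wildcard + root", WILDCARD_PLUS_ROOT))
    for label, cert in cases:
        for host in ("img.shields.io", "shields.io", "a.b.shields.io"):
            state = "ok" if cert_covers(cert, host) else "NOT covered"
            print(f"{label:16} {host:18} {state}")
```

Running it shows the asymmetry the thread hit: `*.shields.io` covers `img.shields.io` but neither `shields.io` nor `a.b.shields.io`, while the second certificate covers the root only because it is listed explicitly. To check a deployed endpoint, pass the result of `fetch_cert("img.shields.io")` into `cert_covers` for each hostname you expect the certificate to serve.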