Stop bundling snakeoil certs, possibly replace with 'Let's encrypt' integration.

[grelland]

We aren't doing anyone any favours by bundling the snakeoil certs on install: they are useless for production and https is unnecessary for dev/training, especially since browsers complain pretty loudly about fake certs.

If we need to bundle an HTTPS setup we could (optionally) include a setup for Let's encrypt which issues free 3 month certificates and comes with client software to enable pain free auto-renewal. This solution provides free and painless LEGIT certificates for the DHIS2 instance.

Of course, the cert needs to be configured for an actual domain, which makes the whole ordeal a bit more complicated... Maybe writing a short guide setup with dhis2/nginx would suffice?

[jason-p-pickering]

Sounds fine with me, but we need to tell people how to get DNS address as well.

On Tue, May 31, 2016, 10:43 Halvdan Hoem Grelland notifications@github.com wrote:

We aren't doing anyone any favours by bundling the snakeoil certs on install: they are useless for production and https is unnecessary for dev/training, especially since browsers complain pretty loudly about fake certs.

If we need to bundle an HTTPS setup we could (optionally) include a setup for Let's encrypt https://letsencrypt.com which issues free 3 month certificates and comes with client software to enable pain free auto-renewal. This solution provides free and painless LEGIT certificates for the DHIS2 instance.

Of course, the cert needs to be configured for an actual domain, which makes the whole ordeal a bit more complicated... Maybe writing a short guide setup with dhis2/nginx would suffice?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/dhis2/dhis2-tools/issues/13, or mute the thread https://github.com/notifications/unsubscribe/AC1J_allk34JFCmKl-i2y2WuwTPe0-MFks5qHEkRgaJpZM4Iqm17 .

[bobjolliffe]

A few quick thoughts.

1. Jason had previously raised the suggestion of lets encrypt. Its not a bad idea - good that the issue has been documented.
2. it not that we exactly bundle snakeoil certs. Either way my feeling at the time was that it is better than the default install being http. I think in fact it has been quite effective in forcing folk to get properly ssl/tls enabled when they wouldn't have done otherwise. In that sense I think we might actually have done some favours :-)
3. I have had mixed feelings from the start about having a dhis2-nginx script at all. As I see it, it is actually outside of the scope of setting up the tomcat containers and nginx isn't even a dependency of the package. Both nginx and postgresql are not necessarily part of the same machine scope. I'd be happy to simply remove it and retain some up to date sample files which users might or might not find useful. In my experience the nginx configuration tends to get fairly rapidly customised anyway. dhis2-nginx is just really a lazy way to get started.

So your question "If we need to bundle an HTTPS setup .." is the most important. I am not sure we do. Having some skeleton samples might still be useful. Though for any kind of automated setup some kind of (probably more sophisticated) script would still be required. Feel free to contribute.

It would also be quite easy to open a second connector on tomcat for handling http requests which might be useful in training. My fear would be that it would simply open the way for folk to revert to using http in production.

Note that most training in country environments make use of copies of the production database so i wouldn't encourage the view that training is risk free.

I am open to suggestions.

On 31 May 2016 at 16:18, Jason Pickering notifications@github.com wrote:

Sounds fine with me, but we need to tell people how to get DNS address as well.

On Tue, May 31, 2016, 10:43 Halvdan Hoem Grelland < notifications@github.com> wrote:

We aren't doing anyone any favours by bundling the snakeoil certs on install: they are useless for production and https is unnecessary for dev/training, especially since browsers complain pretty loudly about fake certs.

If we need to bundle an HTTPS setup we could (optionally) include a setup for Let's encrypt https://letsencrypt.com which issues free 3 month certificates and comes with client software to enable pain free auto-renewal. This solution provides free and painless LEGIT certificates for the DHIS2 instance.

Of course, the cert needs to be configured for an actual domain, which makes the whole ordeal a bit more complicated... Maybe writing a short guide setup with dhis2/nginx would suffice?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/dhis2/dhis2-tools/issues/13, or mute the thread < https://github.com/notifications/unsubscribe/AC1J_allk34JFCmKl-i2y2WuwTPe0-MFks5qHEkRgaJpZM4Iqm17

.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/dhis2/dhis2-tools/issues/13#issuecomment-222721985, or mute the thread https://github.com/notifications/unsubscribe/ABFTq4bYu3XowVQvS6XXv-ytlyxyrqkBks5qHFFBgaJpZM4Iqm17 .

[simjes]

Provided Let' Encrypt guide in eb938ce. Maybe I should update it with DNS explanation/tips?

[grelland]

Great work!