Stop bundling snakeoil certs, possibly replace with 'Let's encrypt' integration. about dhis2-tools HOT 4 CLOSED

Sounds fine with me, but we need to tell people how to get DNS address as
well.

On Tue, May 31, 2016, 10:43 Halvdan Hoem Grelland [email protected]
wrote:

We aren't doing anyone any favours by bundling the snakeoil certs on
install: they are useless for production and https is unnecessary for
dev/training, especially since browsers complain pretty loudly about fake
certs.

If we need to bundle an HTTPS setup we could (optionally) include a setup
for Let's encrypt https://letsencrypt.com which issues free 3 month
certificates and comes with client software to enable pain free
auto-renewal. This solution provides free and painless LEGIT certificates
for the DHIS2 instance.

Of course, the cert needs to be configured for an actual domain, which
makes the whole ordeal a bit more complicated... Maybe writing a short
guide setup with dhis2/nginx would suffice?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#13, or mute the thread
https://github.com/notifications/unsubscribe/AC1J_allk34JFCmKl-i2y2WuwTPe0-MFks5qHEkRgaJpZM4Iqm17
.

from dhis2-tools.

A few quick thoughts.

1. Jason had previously raised the suggestion of lets encrypt. Its not a
   bad idea - good that the issue has been documented.
2. it not that we exactly bundle snakeoil certs. Either way my feeling at
   the time was that it is better than the default install being http. I
   think in fact it has been quite effective in forcing folk to get properly
   ssl/tls enabled when they wouldn't have done otherwise. In that sense I
   think we might actually have done some favours :-)
3. I have had mixed feelings from the start about having a dhis2-nginx
   script at all. As I see it, it is actually outside of the scope of setting
   up the tomcat containers and nginx isn't even a dependency of the package.
   Both nginx and postgresql are not necessarily part of the same machine
   scope. I'd be happy to simply remove it and retain some up to date sample
   files which users might or might not find useful. In my experience the
   nginx configuration tends to get fairly rapidly customised anyway.
   dhis2-nginx is just really a lazy way to get started.

So your question "If we need to bundle an HTTPS setup .." is the most
important. I am not sure we do. Having some skeleton samples might still
be useful. Though for any kind of automated setup some kind of (probably
more sophisticated) script would still be required. Feel free to
contribute.

It would also be quite easy to open a second connector on tomcat for
handling http requests which might be useful in training. My fear would be
that it would simply open the way for folk to revert to using http in
production.

Note that most training in country environments make use of copies of the
production database so i wouldn't encourage the view that training is risk
free.

I am open to suggestions.

On 31 May 2016 at 16:18, Jason Pickering [email protected] wrote:

Sounds fine with me, but we need to tell people how to get DNS address as
well.

On Tue, May 31, 2016, 10:43 Halvdan Hoem Grelland <
[email protected]>
wrote:

We aren't doing anyone any favours by bundling the snakeoil certs on
install: they are useless for production and https is unnecessary for
dev/training, especially since browsers complain pretty loudly about fake
certs.

If we need to bundle an HTTPS setup we could (optionally) include a setup
for Let's encrypt https://letsencrypt.com which issues free 3 month
certificates and comes with client software to enable pain free
auto-renewal. This solution provides free and painless LEGIT certificates
for the DHIS2 instance.

Of course, the cert needs to be configured for an actual domain, which
makes the whole ordeal a bit more complicated... Maybe writing a short
guide setup with dhis2/nginx would suffice?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#13, or mute the thread
<
https://github.com/notifications/unsubscribe/AC1J_allk34JFCmKl-i2y2WuwTPe0-MFks5qHEkRgaJpZM4Iqm17

.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#13 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ABFTq4bYu3XowVQvS6XXv-ytlyxyrqkBks5qHFFBgaJpZM4Iqm17
.

from dhis2-tools.

Provided Let' Encrypt guide in eb938ce. Maybe I should update it with DNS explanation/tips?

from dhis2-tools.

Great work!

from dhis2-tools.