We had a kind offer on -users to pay for a wildcard SSL cert for theforeman.org, which we can use to protect our package downloads, GPG
public key downloads etc.
The way they'd like to do this is to donate the cash via PayPal for the
value of the certificate (~$450, 3yr) and we order and pay for it.
Does anybody have a PayPal account set up and associated with the project?
I vaguely remember a donate button being present on an old website or
Redmine. If not, I could set one up for this purpose - not to hold
money for long, or solicit donations in general, but to temporarily hold
the one-off donation and purchase the certificate.
> We had a kind offer on -users to pay for a wildcard SSL cert for
> theforeman.org, which we can use to protect our package downloads, GPG
> public key downloads etc.
>
> The way they'd like to do this is to donate the cash via PayPal for the
> value of the certificate (~$450, 3yr) and we order and pay for it.
>
> Does anybody have a PayPal account set up and associated with the project?
>
> I vaguely remember a donate button being present on an old website or
> Redmine. If not, I could set one up for this purpose - not to hold
> money for long, or solicit donations in general, but to temporarily hold
> the one-off donation and purchase the certificate.
Just in case I can save someone some $currency, letsencrypt.org is
scheduled to be released some time between now and the end of the year.
> We had a kind offer on -users to pay for a wildcard SSL cert for
> theforeman.org, which we can use to protect our package downloads, GPG
> public key downloads etc.
>
> The way they'd like to do this is to donate the cash via PayPal for the
> value of the certificate (~$450, 3yr) and we order and pay for it.
>
> Does anybody have a PayPal account set up and associated with the project?
>
> I vaguely remember a donate button being present on an old website or
> Redmine. If not, I could set one up for this purpose - not to hold
> money for long, or solicit donations in general, but to temporarily hold
> the one-off donation and purchase the certificate.
>
In the past, I've used my personal paypal to expense dns registration,
hosting etc… I suggest you set up one for the project.
thanks,
Ohad
···
On Wed, Oct 28, 2015 at 12:02 PM, Dominic Cleal wrote:
>
> > We had a kind offer on -users to pay for a wildcard SSL cert for
> > theforeman.org, which we can use to protect our package downloads, GPG
> > public key downloads etc.
> >
> > The way they'd like to do this is to donate the cash via PayPal for the
> > value of the certificate (~$450, 3yr) and we order and pay for it.
> >
> > Does anybody have a PayPal account set up and associated with the project?
> >
> > I vaguely remember a donate button being present on an old website or
> > Redmine. If not, I could set one up for this purpose - not to hold
> > money for long, or solicit donations in general, but to temporarily hold
> > the one-off donation and purchase the certificate.
> >
> In the past, I've used my personal paypal to expense dns registration,
> hosting etc… I suggest you set up one for the project.
Wouldn't you need some kind of legal entity to open a Paypal account
for? Maybe there's a F/OSS foundation out there that could accept
donations on the project's behalf.
···
On Wed, Oct 28, 2015 at 03:21:17PM +0200, Ohad Levy wrote:
> On Wed, Oct 28, 2015 at 12:02 PM, Dominic Cleal wrote:
Stephen mentioned this in the -users thread - the issue is that we'd
need to either: get an extra IPv4 address per vhost that we have
(theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
wildcard. letsencrypt don't plan on offering wildcards at launch.
···
On 28/10/15 11:16, Daniel Lobato Garcia wrote:
> On 10/28, Dominic Cleal wrote:
>>> We had a kind offer on -users to pay for a wildcard SSL cert
>>> for theforeman.org, which we can use to protect our package
>>> downloads, GPG public key downloads etc.
>>>
>>> The way they'd like to do this is to donate the cash via PayPal
>>> for the value of the certificate (~$450, 3yr) and we order and
>>> pay for it.
>>>
>>> Does anybody have a PayPal account set up and associated with
>>> the project?
>>>
>>> I vaguely remember a donate button being present on an old
>>> website or Redmine. If not, I could set one up for this
>>> purpose - not to hold money for long, or solicit donations in
>>> general, but to temporarily hold the one-off donation and
>>> purchase the certificate.
> Just in case I can save someone some $currency, letsencrypt.org is
> scheduled to be released some time between now and the end of the
> year.
>
> Maybe we could wait to get one of these for free?
Which is a massive shame, because I'd really like to use letsencrypt.
I guess the obvious follow-up question is this: are the IPs or the
wildcard more expensive? I assume we could add ethernet aliases to the
web host, so if extra IPs are cheaper, perhaps it still makes sense to
use letsencrypt?
Greg
···
On 28 October 2015 at 11:29, Dominic Cleal wrote:
>> Just in case I can save someone some $currency, letsencrypt.org is
>> scheduled to be released some time between now and the end of the
>> year.
>>
>> Maybe we could wait to get one of these for free?
>
> Stephen mentioned this in the -users thread - the issue is that we'd
> need to either: get an extra IPv4 address per vhost that we have
> (theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
> wildcard. letsencrypt don't plan on offering wildcards at launch.
The wildcard is almost certainly more expensive, but I don't know the
fees for additional IPv4 addresses on Rackspace without opening a
ticket. The cost for those would come out of our donation budget from
Rackspace.
My only concern is that they have to be manually requested (with proof
of an SSL cert) and so it might make a DR situation with the web server
harder to fix since we'd have to get new IPs allocated, and if we opted
to move it to another service then we'd need extra IPs there too.
···
On 28/10/15 11:40, Greg Sutcliffe wrote:
> On 28 October 2015 at 11:29, Dominic Cleal wrote:
>>> Just in case I can save someone some $currency, letsencrypt.org is
>>> scheduled to be released some time between now and the end of the
>>> year.
>>>
>>> Maybe we could wait to get one of these for free?
>>
>> Stephen mentioned this in the -users thread - the issue is that we'd
>> need to either: get an extra IPv4 address per vhost that we have
>> (theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
>> wildcard. letsencrypt don't plan on offering wildcards at launch.
>
> Which is a massive shame, because I'd really like to use letsencrypt.
> I guess the obvious follow-up question is this: are the IPs or the
> wildcard more expensive? I assume we could add ethernet aliases to the
> web host, so if extra IPs are cheaper, perhaps it still makes sense to
> use letsencrypt?
>
> >>
> >>> We had a kind offer on -users to pay for a wildcard SSL cert
> >>> for theforeman.org, which we can use to protect our package
> >>> downloads, GPG public key downloads etc.
> >>>
> >>> The way they'd like to do this is to donate the cash via PayPal
> >>> for the value of the certificate (~$450, 3yr) and we order and
> >>> pay for it.
> >>>
> >>> Does anybody have a PayPal account set up and associated with
> >>> the project?
> >>>
> >>> I vaguely remember a donate button being present on an old
> >>> website or Redmine. If not, I could set one up for this
> >>> purpose - not to hold money for long, or solicit donations in
> >>> general, but to temporarily hold the one-off donation and
> >>> purchase the certificate.
> >>>
> >> In the past, I've used my personal paypal to expense dns
> >> registration, hosting etc… I suggest you set up one for the
> >> project.
> >
> > Wouldn't you need some kind of legal entity to open a Paypal
> > account for?
>
> Yes, it'd have to be done in an individual's name (e.g. me).
>
> > Maybe there's a F/OSS foundation out there that could accept
> > donations on the project's behalf.
>
> The Software Freedom Conservancy (https://sfconservancy.org/) is the
> main one I'm aware of, and I'm interested in seeing the project under
> such an organisation in the future. I don't know if this helps much
> in the immediate/short term.
>
Oh, that's exactly the kind of thing I was thinking of, what would it
take to get Foreman to join?
···
On Wed, Oct 28, 2015 at 03:10:29PM +0000, Dominic Cleal wrote:
> On 28/10/15 13:44, Stephen Benjamin wrote:
> > On Wed, Oct 28, 2015 at 03:21:17PM +0200, Ohad Levy wrote:
> >> On Wed, Oct 28, 2015 at 12:02 PM, Dominic Cleal wrote:
You can pretty much rely on SNI nowadays. I expect most Foreman users
use sufficiently recent browsers / software so I don't think you need
extra IPs.
···
On Wed, Oct 28, 2015 at 11:45:58AM +0000, Dominic Cleal wrote:
> On 28/10/15 11:40, Greg Sutcliffe wrote:
> > On 28 October 2015 at 11:29, Dominic Cleal wrote:
> >>> Just in case I can save someone some $currency, letsencrypt.org is
> >>> scheduled to be released some time between now and the end of the
> >>> year.
> >>>
> >>> Maybe we could wait to get one of these for free?
> >>
> >> Stephen mentioned this in the -users thread - the issue is that we'd
> >> need to either: get an extra IPv4 address per vhost that we have
> >> (theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
> >> wildcard. letsencrypt don't plan on offering wildcards at launch.
> >
> > Which is a massive shame, because I'd really like to use letsencrypt.
> > I guess the obvious follow-up question is this: are the IPs or the
> > wildcard more expensive? I assume we could add ethernet aliases to the
> > web host, so if extra IPs are cheaper, perhaps it still makes sense to
> > use letsencrypt?
>
> The wildcard is almost certainly more expensive, but I don't know the
> fees for additional IPv4 addresses on Rackspace without opening a
> ticket. The cost for those would come out of our donation budget from
> Rackspace.
>>
>>> We had a kind offer on -users to pay for a wildcard SSL cert
>>> for theforeman.org, which we can use to protect our package
>>> downloads, GPG public key downloads etc.
>>>
>>> The way they'd like to do this is to donate the cash via PayPal
>>> for the value of the certificate (~$450, 3yr) and we order and
>>> pay for it.
>>>
>>> Does anybody have a PayPal account set up and associated with
>>> the project?
>>>
>>> I vaguely remember a donate button being present on an old
>>> website or Redmine. If not, I could set one up for this
>>> purpose - not to hold money for long, or solicit donations in
>>> general, but to temporarily hold the one-off donation and
>>> purchase the certificate.
>>>
>> In the past, I've used my personal paypal to expense dns
>> registration, hosting etc… I suggest you set up one for the
>> project.
>
> Wouldn't you need some kind of legal entity to open a Paypal
> account for?
Yes, it'd have to be done in an individual's name (e.g. me).
> Maybe there's a F/OSS foundation out there that could accept
> donations on the project's behalf.
The Software Freedom Conservancy (https://sfconservancy.org/) is the
main one I'm aware of, and I'm interested in seeing the project under
such an organisation in the future. I don't know if this helps much
in the immediate/short term.
···
On 28/10/15 13:44, Stephen Benjamin wrote:
> On Wed, Oct 28, 2015 at 03:21:17PM +0200, Ohad Levy wrote:
>> On Wed, Oct 28, 2015 at 12:02 PM, Dominic Cleal wrote:
I've also been thinking about that (specifically, Karen Sandler gave a
keynote at an event in Edinburgh, which got me thinking…)
We'd probably have to clarify our governance structure (so that the
SFC can see who the project leaders are, and how they're selected). I
don't think we really need to change anything, only write it down -
something that is on my todo list for the website anyway.
Additionally, since the SFC expects 10% of donations to cover costs,
and we don't get many (any?) donations, we may have to figure out how
that would work.
I'm risking derailing this thread re: certificates here - perhaps we
should start a new discussion?
Greg
···
On 28 October 2015 at 15:58, Stephen Benjamin wrote:
>> The Software Freedom Conservancy (https://sfconservancy.org/) is the
>> main one I'm aware of, and I'm interested in seeing the project under
>> such an organisation in the future. I don't know if this helps much
>> in the immediate/short term.
>
> Oh, that's exactly the kind of thing I was thinking of, what would it
> take to get Foreman to join?
That's true. We would need to check our supported OS package managers
too, since apt and yum clients may use it.
···
On 28/10/15 13:02, Ewoud Kohl van Wijngaarden wrote:
> On Wed, Oct 28, 2015 at 11:45:58AM +0000, Dominic Cleal wrote:
>> On 28/10/15 11:40, Greg Sutcliffe wrote:
>>> On 28 October 2015 at 11:29, Dominic Cleal wrote:
>>>>> Just in case I can save someone some $currency, letsencrypt.org is
>>>>> scheduled to be released some time between now and the end of the
>>>>> year.
>>>>>
>>>>> Maybe we could wait to get one of these for free?
>>>>
>>>> Stephen mentioned this in the -users thread - the issue is that we'd
>>>> need to either: get an extra IPv4 address per vhost that we have
>>>> (theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
>>>> wildcard. letsencrypt don't plan on offering wildcards at launch.
>>>
>>> Which is a massive shame, because I'd really like to use letsencrypt.
>>> I guess the obvious follow-up question is this: are the IPs or the
>>> wildcard more expensive? I assume we could add ethernet aliases to the
>>> web host, so if extra IPs are cheaper, perhaps it still makes sense to
>>> use letsencrypt?
>>
>> The wildcard is almost certainly more expensive, but I don't know the
>> fees for additional IPv4 addresses on Rackspace without opening a
>> ticket. The cost for those would come out of our donation budget from
>> Rackspace.
>
> You can pretty much rely on SNI nowadays. I expect most Foreman users
> use sufficiently recent browsers / software so I don't think you need
> extra IPs.
>
> https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
You can keep those on HTTP for a bit. IMHO the most important part is projects.theforeman.org since you can enter a password there.
···
On Wed, Oct 28, 2015 at 01:03:45PM +0000, Dominic Cleal wrote:
> On 28/10/15 13:02, Ewoud Kohl van Wijngaarden wrote:
> > On Wed, Oct 28, 2015 at 11:45:58AM +0000, Dominic Cleal wrote:
> >> On 28/10/15 11:40, Greg Sutcliffe wrote:
> >>> On 28 October 2015 at 11:29, Dominic Cleal wrote:
> >>>>> Just in case I can save someone some $currency, letsencrypt.org is
> >>>>> scheduled to be released some time between now and the end of the
> >>>>> year.
> >>>>>
> >>>>> Maybe we could wait to get one of these for free?
> >>>>
> >>>> Stephen mentioned this in the -users thread - the issue is that we'd
> >>>> need to either: get an extra IPv4 address per vhost that we have
> >>>> (theforeman.org, deb, yum, downloads, possibly stagingdeb), or use a
> >>>> wildcard. letsencrypt don't plan on offering wildcards at launch.
> >>>
> >>> Which is a massive shame, because I'd really like to use letsencrypt.
> >>> I guess the obvious follow-up question is this: are the IPs or the
> >>> wildcard more expensive? I assume we could add ethernet aliases to the
> >>> web host, so if extra IPs are cheaper, perhaps it still makes sense to
> >>> use letsencrypt?
> >>
> >> The wildcard is almost certainly more expensive, but I don't know the
> >> fees for additional IPv4 addresses on Rackspace without opening a
> >> ticket. The cost for those would come out of our donation budget from
> >> Rackspace.
> >
> > You can pretty much rely on SNI nowadays. I expect most Foreman users
> > use sufficiently recent browsers / software so I don't think you need
> > extra IPs.
> >
> > https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
>
> That's true. We would need to check our supported OS package managers
> too, since apt and yum clients may use it.
> > >> The wildcard is almost certainly more expensive, but I don't know the
> > >> fees for additional IPv4 addresses on Rackspace without opening a
> > >> ticket. The cost for those would come out of our donation budget from
> > >> Rackspace.
> > >
> > > You can pretty much rely on SNI nowadays. I expect most Foreman users
> > > use sufficiently recent browsers / software so I don't think you need
> > > extra IPs.
> > >
> > > https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
> >
> > That's true. We would need to check our supported OS package managers
> > too, since apt and yum clients may use it.
>
> You can keep those on HTTP for a bit. IMHO the most important part is
> projects.theforeman.org since you can enter a password there.
If no one opposes SNI - at least for the web portion, not the repos
[1], I have access to the closed beta of letsencrypt.org. They have
whitelisted theforeman.org for us. We can start with Redmine and the
main web now if you want.
[1] - I have not found anything conclusive about apt & yum support for
SNI
···
>>>>> The wildcard is almost certainly more expensive, but I
>>>>> don't know the fees for additional IPv4 addresses on
>>>>> Rackspace without opening a ticket. The cost for those
>>>>> would come out of our donation budget from Rackspace.
>>>>
>>>> You can pretty much rely on SNI nowadays. I expect most
>>>> Foreman users use sufficiently recent browsers / software so
>>>> I don't think you need extra IPs.
>>>>
>>>> https://en.wikipedia.org/wiki/Server_Name_Indication#No_support
>>>
>>> That's true. We would need to check our supported OS package managers
>>> too, since apt and yum clients may use it.
>>
>> You can keep those on HTTP for a bit. IMHO the most important
>> part is projects.theforeman.org since you can enter a password
>> there.
>
>
> If no one opposes SNI - at least for the web portion, not the
> repos [1], I have access to the closed beta of letsencrypt.org.
> They have whitelisted theforeman.org for us. We can start with
> Redmine and the main web now if you want.
This would be projects.theforeman.org, so hopefully your whitelist
covers it. Timo mentioned on IRC yesterday that the subdomain might
need whitelisting explicitly.
It'll need some changes to foreman-infra to get the SSL
configs in our regular, non-Redmine vhosts. What would you need to
create a cert for theforeman.org itself - a CSR?
> [1] - I have not found anything conclusive about apt & yum support
> for SNI
I think this is going to depend on whether they're using GnuTLS or
OpenSSL, and if the latter, which versions.