Hi,

I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849

I just got an answer from infra team and I'd appreciate some help to get good arguments, have you (please read in the issue before)?

Thanks

Jacques

Is it really needed? I don't think anyone is going to be entering their credit card details on the site.

"Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.

I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. Although I'm glad you did, I got another server to play with at work :-)

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:

> Hi,
>
> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>
> I just got an answer from infra team and I'd appreciate some help to get good arguments, have you (please read in the issue before)?
>
> Thanks
>
> Jacques

You don't have to pay for SSL - http://www.startssl.com/

We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all perfect.

Sam

On 21 Oct 2010, at 16:35, Scott Gray wrote:

> Is it really needed? I don't think anyone is going to be entering their credit card details on the site.
>
> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
>
> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. Although I'm glad you did, I got another server to play with at work :-)
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com

Thanks for the tip Sam,

Was the problem with Opera blocking (i.e. making it worse than nothing)?

Jacques

Sam Hamilton wrote:

> You don't have to pay for SSL - http://www.startssl.com/
> We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all perfect.
>
> Sam

No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo box.

On 21 Oct 2010, at 20:20, Jacques Le Roux wrote:

> Thanks for the tip Sam,
>
> Was the problem with Opera blocking (i.e. making it worse than nothing)?
>
> Jacques

OK, looks like the good solution if there are no hidden issues and we will see...

I will suggest this to the infra team

Thanks Again Sam!

Jacques

From: "Sam Hamilton" <[hidden email]>

> No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo box.

In reply to this post by samhamilton
BTW I just tried. This does not work (yet) in France: it keeps asking for a state province, we have none in France (I have asked as they suggest) :/

Nevermind: it's out of subject

Jacques

From: "Sam Hamilton" <[hidden email]>

> No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo box.

In reply to this post by Jacques Le Roux
Oops, actually it works. I had used Google AutoFill (to fill the form).

I also tried by hand but you have 1st to check another country and get back to it

Jacques

From: "Jacques Le Roux" <[hidden email]>

> BTW I just tried. This does not work (yet) in France: it keeps asking for a state province, we have none in France (I have asked as they suggest) :/
>
> Nevermind: it's out of subject
>
> Jacques

In reply to this post by samhamilton
On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <[hidden email]> wrote:
> No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo box.

On a related note, I wonder if anyone has a simple cookbook example for authorizing a self-signed cert to all the clients in a controlled, in-house enterprise environment. We do not want to spend money on server certs for what is strictly an internal application, but we have enough clients that it is a problem to go through the steps of accepting a self-signed cert for every user. I have tried making an internal CA, but I never succeeded in getting browsers to automatically accept the CA and not ask for validation on the server certs. I have complete control of the client, the server, and the network, and I wish I could pre-load SSL authorization so that we have the benefits of SSL other than the external CA part.

--
James McGill
Phoenix AZ

On 22/10/2010, at 10:21 AM, James McGill wrote:
> On a related note, I wonder if anyone has a simple cookbook example for authorizing a self-signed cert to all the clients in a controlled, in-house enterprise environment. We do not want to spend money on server certs for what is strictly an internal application, but we have enough clients that it is a problem to go through the steps of accepting a self-signed cert for every user. I have tried making an internal CA, but I never succeeded in getting browsers to automatically accept the CA and not ask for validation on the server certs. I have complete control of the client, the server, and the network, and I wish I could pre-load SSL authorization so that we have the benefits of SSL other than the external CA part.

You can configure your browser to always trust a self signed cert, google is your friend here and nothing about it is OFBiz specific. If the application is going to be accessed over the internet though then you are better off paying for a certificate which really isn't very expensive.

Regards
Scott

On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <[hidden email]> wrote:

> You can configure your browser to always trust a self signed cert, google is your friend here and nothing about it is OFBiz specific. If the application is going to be accessed over the internet though then you are better off paying for a certificate which really isn't very expensive.

Thanks -- I understand this, but doing it for hundreds of clients is a pain.

That's why I want to do something like create a private CA and include it in a standard configuration.

Google is not all that friendly in this case. I understand SSL and Cert Authority pretty well, and have been able to accomplish the desired result with Apache, but not with Catalina (or OFBiz). I posted here in hopes that someone had, literally, a cookbook example of how to do it.

Our OFBiz installation is not accessible from the internet in any way whatsoever. It's strictly an internal service for a manufacturing facility.

Ok, so let's say Google is my friend. I fully understand the instructions here:
http://www.initsix.co.uk/content/how-create-internal-certificate-authority

I get this far and then fail to spark the gap between having this CA key, generated cert, and then configuring all browsers in the facility so that they will accept this and any other cert signed by that CA. There is also some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles a keystore. I'm here to say that Google is not all that friendly on these topics, and in my defense, I'm not exactly being ignorant or lazy here.

--
James McGill
Phoenix AZ

On 22/10/2010, at 10:52 AM, James McGill wrote:
> Thanks -- I understand this, but doing it for hundreds of clients is a pain.

Either way, browsers are set up to only trust certain signing authorities and there is no way to bypass that without reconfiguring each browser. IMO that is the pain and if you're doing it for any more than a few users then a proper certificate begins to make sense pretty quickly.

> That's why I want to do something like create a private CA and include it in a standard configuration.

Everything below is a different topic, you're asking about installing a certificate in OFBiz/Tomcat and that process is the same regardless of how it was signed. I'm pretty sure people have documented it in the wiki but I don't do it often enough to be able to give you any useful info off the top of my head.

> Google is not all that friendly in this case. I understand SSL and Cert Authority pretty well, and have been able to accomplish the desired result with Apache, but not with Catalina (or OFBiz). I posted here in hopes that someone had, literally, a cookbook example of how to do it.
>
> Our OFBiz installation is not accessible from the internet in any way whatsoever. It's strictly an internal service for a manufacturing facility.
>
> Ok, so let's say Google is my friend. I fully understand the instructions here:
> http://www.initsix.co.uk/content/how-create-internal-certificate-authority
>
> I get this far and then fail to spark the gap between having this CA key, generated cert, and then configuring all browsers in the facility so that they will accept this and any other cert signed by that CA. There is also some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles a keystore. I'm here to say that Google is not all that friendly on these topics, and in my defense, I'm not exactly being ignorant or lazy here.
>
> --
> James McGill
> Phoenix AZ

On 22 Oct 2010, at 06:49, Scott Gray wrote:

> Not sure I follow you there, hundreds of users or hundreds of deployments?
>
> Either way, browsers are set up to only trust certain signing authorities and there is no way to bypass that without reconfiguring each browser. IMO that is the pain and if you're doing it for any more than a few users then a proper certificate begins to make sense pretty quickly.

Yes with a real SSL that works with all browsers now coming in around $11 a year or a free one that works with Firefox, Safari and Chrome perfectly why go to the extra effort of creating a CA?

> Everything below is a different topic, you're asking about installing a certificate in OFBiz/Tomcat and that process is the same regardless of how it was signed. I'm pretty sure people have documented it in the wiki but I don't do it often enough to be able to give you any useful info off the top of my head.

In reply to this post by James McGill-5
Hmm, if you're saying to use certification as ofbiz login, perhaps add a crl check in the login procedure would fix your problem?

On Thu, 2010-10-21 at 14:21 -0700, James McGill wrote:

> On a related note, I wonder if anyone has a simple cookbook example for authorizing a self-signed cert to all the clients in a controlled, in-house enterprise environment. We do not want to spend money on server certs for what is strictly an internal application, but we have enough clients that it is a problem to go through the steps of accepting a self-signed cert for every user. I have tried making an internal CA, but I never succeeded in getting browsers to automatically accept the CA and not ask for validation on the server certs. I have complete control of the client, the server, and the network, and I wish I could pre-load SSL authorization so that we have the benefits of SSL other than the external CA part.

In reply to this post by samhamilton
On Thu, Oct 21, 2010 at 7:47 PM, Sam Hamilton <[hidden email]> wrote:
> Yes with a real SSL that works with all browsers now coming in around $11 a year or a free one that works with Firefox, Safari and Chrome perfectly why go to the extra effort of creating a CA?

I don't think you can obtain that $11 or free SSL Cert for private DNS names, can you? I want to do SSL on hosts that aren't even on the internet, let alone using names that are delegated by registrars. It is a completely private, completely isolated internal system that happens to use the web application architecture.

That's why I would like to do it with an internal CA, but the problem is getting the browsers to accept that CA (and perhaps, accept *only* that CA).

I realize this is beyond the scope of OFBiz development but I thought I might not be the only OFBiz user who deploys in an isolated environment. We'd still really like to have the encrypted communication of SSL without the third party authentication bits. The deployment is large enough that the step of "accepting the self-signed certs" really is a nuisance.

--
James McGill
Phoenix AZ

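The gap described in the posts above (having a CA key and a signed certificate, but clients that still do not accept it) comes down to which single file the clients hold as a trust anchor. The following is an added example, not part of any post in this thread and not OFBiz or Tomcat project code. It assumes only the `openssl` command line; the CA names, the host `ofbiz.plant.internal`, the alias `tomcat` and the password `changeit` are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> client-side validation.
# Every name, host and password here is a constructed placeholder.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed root. NAME.crt is the only file clients need;
# NAME.key signs server certificates and never leaves the CA host.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/O=Example Plant/CN=$1 internal CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert CA HOST: key + CSR for HOST, signed by CA.
# The subjectAltName entry is what clients match against the URL's host name.
issue_server_cert() {
  ca=$1; host=$2
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" \
    -CAkey "$WORK/$ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# trusts ANCHOR CERT HOST: what a client concludes when ANCHOR is the CA file
# it was given and it connects to HOST. Prints "trusted" or "rejected".
trusts() {
  if openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
       2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo rejected
  fi
}

# make_keystore CA HOST: PKCS#12 bundle holding key, server cert and CA cert.
# Tomcat's JSSE connector can read a PKCS#12 file as its keystore
# (keystoreType="PKCS12"); where OFBiz sets that is not covered here.
make_keystore() {
  openssl pkcs12 -export -name tomcat -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
    -certfile "$WORK/$1.crt" -passout pass:changeit -out "$WORK/$2.p12"
}

# keystore_cert_count HOST: number of certificates inside HOST.p12.
keystore_cert_count() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

HOST=ofbiz.plant.internal
make_ca plant          # the CA whose certificate is distributed to clients
make_ca other          # an unrelated CA, standing in for "CA not installed"
issue_server_cert plant "$HOST"
make_keystore plant "$HOST"

echo "client holding plant CA:      $(trusts "$WORK/plant.crt" "$WORK/$HOST.crt" "$HOST")"
echo "client holding another CA:    $(trusts "$WORK/other.crt" "$WORK/$HOST.crt" "$HOST")"
echo "plant CA, different hostname: $(trusts "$WORK/plant.crt" "$WORK/$HOST.crt" erp.plant.internal)"
echo "certificates in keystore:     $(keystore_cert_count "$HOST")"
```

Installing `plant.crt` in each client's trust store is a one-time step per machine; after that, every certificate the CA signs for a further internal host validates without a prompt, provided the host name matches the certificate's subjectAltName.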