Demo sites not available?

I have just tried to go onto the Tryton demo sites, and my browser is complaining that the certificates are not valid.

The DNS names for the demo sites don’t appear to be in the Subject Alt Names list.

All demo*.tryton.org are plain HTTP. We do not manage to create a new certificate for each new version.
Despite demo.tryton.org not being set up in nginx to listen on 443, nginx still seems to serve it as if it was tryton.org.

It is explained in http://nginx.org/en/docs/http/server_names.html#miscellaneous_names
So it is using the default tryton.org, which has SSL.

Anyway, there is nothing more we can do here.

No, that’s fine.

I must have automatically typed https in when entering in the url, not realizing that they were http only. Thanks.

Maybe we can request a wildcard certificate so we can use it for the demo sites.

This will improve the image of the demo sites, as they will also be served over HTTPS.


A wildcard certificate requires validation via DNS. But as far as I can tell, there is no plugin to automate them with nsd.

Maybe it is doable with certbot-dns-rfc2136 but it is not yet packaged in Gentoo.

I successfully managed to get a wildcard certificate for tryton.org by using hooks. Here they are, for the record.

manual auth hook

#!/bin/bash
# certbot --manual-auth-hook: publish the DNS-01 challenge through nsd.
# certbot exports CERTBOT_DOMAIN (the base name; for a wildcard the "*." is
# already stripped) and CERTBOT_VALIDATION (the token to serve in the TXT record).
set -e
# Named NSD_DIR rather than PATH so the shell's command lookup is not clobbered
# (all binaries below are still called by absolute path).
NSD_DIR="/var/lib/nsd"
# Zone = last two labels (demo6.tryton.org -> tryton.org); expr exits 1 when there
# is no match, so "|| :" keeps set -e from aborting when CERTBOT_DOMAIN is the zone itself.
DOMAIN=$(/usr/bin/expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)') || :
if [ -z "${DOMAIN}" ]; then
        DOMAIN=${CERTBOT_DOMAIN}
fi
ZONE="${NSD_DIR}/${DOMAIN}.zone"
# Fragment pulled into the zone file through an RFC 1035 $INCLUDE directive.
INC="${NSD_DIR}/${CERTBOT_DOMAIN}.zone.acme.inc"

echo "_acme-challenge.${CERTBOT_DOMAIN}. 5 IN TXT \"${CERTBOT_VALIDATION}\"" > "${INC}"
# Bump the 10-digit SOA serial: GNU sed's "e" flag runs the replacement as a shell
# command, so the echo with $((serial+1)) writes back the incremented line.
/bin/sed -i -r 's/(.*)([0-9]{10})( ; serial.*)/echo "\1$((\2+1))\3"/ge' "${ZONE}"
/usr/sbin/nsd-control reload "${DOMAIN}" >/dev/null
/usr/sbin/nsd-control notify "${DOMAIN}" >/dev/null
# Give the secondaries a moment to pick up the record before certbot asks the CA to validate.
/usr/bin/sleep 5

manual cleanup hook

#!/bin/bash
# certbot --manual-cleanup-hook: empty the ACME include file and republish the zone.
set -e
# Named NSD_DIR rather than PATH so the shell's command lookup is not clobbered.
NSD_DIR="/var/lib/nsd"
# Same zone derivation as the auth hook (last two labels, or the name itself).
DOMAIN=$(/usr/bin/expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)') || :
if [ -z "${DOMAIN}" ]; then
        DOMAIN=${CERTBOT_DOMAIN}
fi
ZONE="${NSD_DIR}/${DOMAIN}.zone"
INC="${NSD_DIR}/${CERTBOT_DOMAIN}.zone.acme.inc"

# The $INCLUDE target must keep existing, so blank it rather than delete it.
echo "" > "${INC}"
# Bump the SOA serial again so the secondaries transfer the zone without the TXT record.
/bin/sed -i -r 's/(.*)([0-9]{10})( ; serial.*)/echo "\1$((\2+1))\3"/ge' "${ZONE}"
/usr/sbin/nsd-control reload "${DOMAIN}" >/dev/null
/usr/sbin/nsd-control notify "${DOMAIN}" >/dev/null

and with an RFC 1035 $INCLUDE directive.

As the demos are subdomains, I had to add all the wildcard domains for the 0, 2, 4, 6 and 8 subdomains.
So I changed website: www.tryton.org: ff776620490b
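The two building blocks of the hooks above (write the challenge TXT record into the $INCLUDE file, bump the SOA serial), as an added example that is not the poster's code: the serial bump is rewritten without GNU sed's "e" flag so it can be tested on its own, and it also handles the common date-based serial (YYYYMMDDnn) by restarting at today's date. The example.org zone, its contents and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the hooks posted in the thread. Zone contents and paths are constructed.
set -eu

# write_challenge INCFILE NAME VALUE: overwrite INCFILE with the single TXT record
# that certbot describes through CERTBOT_DOMAIN / CERTBOT_VALIDATION.
write_challenge() {
    printf '_acme-challenge.%s. 5 IN TXT "%s"\n' "$2" "$3" > "$1"
}

# bump_serial ZONEFILE: rewrite the "NNNNNNNNNN ; serial" field in place.
# A date-based serial (YYYYMMDDnn) older than today restarts at today + "01";
# anything else is incremented by one. Prints the new serial.
bump_serial() {
    zone=$1
    old=$(sed -nE 's/.*([0-9]{10}) ; serial.*/\1/p' "$zone" | head -n 1)
    [ -n "$old" ] || { echo "no '; serial' line in $zone" >&2; return 1; }
    today=$(date -u +%Y%m%d)
    if [ "${old%??}" -lt "$today" ]; then
        new="${today}01"
    else
        new=$((old + 1))   # 10-digit date serials never start with 0, so no octal surprise
    fi
    # Touch only the serial token on its own line; the rest of the file stays byte-for-byte.
    sed -E "s/$old( ; serial)/$new\\1/" "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# make_demo_zone DIR SERIAL: constructed zone that $INCLUDEs the ACME fragment,
# mirroring the tryton.org layout from the thread (example.org stands in for it).
make_demo_zone() {
    printf '$ORIGIN example.org.\n$TTL 3600\n@ IN SOA ns1 hostmaster (\n    %s ; serial\n    7200 3600 1209600 300 )\n@ IN NS ns1\n$INCLUDE %s/example.org.zone.acme.inc\n' "$2" "$1" > "$1/example.org.zone"
    : > "$1/example.org.zone.acme.inc"   # the $INCLUDE target must always exist
}
```

After `write_challenge` and `bump_serial`, the real hooks still need the `nsd-control reload` and `notify` calls shown in the thread.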