Demo sites not available?

dave · January 27, 2020, 11:58am

I have just tried to go onto the Tryton demo sites, and my browser is complaining that the certificates are not valid.

The DNS names for the demo sites don’t appear to be in the Subject Alt Names list.

ced · January 27, 2020, 12:16pm

All demo*.tryton.org are plain HTTP. We do not manage to create a new certificate for each new version.
Despite demo.tryton.org not being setup in nginx to listen on 443, nginx still seems to serve it as if it was tryton.org.

ced · January 27, 2020, 12:21pm

It is explained in Server names
So it is using the default tryton.org which has ssl.

Any way, there is nothing more we can do here.

dave · January 27, 2020, 12:28pm

No, that’s fine.

I must have automatically typed https in when entering in the url, not realizing that they were http only. Thanks.

pokoli · January 27, 2020, 12:33pm

Maybe we can requests a wildcard certificate so we can use it for the demo sites.

This will improve the image of the demo sites as they will be also server by https.

ced · January 27, 2020, 1:44pm

wildcard certificate requires a validation via DNS. But as far as I can tell, there is no plugin to automate them with nsd.

ced · January 27, 2020, 1:48pm

Maybe it is doable with certbot-dns-rfc2136 but it is not yet packaged in Gentoo.

ced · February 1, 2020, 4:51pm

I successfully manage to get a wildcard certificate for tryton.org by using hooks. Here are for the record.

manual auth hook

#!/bin/bash
set -e
PATH="/var/lib/nsd"
DOMAIN=$(/usr/bin/expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)') || :
if [ -z "${DOMAIN}" ]; then
        DOMAIN=${CERTBOT_DOMAIN}
fi
ZONE="${PATH}/${DOMAIN}.zone"
INC="${PATH}/${CERTBOT_DOMAIN}.zone.acme.inc"

echo "_acme-challenge.${CERTBOT_DOMAIN}. 5 IN TXT \"${CERTBOT_VALIDATION}\"" > "${INC}"
/bin/sed -i -r 's/(.*)([0-9]{10})( ; serial.*)/echo "\1$((\2+1))\3"/ge' "${ZONE}"
/usr/sbin/nsd-control reload "${DOMAIN}" >/dev/null
/usr/sbin/nsd-control notify "${DOMAIN}" >/dev/null
/usr/bin/sleep 5

manual cleanup hook

#!/bin/bash
set -e
PATH="/var/lib/nsd"
DOMAIN=$(/usr/bin/expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)') || :
if [ -z "${DOMAIN}" ]; then
        DOMAIN=${CERTBOT_DOMAIN}
fi
ZONE="${PATH}/${DOMAIN}.zone"
INC="${PATH}/${CERTBOT_DOMAIN}.zone.acme.inc"

echo "" > "${INC}"
/bin/sed -i -r 's/(.*)([0-9]{10})( ; serial.*)/echo "\1$((\2+1))\3"/ge' "${ZONE}"
/usr/sbin/nsd-control reload "${DOMAIN}" >/dev/null
/usr/sbin/nsd-control notify "${DOMAIN}" >/dev/null

and with RFC 1035 $INCLUDE directive.

As demo are subdomain, I had to add all wildcard domain for 0, 2, 4, 6 and 8 subdomain.
So I changed website: www.tryton.org: ff776620490b