The open-mpi.org web site was hosted by an Apache server that served several 
other IU-related domains.  So it's quite possible that they can't share the 
private key with us.

----

An update: I got the letsencrypt certificates to work on the web site, but 
there are two minor downsides:

1. They have to be renewed every three months.
2. #1 wouldn't be much of a problem, except that our hosting provider charges 
$10 to install certificates (note: we chose this type of "they do all the 
sysadmin" hosting provider specifically because we specifically do not want to 
have to sysadmin/keep patched/etc. the web server stack).

However, off-list, someone has volunteered to get 3 year certificates for us.  
We're following up with this generous donor to see if it will work out.

Stay tuned, everyone...



> On Jul 31, 2016, at 5:25 AM, Gilles Gouaillardet 
> <gilles.gouaillar...@gmail.com> wrote:
> 
> a CSR is the signature of the server public key by the certificate authority.
> 
> unless the same private key was used for https servers of open-mpi.org and 
> non open-mpi.org domains, I do not think IU providing the server key pair is 
> an issue.
> 
> Cheers,
> 
> Gilles
> 
> On Sunday, July 31, 2016, Bennet Fauber <ben...@umich.edu> wrote:
> Is the web server's private key, used to generate the CSR, also
> needed?  If so, perhaps IU cannot share that.
> 
> 
> 
> On Sat, Jul 30, 2016 at 11:09 PM, Gilles Gouaillardet
> <gilles.gouaillar...@gmail.com> wrote:
> > Jeff,
> >
> > if my understanding is correct, https requires open-mpi.org is the only
> > (httpd) domain served on port 443 for a given IP (e.g. no shared hosting)
> > a certificate is based on host name (e.g. www.open-mpi.org)  and can
> > contain wildcards (e.g. *.open-mpi.org)
> > so if the first condition is met, then you should be able to reuse the
> > certificate that was previously used at IU.
> >
> > makes sense ?
> >
> > Cheers,
> >
> > Gilles
> >
> > On Sunday, July 31, 2016, Jeff Squyres (jsquyres) <jsquy...@cisco.com>
> > wrote:
> >>
> >> I knew about letsencrypt (it's sponsored by my own company, Cisco --
> >> huzzah!).  But I (apparently foolishly) didn't think SSL was important, and
> >> didn't want to bother with figuring out how to do all the SSL-sysadmin-ish
> >> things.  :-)
> >>
> >> I just poked around with letsencrypt.org; it looks actually pretty simple
> >> (even on a hosted site where we have limited ssh access to the web server
> >> itself -- I used https://github.com/Neilpang/acme.sh and it worked like a
> >> champ).
> >>
> >> PSA: If you have an http web site, you should go look at letsencrypt.org.
> >>
> >> I'll look at getting www.open-mpi.org back to https shortly.
> >>
> >>
> >>
> >>
> >> > On Jul 30, 2016, at 12:51 PM, Craig Inches <open...@xayto.net> wrote:
> >> >
> >> > There is a free service for certificates, two that I know of in fact.
> >> >
> >> > https://www.startssl.com/ and https://letsencrypt.org/
> >> >
> >> > Startssl is more your traditional cert request process and lets encrypt is
> >> > a project for automated free certificates but if sysadmin'ing is not your
> >> > primary thing then I would say go with Start! I use them for all my sites.
> >> >
> >> > Also Durga, the SSL is at a preceding step to the redirect, it is
> >> > confirmed before establishing the http connection.
> >> >
> >> > Cheers, Craig
> >> >
> >> > On Sat, Jul 30, 2016 at 12:39:23PM -0400, dpchoudh . wrote:
> >> >
> >> > Hi Jeff and all
> >> >
> >> > Disclaimer: I know next to nothing about how the web works. Having said
> >> > that, would it not be possible to redirect an https request to a http
> >> > request? I believe apache mod-rewrite can do it. Or does this certificate
> >> > check happen even before the rewrite?
> >> >
> >> > Regards
> >> > Durga
> >> >
> >> > The woods are lovely, dark and deep; but I have promises to keep. And
> >> > kilometers to go before I sleep; and kilometers to go before I sleep.
> >> >
> >> > On Sat, Jul 30, 2016 at 12:31 PM, Jeff Squyres (jsquyres)
> >> > <[1]jsquy...@cisco.com> wrote:
> >> >
> >> > Meh.  That's a good point.  We might have to pony up the cost for
> >> > the certificates, then.  :-(
> >> > (Indiana University provided all this stuff to us for free; now that
> >> > the community has to pay for our own hosting, the funding has to
> >> > come from somewhere).
> >> > Please bear with us -- all this sysadmin/infrastructure stuff is
> >> > completely unrelated to our real jobs (i.e., software
> >> > development of Open MPI); we're doing all this migration work on
> >> > nights, weekends, and sometimes while waiting for lengthy
> >> > compiles.  We didn't think of the Google-will-have-https-links
> >> > issue.  :-\
> >> > > On Jul 30, 2016, at 12:27 PM, Bennet Fauber <[2]ben...@umich.edu> wrote:
> >> > >
> >> > > Thanks, Jeff,
> >> > >
> >> > > Just to note, though, many, many links in Google searches will have
> >> > > the https address.
> >> > >
> >> > > -- bennet
> >> > >
> >> > >
> >> > > On Sat, Jul 30, 2016 at 12:21 PM, Jeff Squyres (jsquyres)
> >> > > <[3]jsquy...@cisco.com> wrote:
> >> > >> Hmm.  Sorry about this; we just moved the web site from Indiana
> >> > >> University to Host Gator (per
> >> > >> [4]http://www.open-mpi.org/community/lists/devel/2016/06/19139.php).
> >> > >>
> >> > >> I thought I had disabled https for the web site last night when I
> >> > >> did the move -- I'll have to check into this.
> >> > >>
> >> > >> For the meantime, please just use [5]http://www.open-mpi.org/.
> >> > >>
> >> > >>
> >> > >>
> >> > >>> On Jul 30, 2016, at 11:25 AM, Bennet Fauber <[6]ben...@umich.edu> wrote:
> >> > >>>
> >> > >>> I am getting a certificate error from [7]https://www.open-mpi.org/
> >> > >>>
> >> > >>> The owner of [8]www.open-mpi.org has configured their website improperly.
> >> > >>> To protect your information from being stolen, Firefox has not
> >> > >>> connected to this website.
> >> > >>>
> >> > >>> and if I go to advanced and ask about the certificate, it says
> >> > >>>
> >> > >>> The certificate is only valid for the following names:
> >> > >>> *.[9]hostgator.com, [10]hostgator.com
> >> > >>>
> >> > >>>
> >> > >>> Is this something I have done to myself?
> >> > >>> _______________________________________________
> >> > >>> users mailing list
> >> > >>> [11]users@lists.open-mpi.org
> >> > >>> [12]https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > >>
> >> > >>
> >> > >> --
> >> > >> Jeff Squyres
> >> > >> [13]jsquy...@cisco.com
> >> > >> For corporate legal information go to:
> >> > [14]http://www.cisco.com/web/about/doing_business/legal/cri/
> >> > >>
> >> > >> _______________________________________________
> >> > >> users mailing list
> >> > >> [15]users@lists.open-mpi.org
> >> > >> [16]https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > > _______________________________________________
> >> > > users mailing list
> >> > > [17]users@lists.open-mpi.org
> >> > > [18]https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > --
> >> > Jeff Squyres
> >> > [19]jsquy...@cisco.com
> >> > For corporate legal information go to:
> >> > [20]http://www.cisco.com/web/about/doing_business/legal/cri/
> >> > _______________________________________________
> >> > users mailing list
> >> > [21]users@lists.open-mpi.org
> >> > [22]https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> >
> >> > References
> >> >
> >> >  1. jsquy...@cisco.com
> >> >  2. ben...@umich.edu
> >> >  3. jsquy...@cisco.com
> >> >  4. http://www.open-mpi.org/community/lists/devel/2016/06/19139.php
> >> >  5. http://www.open-mpi.org/
> >> >  6. ben...@umich.edu
> >> >  7. https://www.open-mpi.org/
> >> >  8. http://www.open-mpi.org/
> >> >  9. http://hostgator.com/
> >> > 10. http://hostgator.com/
> >> > 11. users@lists.open-mpi.org
> >> > 12. https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > 13. jsquy...@cisco.com
> >> > 14. http://www.cisco.com/web/about/doing_business/legal/cri/
> >> > 15. users@lists.open-mpi.org
> >> > 16. https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > 17. users@lists.open-mpi.org
> >> > 18. https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> > 19. jsquy...@cisco.com
> >> > 20. http://www.cisco.com/web/about/doing_business/legal/cri/
> >> > 21. users@lists.open-mpi.org
> >> > 22. https://rfd.newmexicoconsortium.org/mailman/listinfo/users
> >> >
> >>
> >>
> >> --
> >> Jeff Squyres
> >> jsquy...@cisco.com
> >> For corporate legal information go to:
> >> http://www.cisco.com/web/about/doing_business/legal/cri/
> >>
> >
> >


-- 
Jeff Squyres
jsquy...@cisco.com
For corporate legal information go to: 
http://www.cisco.com/web/about/doing_business/legal/cri/

_______________________________________________
users mailing list
users@lists.open-mpi.org
https://rfd.newmexicoconsortium.org/mailman/listinfo/users
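
The Firefox error quoted at the bottom of this thread is a name mismatch: the server presented a certificate whose names were `*.hostgator.com, hostgator.com` for a request to `www.open-mpi.org`. The following sketch is an added example, not part of any message in the thread; it applies simplified RFC 6125-style matching rules, and the function names and the `*.open-mpi.org` certificate are assumptions made for illustration.

```python
# Added example: simplified hostname-vs-certificate-name matching.
# The name lists used in the checks are constructed from the thread.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, pattern):
    """Return True if one certificate name entry covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if pat[0] == "*":
        # Accept '*' only as the whole left-most label, and (a simplification
        # of what browsers do) never directly above a single label: '*.com'.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, san_list):
    """Return True if any name in the certificate covers hostname."""
    return any(san_matches(hostname, p) for p in san_list)


def explain(hostname, san_list):
    """Give a short verdict in the style of the browser message."""
    if cert_covers(hostname, san_list):
        return "ok"
    return "mismatch: certificate is only valid for " + ", ".join(san_list)


if __name__ == "__main__":
    shared_host_cert = ["*.hostgator.com", "hostgator.com"]  # from the error text
    wildcard_cert = ["*.open-mpi.org"]                       # hypothetical
    for host in ("www.open-mpi.org", "open-mpi.org"):
        print(host, "|", explain(host, shared_host_cert))
        print(host, "|", explain(host, wildcard_cert))
```

Note that a wildcard certificate for `*.open-mpi.org` alone would still fail for the bare `open-mpi.org`, which is why certificates usually list both names.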
