From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: SSL certificate issues for git.gnus.org
Date: Mon, 14 Mar 2011 09:59:17 +0100
Message-ID: <87y64i2i3e.fsf@latte.josefsson.org>
References: <87sk71o198.fsf@lifelogs.com> <87fx2tq8nx.fsf@lifelogs.com> <87r5m6gvgb.fsf_-_@lifelogs.com> <87sjvb7p4z.fsf@lifelogs.com> <8762s7n3gq.fsf@topper.koldfront.dk> <87fwrb67zq.fsf@lifelogs.com> <87wrknlnz4.fsf@topper.koldfront.dk> <8739n80x9j.fsf@lifelogs.com> <871v2rg9g4.fsf@dod.no> <87wrkj15yb.fsf@lifelogs.com> <87bp1m3kpx.fsf@lifelogs.com> <87lj0ne2cq.fsf@latte.josefsson.org> <877hc663xo.fsf@latte.josefsson.org> <87sjuuiqj0.fsf@lifelogs.com> <87lj0mfbca.fsf@latte.josefsson.org>
To: ding@gnus.org
In-Reply-To: (Lars Magne Ingebrigtsen's message of "Sun, 13 Mar 2011 23:24:16 +0100")
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/23.2 (gnu/linux)

Lars Magne Ingebrigtsen writes:

> Simon Josefsson writes:
>
>> I have made the request -- but Lars will need to approve it.
>
> (Sorry for the tardy response -- I've been building Ikea shelves for a
> week now.)
>
> I got the cacert email, and clicked through, and it said
>
> "Your domain has been verified. You can now start issuing certificates
> for this domain."

Thanks -- it seems approved alright.

>> Lars, to generate the git.gnus.org certificate, please run something
>> like this and send me the CSR at the bottom (it is fine to post to the
>> list, it is not security sensitive) and I'll paste the request through
>> cacert and get a certificate back:
>
> PKCS #10 Certificate Request Information:

Thanks, here is the certificate:

-----BEGIN CERTIFICATE-----
MIIE0TCCArmgAwIBAgIDAMjmMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTEwMzE0MDg1MTEyWhcNMTMwMzEz
MDg1MTEyWjAXMRUwEwYDVQQDEwxnaXQuZ251cy5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC3t+RplIRbxvdt6FtrGy1IJFTrHz5g5Jnx80yja/4M
kyVcqOM8BO1bbCysTyobmnext5F1U9cJ0oLnCwa20Sm79PyzUvsp1iscw2CDgmlb
SpOashuWgE48N7i2NmMYHgzKzGyn8sqOJvbazsxrK3E7s1dVcjqDctii0hOmdGZ7
JKxA02blVLbfvXK1xvZL5X77tcW9WX+H3Vr4FuE6K+3vJPlUyNefa5rJ0FRqcLbV
k4oc+ZrfFDrSBfhXsiEvpgQdwviU573992A+jlnG/cSFFMTD4cdKOM3OjZjAMRHX
t2SuQt3wJ9vb2Uex/zGRNoNz8fByjPrBtWjMO9cz6X29AgMBAAGjgegwgeUwDAYD
VR0TAQH/BAIwADA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG
+EIEAQYKKwYBBAGCNwoDAzALBgNVHQ8EBAMCBaAwMwYIKwYBBQUHAQEEJzAlMCMG
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzBdBgNVHREEVjBUggxn
aXQuZ251cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnggxnaXQuZ251
cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnMA0GCSqGSIb3DQEBBQUA
A4ICAQBEQ0M46NbqXlYYjSi+RH/wQ/Z4gbtLKG5uHZSV3V7RUUl6IgerXPDiGkF0
CwPXzD2K7A/qRWtsR9ymxDqyMYpBZMpP7dzIN5AJzAuIaUUCBoU3CIwLHOlirAyx
1Ks+qLfQFQ7CI3gnpebzkdC/QGMd4R+AaCMzvW10Gvg2V6xyfhreQ43g6zj5jLpQ
mcylstzvGrnN6I+YjL6FVOAD6zYNX+rxy/Q0YdXM8u0Tz1lMe1SDx6XGwojdH1uf
9eUTIB0J0+woKm+VIrrKcSWxKCnzUpSfw7985No+uuxzRhqD58rXOQrjkddQcXlk
Wxf5QXqXuLYl5rGrQFSDBONDKuOIN30908JUidzsuWHBzUWQ+9rom2hvRq+NeYWf
vjdtADDt8+cAsmw6FMDaqpf867J5TOeV5KA2BbTXb/V5rfe0kNAwPSKbHs7aUPsS
3SPdeCEGemV+J0WcB3MfhvvkaFwVclTr41FToX4ECFVuIJTfN8ZKdT74/XsrVGM9
a+jmmELarhpfLR4c2HexaACkn+GyNMuFOo9tDyg/W/uWrJjbrK2RKZynulP6C9O4
23Zv08PB1Sy7hikZSMhBNJiEr36G+peqc/0qFweVUcIg/2saZMhDzJf8P8xnPgzL
+Kwzb5FCUZpauiEH9YRyta5MlcRHTER7G2yWLH0LBVNwBz0KcA==
-----END CERTIFICATE-----

It is not strictly needed, but you may want to make the web server send
the following as an intermediate certificate too:

http://www.cacert.org/certs/class3.txt

Then clients only have to trust the root CACert CA without also knowing
the intermediate CACert certificate.  I suspect most clients already
trust the intermediate CACert CA anyway though.

If you are using apache with mod_gnutls (Debian libapache2-mod-gnutls)
just concatenate the git.gnus.org PEM blob above with the PEM blob in
the URL above into a text file and then point to the files like this:

GnuTLSEnable on
GnuTLSCertificateFile /etc/ssl/private/git.gnus.org-chain.pem
GnuTLSKeyFile /etc/ssl/private/git.gnus.org-key.pem
GnuTLSPriorities NORMAL

/Simon
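A check for the concatenated chain file described in the message, added here as an example; it is not part of the original message and not code from mod_gnutls or CAcert. It is a standard-library Python script: a minimal DER walker pulls subject, issuer and validity out of each PEM block, then the bundle is checked for the order a TLS server needs (server certificate first, then the certificate that issued it, and so on), the issuer the file stops at is reported (that one has to be in the client's trust store), and certificates outside their validity period are flagged. The embedded sample input is the git.gnus.org certificate from this message; the class3 intermediate is not embedded, so on that input the report shows the chain stopping at the "CAcert Class 3 Root" issuer, which is exactly the case where appending class3.txt helps. All function and variable names are this example's own.

```python
import base64, re
from datetime import datetime

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",  # DER OID -> DN attribute
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos=0):
    # One DER tag-length-value at buf[pos] -> (tag, value, end offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_children(value):
    # Split a constructed value into (tag, inner value, raw TLV bytes) children
    out, pos = [], 0
    while pos < len(value):
        tag, inner, end = read_tlv(value, pos)
        out.append((tag, inner, value[pos:end]))
        pos = end
    return out

def name_to_str(name_value):
    # X.501 Name = SEQUENCE OF SET OF {OID, value}; rendered as 'O=...,CN=...'
    parts = []
    for _, rdn_set, _ in read_children(name_value):
        for _, atv, _ in read_children(rdn_set):
            (_, oid, _), (_, val, _) = read_children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, 'OID:' + oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_time(tag, value):
    # UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), both ending in Z
    return datetime.strptime(value.decode("ascii"), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def parse_certificate(der):
    # Pull subject, issuer and validity out of one DER certificate; the *_der entries keep
    # the raw Name encodings so chain links can be compared byte-for-byte
    _, cert, _ = read_tlv(der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = read_tlv(cert)
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version, present on v3 certificates
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb, _), (na_tag, na, _) = read_children(validity[1])
    return {"subject": name_to_str(subject[1]), "issuer": name_to_str(issuer[1]),
            "subject_der": subject[2], "issuer_der": issuer[2],
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

def parse_pem_bundle(text):
    # Every PEM CERTIFICATE block in text, in file order
    return [parse_certificate(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(text)]

def check_chain(pem_text, now=None):
    # Is the file ordered leaf, then its issuer, then that issuer's issuer? Which issuer does it
    # stop at (the client must already trust that one)? If now is given, is each cert valid then?
    certs = parse_pem_bundle(pem_text)
    problems, order_ok = [], bool(certs)
    for i in range(len(certs) - 1):
        if certs[i]["issuer_der"] != certs[i + 1]["subject_der"]:
            order_ok = False
            problems.append(f"certificate {i} ({certs[i]['subject']}) was issued by "
                            f"{certs[i]['issuer']}, but certificate {i + 1} is {certs[i + 1]['subject']}")
    last = certs[-1] if certs else None
    missing = last["issuer"] if last and last["issuer_der"] != last["subject_der"] else None
    for c in certs if now is not None else []:
        if not c["not_before"] <= now <= c["not_after"]:
            problems.append(f"{c['subject']} is not valid on {now:%Y-%m-%d} (valid "
                            f"{c['not_before']:%Y-%m-%d} to {c['not_after']:%Y-%m-%d})")
    return {"order_ok": order_ok, "problems": problems,
            "chain": [c["subject"] for c in certs], "missing_issuer": missing}

# Sample input: the git.gnus.org certificate posted in the message above (real, long expired).
GIT_GNUS_PEM = """-----BEGIN CERTIFICATE-----
MIIE0TCCArmgAwIBAgIDAMjmMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTEwMzE0MDg1MTEyWhcNMTMwMzEz
MDg1MTEyWjAXMRUwEwYDVQQDEwxnaXQuZ251cy5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC3t+RplIRbxvdt6FtrGy1IJFTrHz5g5Jnx80yja/4M
kyVcqOM8BO1bbCysTyobmnext5F1U9cJ0oLnCwa20Sm79PyzUvsp1iscw2CDgmlb
SpOashuWgE48N7i2NmMYHgzKzGyn8sqOJvbazsxrK3E7s1dVcjqDctii0hOmdGZ7
JKxA02blVLbfvXK1xvZL5X77tcW9WX+H3Vr4FuE6K+3vJPlUyNefa5rJ0FRqcLbV
k4oc+ZrfFDrSBfhXsiEvpgQdwviU573992A+jlnG/cSFFMTD4cdKOM3OjZjAMRHX
t2SuQt3wJ9vb2Uex/zGRNoNz8fByjPrBtWjMO9cz6X29AgMBAAGjgegwgeUwDAYD
VR0TAQH/BAIwADA0BgNVHSUELTArBggrBgEFBQcDAgYIKwYBBQUHAwEGCWCGSAGG
+EIEAQYKKwYBBAGCNwoDAzALBgNVHQ8EBAMCBaAwMwYIKwYBBQUHAQEEJzAlMCMG
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzBdBgNVHREEVjBUggxn
aXQuZ251cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnggxnaXQuZ251
cy5vcmegGgYIKwYBBQUHCAWgDgwMZ2l0LmdudXMub3JnMA0GCSqGSIb3DQEBBQUA
A4ICAQBEQ0M46NbqXlYYjSi+RH/wQ/Z4gbtLKG5uHZSV3V7RUUl6IgerXPDiGkF0
CwPXzD2K7A/qRWtsR9ymxDqyMYpBZMpP7dzIN5AJzAuIaUUCBoU3CIwLHOlirAyx
1Ks+qLfQFQ7CI3gnpebzkdC/QGMd4R+AaCMzvW10Gvg2V6xyfhreQ43g6zj5jLpQ
mcylstzvGrnN6I+YjL6FVOAD6zYNX+rxy/Q0YdXM8u0Tz1lMe1SDx6XGwojdH1uf
9eUTIB0J0+woKm+VIrrKcSWxKCnzUpSfw7985No+uuxzRhqD58rXOQrjkddQcXlk
Wxf5QXqXuLYl5rGrQFSDBONDKuOIN30908JUidzsuWHBzUWQ+9rom2hvRq+NeYWf
vjdtADDt8+cAsmw6FMDaqpf867J5TOeV5KA2BbTXb/V5rfe0kNAwPSKbHs7aUPsS
3SPdeCEGemV+J0WcB3MfhvvkaFwVclTr41FToX4ECFVuIJTfN8ZKdT74/XsrVGM9
a+jmmELarhpfLR4c2HexaACkn+GyNMuFOo9tDyg/W/uWrJjbrK2RKZynulP6C9O4
23Zv08PB1Sy7hikZSMhBNJiEr36G+peqc/0qFweVUcIg/2saZMhDzJf8P8xnPgzL
+Kwzb5FCUZpauiEH9YRyta5MlcRHTER7G2yWLH0LBVNwBz0KcA==
-----END CERTIFICATE-----
"""
```

To check the real file, call check_chain(open("/etc/ssl/private/git.gnus.org-chain.pem").read(), now=datetime.utcnow()). With class3.txt appended after the server certificate, order_ok stays true and missing_issuer moves up to whatever issued the class 3 certificate, i.e. the CAcert root the clients are expected to trust; with the two blocks in the wrong order the report names the mismatch. The raw Name DER is compared rather than the rendered strings, so two names that merely print alike do not pass as a chain link.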