Overpass API developpement



[overpass] overpass-api.de with letsencyrpt certificates


Chronological Thread 
  • From: Roland Olbricht <roland.olbricht@gmx.de>
  • To: overpass@listes.openstreetmap.fr
  • Subject: [overpass] overpass-api.de with letsencyrpt certificates
  • Date: Sat, 19 Mar 2016 12:04:51 +0100

Dear all,

the public server overpass-api.de got a new certificate. I've changed the provider from StartSSL to Let's Encrypt. Please feel free to report any new problems with refused connections or certificates.

The change was necessary because the StartSSL certificate is going to expire in some days, and I didn't succeed in reconfirming to StartSSL that I am the owner of the server because StartSSL was unable to send an email to me.


As an example of a problem:

On Ubuntu 14.04 the root CA of letsencrypt isn't trusted everywhere. If you do a

wget https://overpass-api.de

you may get a message that the connection was refused. The fix is:
- download the two Letsencrypt root certificates (the base and the X1 one) [no link on purpose - it is much harder to trick a search engine than to add a rogue link to an email].
- rename them to end in *.crt and copy them to /usr/share/ca-certificates/extra/
- run "sudo dpkg-reconfigure ca-certificates"
- select the two new certificates in addition to the existing ones


For the record some notes about Letsencrypt:

It is an organisation founded by the EFF and Mozilla and has the purpose of giving free baseline certificates to everybody. They succeeded by removing the cost barrier. However, the tools to make it easier for server admins are still under development and have their caveats. For example, under Ubuntu the default tool will trigger a system update and restart, which is impractical for a server.

However, you can run

./letsencrypt-auto certonly --manual --email mail@example.com -d example.com -d www.example.com

on an arbitrary computer, including a VM. Thus you can avoid having the extra installed packages interfere with the production server. The service then authenticates you by checking that you can copy a file to the example.com server that is then accessible via HTTP.

Of the produced files, privkey.pem and fullchain.pem must be copied to the server and go to the Apache directives

SSLCertificateKeyFile /path/to/privkey.pem
SSLCertificateFile /path/to/fullchain.pem

Best regards,

Roland
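Added example, not part of the mail or of the Overpass project: the mail deliberately gives no download link for the root certificates, which leaves the reader to verify what was downloaded. This script compares the SHA-256 fingerprint of each downloaded root (the value `openssl x509 -noout -fingerprint -sha256` prints, written down from an out-of-band source) against an expected set before staging the file as `*.crt` in the directory the mail names. The `SAMPLE_PEM` value is a constructed PEM-shaped wrapper, not a real certificate, and the directories and fingerprints are assumptions to be replaced with your own.

```python
import base64
import hashlib
import re
import shutil
from pathlib import Path

# One CERTIFICATE block; a downloaded root file should contain exactly one.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample used by the test; it is NOT a real certificate,
# only a PEM-shaped wrapper around arbitrary bytes.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed sample, not a real certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def der_blocks(pem_text: str) -> list[bytes]:
    """Decode every PEM CERTIFICATE block in pem_text to its DER bytes."""
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in _PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding: what `openssl x509 -noout -fingerprint -sha256`
    prints, with the colons removed and upper-cased."""
    return hashlib.sha256(der).hexdigest().upper()


def _normalize(fp: str) -> str:
    """Accept the colon-separated form openssl prints, in either case."""
    return fp.replace(":", "").replace(" ", "").upper()


def verify_pem(pem_text: str, expected: set[str]) -> bool:
    """True only if pem_text holds exactly one certificate and its fingerprint is
    one of `expected` (values obtained from a trusted, out-of-band source)."""
    fps = [sha256_fingerprint(d) for d in der_blocks(pem_text)]
    return len(fps) == 1 and fps[0] in {_normalize(e) for e in expected}


def stage_root_certs(src_dir: Path, dest_dir: Path, expected: set[str]) -> list[Path]:
    """Copy each verified *.pem in src_dir to dest_dir as *.crt (the name and
    location update-ca-certificates expects under /usr/share/ca-certificates/extra/);
    files that fail the fingerprint check are skipped. Run
    `sudo dpkg-reconfigure ca-certificates` afterwards to select the new files."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    staged = []
    for src in sorted(src_dir.glob("*.pem")):
        if verify_pem(src.read_text(), expected):
            dst = dest_dir / (src.stem + ".crt")
            shutil.copyfile(src, dst)
            staged.append(dst)
    return staged
```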



Archive powered by MHonArc 2.6.18.
