Subject: Overpass API developpement
List archive
- From: Roland Olbricht <>
- To:
- Subject: [overpass] overpass-api.de with letsencyrpt certificates
- Date: Sat, 19 Mar 2016 12:04:51 +0100
Dear all,
the public server overpass-api.de got a new certificate. I've changed the provider from StartSSL to Let's Encrypt. Please feel free to report any new problems with refused connections or certificates.
The change was necessary because the StartSSL certificate is going to expire in some days, and I didn't succeed to reconfirm to StartSSL that I am the owner of the server because StartSSL was unable to send an email to me.
As an example for a problem:
On Ubuntu 14.04 the root CA of letsencrypt isn't trusted everywhere. If you do a
wget https://overpass-api.de
you may get a message that the connection was refused. The fix is:
- download the two Letsencrypt root certificates (the base and the X1 one) [no link on purpose - it is much harder to trick a search engine than to add a rogue link to an email].
- rename them to end in *.crt and copy them to /usr/share/ca-certificates/extra/
- run "sudo dpkg-reconfigure ca-certificates"
- select the two new certificates in addition to the existing ones
For the record some notes about Letsencrypt:
It is an organisation founded by the EFF and Mozilla and has for purpose to give free baseline certificates to everybody. They succeeded by removing the cost barrier. However, the tools to make it easier for server admins are still under development and have their caveats. For example, the default tool will trigger under Ubuntu a system update and restart which is impractical for a server.
However, you can run
./letsencrypt-auto certonly --manual --email -d example.com -d www.example.com
on an arbitrary computer, including a VM. Thus you can avoid that the installed extra packages interfere with the production server. The service then authenticates you by checking that you can copy a file to the example.com server that is then accessible via HTTP.
Of the produced files, privkey.pem and fullchain.pem must be copied to the server and go to the Apache directives
SSLCertificateKeyFile /path/to/privkey.pem
SSLCertificateFile /path/to/fullchain.pem
Best regards,
Roland
- [overpass] overpass-api.de with letsencyrpt certificates, Roland Olbricht, 03/19/2016
- Re: [overpass] overpass-api.de with letsencyrpt certificates, mmd, 03/19/2016
- Re: [overpass] overpass-api.de with letsencyrpt certificates, mmd, 03/19/2016
- Re: [overpass] overpass-api.de with letsencyrpt certificates, Roland Olbricht, 03/19/2016
- Re: [overpass] overpass-api.de with letsencyrpt certificates, mmd, 03/19/2016
- Re: [overpass] overpass-api.de with letsencyrpt certificates, mmd, 03/19/2016
Archive powered by MHonArc 2.6.18.