Talk:SAC Meeting 2018-05-10

From OSGeo
Revision as of 02:41, 29 April 2018 by Robe (talk | contribs)
   07:00:09	robe2:	meeting starting now
   07:00:36	MartinSpott:	robe2: is anybody here except us two ? ;-)
   07:00:43	robe2:	Guess first topic is hardware. But Alex isn't here
   07:01:15	robe2:	I know he said he was going to send for purchase since no -1s, does any one know if he's done that
   07:02:20	robe2:	MartinSpott TemptorSent is here I think
   07:02:36	MartinSpott:	The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
   07:02:45	markusN:	Morning!
   07:02:47	MartinSpott:	Moggeeeen !
   07:02:53	robe2:	Hi Markus
   07:03:00	MartinSpott:	repeating myself:
   07:03:02	MartinSpott:	The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
   07:03:25	MartinSpott:	That's fine with me, if nobody objects
   07:04:31	robe2:	MartinSpott I thought it still had SSD via the Optane component.
   07:04:39	MartinSpott:	Ah, now I see
   07:04:46	MartinSpott:	*** Additional ....
   07:05:04	MartinSpott:	fine, go for it
   07:05:24	robe2:	I'm a bit clueless about the whole Optane thing
   07:05:45	MartinSpott:	I suspect it's "cool" ;-)
   07:05:49	robe2:	but there seemed to be hardware whores arguing so I figured they'd come up with something good
   07:06:07	MartinSpott:	At least it doesn't hurt
   07:06:45	robe2:	Next topic funtoo. Too bad TemptorSent couldn't keep his eyes open :)
   07:06:56	TemptorSent:	Hello MartinSpott!
   07:07:11	robe2:	TemptorSent you're alive and awake :)
   07:07:14	TemptorSent:	Hello all.
   07:07:17	markusN:	hi TemptorSent
   07:07:27	MartinSpott:	Do we still need to retire one of the old machines before activating the new one ?
   07:07:33	MartinSpott:	Hi TemptorSent
   07:07:35	robe2:	MartinSpott no
   07:07:49	robe2:	OSUOSL said they have plenty of space last I recall
   07:08:04	MartinSpott:	Oh, how nice
   07:08:25	robe2:	so this will be an extra we can start moving stuff to at our own pace
   07:08:45	TemptorSent:	That's refreshing.
   07:09:07	robe2:	any more questions about Optane - TemptorSent I think knows a lot about it as he was one of the whores arguing
   07:10:19	robe2:	okay guess no more questions - next topic funtoo host
   07:10:26	MartinSpott:	go ahed
   07:10:28	MartinSpott:	ahead
   07:10:39	robe2:	MartinSpott you know what SSL ldap.osgeo.org is using?
   07:11:03	MartinSpott:	wait a second, I'm mixing names
   07:11:04	robe2:	I was trying to setup SSH via LDAP on funtoo, but ldapsearch is failing with key not trusted
   07:11:18	MartinSpott:	the former was COMODO I think, the current is ....
   07:12:05	robe2:	that's what I thought. As when I copied over the osgeo star bundle from osgeo6 and put on other servers I had setup and set in ldap.config it worked fine
   07:12:17	robe2:	I had done the same on funtoo and it didn't work.
   07:12:27	TemptorSent:	TLS trace: SSL_connect:SSLv3 read server hello A
   07:12:27	TemptorSent:	TLS certificate verification: depth: 2, err: 2, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   07:12:27	TemptorSent:	TLS certificate verification: Error, unable to get issuer certificate
   07:12:27	TemptorSent:	TLS trace: SSL3 alert write:fatal:unknown CA
   07:12:35	robe2:	TemptorSent it occurred to me maybe it's not using the bundle I referenced
   07:12:47	TemptorSent:	TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
   07:13:11	robe2:	TemptorSent is there a way to tell which bundle. Maybe it's cache
   07:13:13	robe2:	cached
   07:13:31	TemptorSent:	Hmm, I don't recall off hand.
   07:13:36	robe2:	I had originally used the ca-certificates one I saw in the folder and when that didn't work I downloaded the one I use
   07:14:57	robe2:	MartinSpott TemptorSent can you see this page - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
   07:15:01	MartinSpott:	didn't the star package contain the entire bundle ?
   07:15:14	robe2:	MartinSpott yes it did
   07:15:26	robe2:	and it worked on all the debians I have setup
   07:15:39	TemptorSent:	Yeah, I'm only seeing two signatures in that bundle.
   07:15:51	robe2:	so I suspect this is a funtoo specific issue that it's using some other barebones bundle rather than the one I specified in ldap.config
   07:16:23	robe2:	This is the file I changed - /etc/openldap/ldap.conf
   07:16:30	TemptorSent:	It should be using the system pems I would think, which have a cert for AddTrust it appears
   07:16:49	robe2:	I know it's at least reading it for ldap.osgeo.org since to do the ldapsearch I don't need to specify the -H
   07:17:08	TemptorSent:	Ahh, /etc/ssl/openssl.cnf :)
   07:17:50	robe2:	ah okay I wonder if maybe that's always used and I had thought it was the ldap one used, but others had an already full bundle
   07:18:09	robe2:	TemptorSent did you just edit that or you want me to?
   07:18:17	TemptorSent:	I have not edited.
   07:18:26	robe2:	okay I'll edit
   07:18:56	robe2:	MartinSpott can you check to see if you can get into the funtoo server -- it's tech_dev@funtoo.osgeo.org
   07:19:04	robe2:	hopefully I didn't screw up adding your key
   07:19:23	MartinSpott:	looks like I'm in
   07:19:57	MartinSpott:	BTW, where can I read more about OSGeo using FunToo containers ?
   07:20:08	MartinSpott:	There wasn't much I could find
   07:21:16	TemptorSent:	We haven't gotten much written up as of yet other than meeting logs and some notes.
   07:21:25	MartinSpott:	ok
   07:21:41	robe2:	https://www.funtoo.org/LXD#PART_II_-_LXD_Installation
   07:21:42	sigabrt:	Title: LXD - Funtoo (at www.funtoo.org)
   07:21:45	MartinSpott:	To me the intention isn't clear, that why I was asking
   07:22:13	robe2:	oh we were going to put NextCloud, Weblate
   07:22:29	robe2:	basically things we want to experiment with and once they are good we could move to osuosl
   07:22:36	MartinSpott:	Is it "container as a paid service" ?
   07:22:53	TemptorSent:	Funtoo is providing a fairly substantial amount of resources and infrastructure for us to build out and stage some of our services.
   07:22:54	robe2:	though in future we may use it for production stuff,right now just experiments
   07:23:26	robe2:	MartinSpott well technically they aren't charging us for use of hardware, but if we like we'd give them some sort of donation like we do for OSUOSL
   07:23:31	TemptorSent:	MartinSpott - At the moment, it's being provided as an in-kind donation.
   07:23:42	MartinSpott:	I see
   07:23:45	strk:	hi
   07:23:49	robe2:	So they gave us a host container and we are doing the lxd within lxd thing
   07:23:50	TemptorSent:	hi strk :)
   07:23:51	strk:	are you in a meeting ?
   07:23:54	MartinSpott:	strk: Moin
   07:23:59	strk:	hi MartinSpott
   07:24:00	TemptorSent:	Good timing!
   07:24:01	robe2:	hi strk we were just discussing funtoo with MartinSpott
   07:24:06	markusN:	hi strk
   07:24:09	strk:	hey
   07:24:13	MartinSpott:	"lxd within lxd", really ?
   07:24:14	robe2:	and I was still fiddling with setting up ldap ssh
   07:24:18	strk:	ouch, I wanted to take a quick look, now I seem to be stuck :P
   07:24:44	robe2:	strk you can get in tech_dev@funtoo.osgeo.org
   07:24:47	TemptorSent:	MartinSpott Yep, nested containers.
   07:25:11	robe2:	I don't have the ldap ssh configured yet. I ran into a stumbling block which TemptorSent might have figured out so going to try
   07:25:34	robe2:	strk you can get to here - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
   07:25:43	TemptorSent:	Yeah, I don't recall how openssl wants to handle bundles by default.
   07:26:26	robe2:	TemptorSent so in theory if I build local containers -- e.g. if I get this hardware thing - https://antsle.com/
   07:26:28	sigabrt:	Title: antsle: The Private Cloud Server, Designed for Developers. (at antsle.com)
   07:26:50	TemptorSent:	Yeah, I was looking at that -- pretty slick case!
   07:26:56	robe2:	I can copy over the containers etc. It looks like a cute device and cheap end is only $1000 so was going to get it for my dev experiments
   07:27:13	robe2:	yah its so cute and Leo was sold on no noise :)
   07:27:14	TemptorSent:	I almost bought one of those -D boards a while back, but it was too much money at the time.
   07:27:40	TemptorSent:	They've gotten more reasonable it seems, but memory went the other way.
   07:28:49	TemptorSent:	No noise would be nice.
   07:29:10	MartinSpott:	robe2: which sort of LDAP authentication did you try to establish ?
   07:29:44	robe2:	well I just did an ldapsearch
   07:29:59	MartinSpott:	ah, and it failed ?
   07:30:10	robe2:	I don't think I have all the pieces in place yet cause I was trying to map the packages to gentoo / funtoo and they namespace theirs
   07:30:25	TemptorSent:	robe2 -- um, check that ldap config again perhaps?
   07:30:48	robe2:	so for example I had installed sudo emerge sys-auth/nss-pam-ldapd
   07:31:07	robe2:	I assume that combines both the nss-ldapd and pam-ldapd that we normally install
   07:31:22	MartinSpott:	nss != pam
   07:31:25	robe2:	MartinSpott yah with the ssl key can't be authenticated
   07:31:57		* markusN just FYI: on and off here, mainly for nextcloud item
   07:32:08	robe2:	MartinSpott I know that but looks like they combined the packages in funtoo -- you saw link I posted above?
   07:32:22	MartinSpott:	robe2: no, password protected ....
   07:32:33	robe2:	?
   07:33:28	robe2:	so I still need - sudo emerge sys-auth/pam-ldap
   07:33:42	TemptorSent:	Nextcloud is up in a subcontainer :)
   07:33:43	MartinSpott:	The gitea page you posted above is password protected - which annoys me, I just didn't complain
   07:33:48	robe2:	that one didn't have an ldapd at the end and I thought you had mentioned the one without ldapd is old
   07:34:16	robe2:	MartinSpott oh are you able to get in? all osgeo folks should be able to.
   07:34:33	MartinSpott:	yup, pam/nss_ldap runs as root which is why GnuTLS complains
   07:35:00	robe2:	I can unprotect the repo nothing secret in there anyway. Want me to do that
   07:35:00	MartinSpott:	pam/nss_ldap*d* uses a user-space daemon
   07:35:43	MartinSpott:	robe2: It's up to you
   07:35:59	robe2:	MartinSpott what do you recommend?
   07:36:32	MartinSpott:	I just think that having a second Wiki and making common stuff password-protected is, well, not very elegant
   07:36:33	robe2:	I'm still a bit clueless about what each role plays
   07:37:06	robe2:	Well it's specific to funtoo at moment so not quite so common :)
   07:37:29	MartinSpott:	a *third* Wiki, BTW
   07:37:44	robe2:	you mean cause we have trac too :)
   07:37:59	robe2:	Yah strk was arguing with me about that too :)
   07:38:29	robe2:	gitea wiki is a lot easier to edit than wiki.osgeo.org (e.g. I can do shift tab and move a whole stream of text)
   07:38:40	MartinSpott:	osgeo ~ # nc -nv ldap.osgeo.org ldaps
   07:38:40	MartinSpott:	Can't parse ldap.osgeo.org as an IP address
   07:39:01	robe2:	and .. I liked the idea of having the page that described setup of server be with the configs we will eventually store
   07:39:21	TemptorSent:	osgeo /etc/openldap # ping ldap.osgeo.org
   07:39:21	TemptorSent:	PING ldap.osgeo.org (140.211.15.58) 56(84) bytes of data.
   07:39:21	TemptorSent:	64 bytes from secure.osgeo.osuosl.org (140.211.15.58): icmp_seq=1 ttl=52 time=49.6 ms
   07:39:57	TemptorSent:	robe2 I can't disagree with that last, but we should probably consider standardizing that across all our config repos then.
   07:40:00	MartinSpott:	TemptorSent: yes, but apparently there's still something wrong with the resolver
   07:40:36	TemptorSent:	Noted. We can poke at that out of band.
   07:40:55	MartinSpott:	Agreed
   07:41:09	MartinSpott:	Note that this might be the root cause
   07:41:11	TemptorSent:	robe2, shall we move on to Nextcloud?
   07:41:16	robe2:	yes
   07:41:19	TemptorSent:	MartinSpott Agreed.
   07:41:24	robe2:	markusN you around
   07:41:56	MartinSpott:	Markus ! Markus ! Markus !
   07:42:00	MartinSpott:	;-)
   07:42:07	robe2:	I think markusN wanted to be involved in the talk hate to start without him being awake
   07:42:16	MartinSpott:	markusN: Oh, please get back to us
   07:42:31	MartinSpott:	Next time we're having a beer I promise not to be late again ;-)
   07:42:57	robe2:	even beer is not waking him hope.
   07:43:03	TemptorSent:	Okay, let's give him a few to notice his ears are burning.
   07:43:04	robe2:	markusN is hopelessly out of it.
   07:43:22	MartinSpott:	robe2: Coffee might be more appropriate at this time of day
   07:43:26	robe2:	Let's skip nextcloud and go on to next topic and when he wakes up we can go back to it
   07:43:55	robe2:	next topic is the whole managing word press thing
   07:43:55	MartinSpott:	robe2: I suspect it's already past midnight in your place, right ?
   07:44:04	robe2:	jive[m] any chance you are awake?
   07:44:15	robe2:	it's 3:44 AM
   07:44:24	MartinSpott:	ouch
   07:44:32	MartinSpott:	sorry about that
   07:44:39	robe2:	but I'm wide awake my sleep schedule is not normal
   07:45:11	robe2:	it's not even a regular sleep
   07:45:16	TemptorSent:	I'm on a second wind here :)
   07:45:45	robe2:	anyway getting back to gitea wordpress thing for foss4g2018 we are managing their main site now
   07:46:39	robe2:	I had setup a production and staging on web18a and just configure cron to pull every 5 minutes / prod /staging in gitea https://git.osgeo.org/gitea/osgeo/FOSS4G2018_WordPress
   07:46:53	robe2:	I think that is working okay for them. Was going to do the same for www.osgeo.org
   07:47:21	robe2:	strk and TemptorSent I presume you think we should have a production and staging branch
   07:47:37	robe2:	and strk of course expects me to learn to do webhooks right
   07:48:12	robe2:	MartinSpott have any thoughts on that or have no opinion
   07:48:19	MartinSpott:	I
   07:48:46	MartinSpott:	I'm still trying to figure out how the setup actually looks like
   07:48:55	TemptorSent:	Yes, I think it is wise to have an active 'live' branch, a 'staging' branch, and a 'testing' branch for messing around with.
   07:48:59	MartinSpott:	but I think I'm not much involved at all
   07:49:27	strk:	sorry I was distracted
   07:49:32	robe2:	right now its a very dumb setup
   07:49:42	MartinSpott:	The main website runs on a VM and it's hosting FOSS4G as well, correct ?
   07:49:55	strk:	MartinSpott: I'd love to hear a summary of what's going on with your osgeo work
   07:50:02	robe2:	for FOSS4G2018 it's just a cron git pull for staging / production branches that runs every 5 minutes on the server
   07:50:05	strk:	but probably an email would be best
   07:50:28	strk:	like, any advancement in dismissing those VMs we were supposed to drop looong ago ?
   07:50:31	robe2:	for www.osgeo.org it's not really under git at all, I have to synch it (so that shouldn't be too bad) since it's the same files
   07:50:57	robe2:	it's only the themes and some basic configs I have under git cause all the plugins change too frequently and are updated whenever a security update
   07:51:19	robe2:	strk what vms the cloudvps.com?
   07:51:37	robe2:	I sent them a note saying stop billing us we want to end service (granted I should have done that a month ago)
   07:51:44	strk:	robe2: osgeo3 or was it osgeo4
   07:51:55	strk:	or both ?
   07:52:02	robe2:	oh you are talking about those
   07:52:16	strk:	yeah, those things that end up being open issues for decades...
   07:52:23	strk:	like Wiki/LDAP
   07:52:23	robe2:	MartinSpott know what's going on with those. I presume we still have them and some things offloaded
   07:52:38	strk:	it's fun to open new things but maintenance should also involve closing others :)
   07:52:45	robe2:	that was going to be next topic
   07:53:10	MartinSpott:	Unfortunately my OSGeo work got lower priority for a couple of weeks due to internal project work at the company. Hopefully that'll change after May 9th
   07:53:12	strk:	great (I thought the meeting was basically over :)
   07:53:26	markusN:	now back
   07:53:29	robe2:	strk no we are only half way thru items
   07:53:45	robe2:	markusN we saved nextcloud for you so now we can switch back to nextcloud
   07:54:06	robe2:	TemptorSent anything to report on Nextcloud front?
   07:54:32	markusN:	cool. thanks much :-)
   07:54:56		* markusN had a quick family gathering in the kitchen, to not de-socialize completely at home :p
   07:55:08	TemptorSent:	No problem markusN.
   07:55:09	robe2:	:)
   07:55:42	MartinSpott:	one half of our family is still asleep
   07:55:51	markusN:	same here
   07:55:55	robe2:	last we left off we were having issues with ldap
   07:56:11	robe2:	though I think maybe the issues are related to the other ldap issue MartinSpott mentioned
   07:56:15		* strk is alone today
   07:56:17	strk:	just dog
   07:56:43	TemptorSent:	Okay, so what we have currently for Nextcloud is essentially a minimally configured host with nextcloud and all of its deps happily installed sitting in a lxd subcontainer.
   07:56:45	robe2:	just dog a small dog or big one
   07:56:45	strk:	I don't remember if ldap was self-signed
   07:56:51	strk:	small dog
   07:57:00	robe2:	strk I don't think it was self-signed
   07:57:13	strk:	so Nextcloud is giving file space to all OSGeo users ?
   07:57:22	strk:	or does it support any "groups" ?
   07:57:26	TemptorSent:	It's intended for board use.
   07:57:28	robe2:	MartinSpott thinks it uses comodo. so issue on funtoo is the cert bundle it's using is missing a lot of authorities
   07:57:37	strk:	is there a board LDAP group ?
   07:57:51	strk:	or are groups managed locally for nextcloud ?
   07:57:57	strk:	(like gitea implements its own groups)
   07:58:41	robe2:	I forget if I saw board or not
   07:58:42	robe2:	https://osgeo.host.funtoo.org/nextcloud/
   07:58:43	TemptorSent:	I believe the certs on the host are current and based on debians, so that shouldn't be the issue there.
   07:58:56	strk:	still not nextcloud.osgeo.org ?
   07:59:00	robe2:	when I logged in with admin account I was able to get the query of all the groups and users from ldap
   07:59:22	strk:	untrusted SSL cert, with both URLs
   07:59:29	markusN:	(just FYI/OT: the German gov switches with 300k users to nextcloud, see eg https://www.heise.de/ix/meldung/Bundescloud-Open-Source-mit-Nextcloud-statt-Dropbox-oder-Google-Drive-4026111.html )
   07:59:31	sigabrt:	Title: Bundescloud: Open-Source mit Nextcloud statt Dropbox oder Google Drive | iX (at www.heise.de)
   07:59:35	TemptorSent:	I haven't setup the rewrite for that, but feel free.
   07:59:38	strk:	300k, wow!
   07:59:38	markusN:	I hope it will be eventually nextcloud.osgeo.org
   07:59:51	markusN:	300k _gov_ users :-)
   07:59:52	robe2:	strk that just points at nginx. We haven't gotten the internal routing on the container working yet
   08:00:18	strk:	nor letsencrypt, looks like
   08:00:23	robe2:	but yes nextcloud.osgeo.org is a CName for osgeo.host.funtoo.org
   08:00:25	TemptorSent:	Actually, it's passing through fine :)
   08:00:37	robe2:	so once we have the internal thingy working we'll be all set
   08:00:44	strk:	I didn't force Firefox to load it
   08:00:53	markusN:	what is the issue with letsencrypt (just curious)
   08:00:58		* strk is stubborn, no self-signed certs >:(
   08:01:08	robe2:	TemptorSent so can you change it so https://nextcloud.osgeo.org is exposed to the nextcloud
   08:01:14	TemptorSent:	We just need to generate a request for it and dump it on the webserver to get the key.
   08:01:17	strk:	right, it's so easy with apache - my guess: issue is these kids want to use something "cooler" :P
   08:01:18	robe2:	then we can get a letsencrypt cert for it
   08:01:36	markusN:	that's easy indeed with apache
   08:01:38	TemptorSent:	robe2 it's just a nginx rewrite rule in the outer container I believe
   08:01:47	strk:	seriously, did you want to try the centralized approach TemptorSent ?
   08:01:55	strk:	MartinSpott: TemptorSent was thinking about putting all certs on the same machine
   08:02:01	strk:	markusN: ^
   08:02:07	strk:	(wrong nick completion)
   08:02:18	TemptorSent:	All cert requests anyway.
   08:02:27	strk:	ah, right
   08:02:31	strk:	feels better
   08:02:41	strk:	so certs are still local, just the "letsencrypt" setup would be centralized
   08:02:47	strk:	right, was that the idea ?
   08:02:49	TemptorSent:	Yup.
   08:02:55	MartinSpott:	strk: do you mean putting all certs on the main host container and terminating SSL there ?
   08:02:59	robe2:	this seems like a surprisingly good time to meet :)
   08:03:37	robe2:	though I guess we should alternate cause this is a time I think jive[m] and wildintellect can't make
   08:03:48	TemptorSent:	No MartinSpott - just having letsencrypt updater running on a single host and having the various servers pass through the WKT url.
   08:03:55	strk:	we've to balance maintainability, I mean... for SAC members (current and future) it should be easy to deal with / troubleshoot etc.
   08:04:01	strk:	so if you do anything complex it should be carefully documented on the wiki
   08:04:32	strk:	robe2: indeed, I was really only here by chance :)
   08:04:49	MartinSpott:	TemptorSent: I have to admit I don't know how this is supposed to work - simply because I don't know much about letsencrypt mechanics
   08:05:16		* markusN has only certbot experience
   08:05:36		* robe2 only has certbot experience
   08:05:41	TemptorSent:	Yeah, we'd just let certbot run in standalone mode on a single host (secure?)
   08:05:59	robe2:	but it would need to impersonate all the subdomains
   08:06:04	robe2:	right
   08:06:18	TemptorSent:	Then the individual servers expose the WKT as a passthrough to that.
   08:06:23	robe2:	so not clear how that bit would work if we aren't getting a wildcard cert
   08:06:42	TemptorSent:	Because each server would have the correct WKT for its request.
   08:06:47	robe2:	wildintellect seemed against a wildcard cert not clear what his argument was about it too easy to compromise
   08:06:58	robe2:	WKT?
   08:07:01	TemptorSent:	Wildcard certs are a bad idea.
   08:07:02	markusN:	did anyone already try letsencrypt's wildcard support?
   08:07:17	markusN:	oh
   08:07:19	MartinSpott:	I simply need to understand the meaning of this WKT in this context
   08:07:33	robe2:	sorry all I think of is well-known text which I presume is not what that acronym stands for in this context
   08:07:40	TemptorSent:	Well Known Text -- essentially. The URL that letsencrypt checks to see if you indeed control your host.
   08:07:59	MartinSpott:	ah
   08:08:25	robe2:	but doesn't the url have to reside on the domain asking?
   08:08:28	MartinSpott:	But you still need to provide a certificate on every instance which is terminating SSL
   08:08:32	MartinSpott:	correct ?
   08:08:38	TemptorSent:	Right.
   08:08:42	robe2:	so don't see how that would work unless everything proxies thru secure
   08:08:44	TemptorSent:	Just a single certbot instance.
   08:08:45	strk:	so each server would have to setup an alias/redirect for the /.well-known/acme-challenge/ url
   08:08:55	strk:	to be served by the centralized letsencrypt service
   08:08:55	robe2:	ah
   08:08:56	TemptorSent:	Yup.
   08:08:57	strk:	right ?
   08:09:11	robe2:	okay that makes sense now okay understood
   08:09:18	MartinSpott:	TemptorSent: "Yup" to proxying ?
   08:09:41	TemptorSent:	Alias/proxy that single URL
   08:09:49	robe2:	so that folder would be alias to secure
   08:09:56	robe2:	and can't be a regular redirect
   08:10:09	TemptorSent:	Actually, it MAY work with redirects.
   08:10:41	TemptorSent:	But proxy is easy enough for that, and reliable.
   08:11:17	MartinSpott:	TemptorSent: I still don't understand how each individual service would get their SSL certificate, may I ask you to draw a little chart to be discussed next meeting ?
   08:11:42	MartinSpott:	Containing the paths for 'regular' traffic and the letsencrypt stuff ?
   08:11:43	robe2:	a chart would be good and to put on the wiki
   08:11:56	robe2:	though it's clear in my mind now how it works
   08:12:07	TemptorSent:	Sure... Actually, I think I can sorta put it on one line of ascii:
   08:12:30	robe2:	one line in ascii looks good
   08:12:51	strk:	scp ?
   08:13:07	strk:	to install the cert from letsencrypt.osgeo.org to <service>.osgeo.org server...
   08:13:40	robe2:	secure -> certbot renew -> certbot writes to .well-known folder -> certbot confirms new file is there accessible via http:/whatever.osgeo.org/well-known/...
   08:14:09	robe2:	well rather not certbot confirming but letsencrypt authority
   08:14:10	TemptorSent:	A,B,C are webhosts, S is secure L is LetsEncrypt: L requests A/.well-known/acme-challenge which replies with S/.well-known/acme-challenge
   08:14:57	robe2:	so instead of WKT should be WKA :)
   08:15:17	TemptorSent:	Yeah, the URL itself is the WKT :)
   08:15:44	robe2:	and the strk scp thing, secure scps the cert to the respective webserver
   08:16:08	TemptorSent:	After a successful request, the certbot fires off scp.
   08:16:17	MartinSpott:	robe2: Exactly this is the mising link
   08:16:26	MartinSpott:	missing
   08:16:37	TemptorSent:	Oh, sorry -- thought the ssl side was the confusion :)
   08:17:00	MartinSpott:	no, the entire picture wasn't clear ;-)
   08:17:20	TemptorSent:	Gotcha --
   08:17:28	robe2:	yah the acme challenge response protocol is fairly new
   08:17:47	robe2:	when I get it using other ssl providers it's always a manual thing
   08:17:56	TemptorSent:	SSL requests handled in-band, scp to copy the key to the host triggered by the callback runs out of band.
   08:17:56	robe2:	but certbot has it all nicely automated for you
   08:18:51	TemptorSent:	It's pretty slick actually, much nicer than the old PITA way of authing.
   08:19:08	robe2:	TemptorSent so all that said can we go ahead and get a letsencrypt for nextcloud.osgeo.org and repoint that for nextcloud use
   08:19:46	TemptorSent:	robe2 Sure -- do you have the LE account info so we don't have to set up yet another?
   08:19:54	robe2:	yah the way other providers implement it is clumsy and manual
   08:20:05	robe2:	LE account?
   08:20:11	robe2:	I never use one
   08:20:11	TemptorSent:	LetsEncrypt
   08:20:19	robe2:	well I always have to type in my email address
   08:20:31	TemptorSent:	Hmm, the OSGeo stuff isn't all under one?
   08:20:56	robe2:	didn't know under one was a thing aside from wildcard
   08:21:20		* robe2 fears she's been doing it all wrong
   08:21:24	TemptorSent:	They're not too clear on it actually.
   08:21:39	TemptorSent:	I just try to avoid setting things up repeatedly :)
   08:21:44	TemptorSent:	Doesn't much matter I guess.
   08:21:59	robe2:	yah I mean certbot seems to keep track of all
   08:22:16	robe2:	so certbot renew as I recall will renew all that need renewing on the same server
   08:22:29	robe2:	though I have on my calendar to confirm it's working when it comes due
   08:23:16	TemptorSent:	robe2 in that case, emerge app-crypt/certbot-nginx :)
   08:25:11	TemptorSent:	Hmm, is the ldap cert for ldap.osgeo.org or secure.osgeo.org?
   08:25:41	TemptorSent:	er secure.osgeo.osuosl.org rather
   08:27:50	robe2:	I think they are the same
   08:28:05	TemptorSent:	Reverse-lookup may be biting us.
   08:28:17	TemptorSent:	I'll have to look at that when I'm a bit more alive :)
   08:28:46	MartinSpott:	Little question: did you plan to discuss yet another topic today ?
   08:28:49	TemptorSent:	LDAP and SSL while heading into seriously too tired realm is dangerous for all involved :)
   08:29:09	TemptorSent:	Wiki thoughts I think?
   08:30:14	TemptorSent:	I believe we had a tentative plan there from our last discussion and need to make a testing clone of the running system to work on.
   08:31:47	robe2:	MartinSpott yes we were going to discuss the LDAP / Wiki
   08:31:55	robe2:	I guess the question is where will we put this clone
   08:32:17	robe2:	Do we just wait till the new hardware comes in and maybe the clone eventually becomes the real new thing
   08:32:35	robe2:	cause I imagine ldap is old and the wiki is definitely old
   08:32:45		* strk broomed the house
   08:32:48	TemptorSent:	No, we'll need to wipe the clone out and refresh it right before we actually do the switch for real.
   08:32:50	MartinSpott:	Considering #165, I think it always boils down to: Who's having the skills to modify the Wiki login page ?
   08:33:33	TemptorSent:	I can probably hack the wiki stuff if needed, but I'd prefer not to be the lynchpin on that.
   08:33:44	robe2:	is that a php or python thing page
   08:33:46	MartinSpott:	hehe
   08:33:49	MartinSpott:	PHP
   08:34:07	TemptorSent:	Yeah, I'm painfully familiar with PHP, just rusty and bit out of date.
   08:34:43	MartinSpott:	From my perspective it makes little difference whether it's being updated in-place or setup new: The resource to modify the Wiki is the bottleneck
   08:34:44	robe2:	so the idea is whenever anyone logs into the wiki rewrite the login to legacy_osgeoname or something
   08:34:44	strk:	re LE Auth... I'm afraid I used my own one
   08:34:51	TemptorSent:	I used to write significant php libraries and applications, but I'd rather not go back there :)
   08:34:51	robe2:	I forgot the workflow of it
   08:34:55	strk:	at least, I'm often getting expiration reminders for postgis.net
   08:35:01	robe2:	I can look at page I think my php skills are decent
   08:35:23	strk:	for letsencrypt can you please register letsencrypt.osgeo.org and use that point for redirects ?
   08:35:40	robe2:	strk I put my email address in for all the ones I setup :)
   08:35:41	TemptorSent:	We rewrite all names when we move the db.
   08:35:49	strk:	not sure it should be secure VM rather than somewhere else (in case "secure" is not so much accessible)
   08:35:49	MartinSpott:	If we had PHP developer resources, we could already have the issue ironed out years ago
   08:35:55	MartinSpott:	the Wiki/LDAP I mean
   08:36:15	strk:	can we pay a MediaWiki developer for the task ?
   08:36:24	strk:	I tried asking the LDAP plugin author but he never replied..
   08:36:30	TemptorSent:	Okay, let me dunk my php-skillz in some phosphoric and wirewheel the scale off.
   08:36:35	robe2:	yah I don't think the difficulty would be on the PHP side
   08:36:43	robe2:	would be more on the Wiki structure side
   08:36:48	MartinSpott:	robe2: agreed
   08:36:56	TemptorSent:	That should be pretty easy on the db side of things.
   08:37:14	robe2:	I don't think I have access to the wiki database
   08:37:16	TemptorSent:	A db dump, some mangling, and a reload with an update script.
   08:37:21	MartinSpott:	I can do some PHP as well, but my changes never showed up on the place I expected them to do :-)
   08:37:33	TemptorSent:	*lol* Yeah, php is bad for that.
   08:37:35	robe2:	I think in last meeting I tried logging in and got greeted with German "hello you are not authorized"
   08:37:57	MartinSpott:	TemptorSent: to me it's been the way MediaWiki works
   08:37:58	robe2:	so I was going to look at the db structure but of course the German message says "No no"
   08:37:58	TemptorSent:	We need a sandbox to experiment with it safely.
   08:38:33	robe2:	MartinSpott did you install wiki?
   08:38:38	MartinSpott:	robe2: yes
   08:38:50	robe2:	okay so you're the German saying "no no"
   08:38:52	TemptorSent:	I don't even want to think about touching live data until we can reliably run our migration in 30 mins or less.
   08:39:14	MartinSpott:	robe2: I didn't do so by intention
   08:39:27	robe2:	agreed so MartinSpott any chance you can give me access or a backup
   08:39:52	TemptorSent:	Then, ideally we drop the old offline, create the new instance, migrate, and bring it back up in a half hour or less of total downtime, with an immediate revert possible.
   08:40:04	robe2:	I think we'd want to upgrade wiki as well as test migration right
   08:40:08	MartinSpott:	A MediaWiki dump or a DB dump ? MediaWiki is preferred, I guess
   08:40:22	TemptorSent:	Both, really.
   08:40:23	robe2:	Db dump for now
   08:40:33	robe2:	but yah we'd need both eventually
   08:40:35	strk:	what do you want to do with the dump ?
   08:40:39	strk:	matching between LDAP and local ?
   08:40:39	TemptorSent:	But the DB is where the real work will be.
   08:40:56	TemptorSent:	Figuring out how to do the rewriting in one fell swoop.
   08:41:00	robe2:	I just wanted to see how db is structured (since I am a db programmer more than a regular web programmer)
   08:41:09	strk:	we won't find all matches
   08:41:16	strk:	some (no idea how many) will match by email
   08:41:21	strk:	but others will just not have a match
   08:41:25	robe2:	strk well we weren't going to match right just rename
   08:41:32	TemptorSent:	We're not even going to try to match them.
   08:41:44	robe2:	I just want to make sure there is no crazy linkage (like lacking ref integrity)
   08:41:44	strk:	what's the plan then ?
   08:42:03	robe2:	WordPress was a mess, total lack of respect for referential integrity
   08:42:14	strk:	I'd love to see staging.wiki.osgeo.org with the LDAP plugin installed and configured, to see what it does for us
   08:42:31	robe2:	yah that would be the first
   08:42:32	TemptorSent:	Rename all wiki accounts with a prefix such as _OWU_ (_OldWikiUser_)
   08:42:39	strk:	ah ok
   08:42:46	strk:	and next step ?
   08:42:55	strk:	as we do want merging between accounts
   08:42:58	strk:	and use meaningful names in history of changes
   08:43:01	strk:	ie: new names
   08:43:02	robe2:	yah and in theory rename can happen in db but need to make sure there are no loose ends in other tables
   08:43:04	TemptorSent:	then when users try to login, we force them straight to the osgeo login.
   08:43:21	strk:	ok, let's say they have one, so they login
   08:43:23	strk:	what happens next ?
   08:43:40	TemptorSent:	Once they're logged in with their ldap account, they get asked if there are wiki accounts to merge, and if so, asks for username and password.
   08:43:40	strk:	they need to claim their old identity too
   08:43:50	strk:	is this done already by the plugin ?
   08:43:50	robe2:	we show the ldap screen and force them to log in again :)
   08:44:09	TemptorSent:	We prepend the prefix to the username they specify, verify it, and then run merge_users tool.
   08:44:35	strk:	ok so this is NOT part of the plugin but of the envisioned development to be done ?
   08:45:04	TemptorSent:	Just the trick to get the old account and merge_users (the plugin)
   08:46:23	MartinSpott:	Folks, we need to tell between a) ideas on the logic and b) actual implementation
   08:46:24	TemptorSent:	We can even get tricky and detect them trying to log in with an old name and tell them what to do.
   08:46:47	MartinSpott:	Suggestions on a) have been around for years
   08:46:48	TemptorSent:	Yeah, need to see the DB to determine how much work is actually required on that end.
   08:46:59	TemptorSent:	The login itself is fairly easy.
   08:47:21	MartinSpott:	Ok, I'll provide the required dumps within a few days
   08:47:37	MartinSpott:	Then show us whether the logic actually works ;-)
   08:47:40	TemptorSent:	So we set it up and everyone will be logging in fresh, using ldap only.
   08:48:04	TemptorSent:	Yeah, it's all theoretical until the code starts flying.
   08:48:12		* MartinSpott short break
   08:48:34	robe2:	hmm we probably should be ending the meeting
   08:48:39	robe2:	almost 2 hrs already
   08:48:50	TemptorSent:	But at worst, we'd have a wiki with all existing content present, with prefixed names, and users logging in using ldap.
   08:48:51	robe2:	anything else people want to discuss before we adjourn
   08:49:28	TemptorSent:	The automerging feature is a nice thing to have, but doesn't prevent the migration if push comes to shove.
   08:49:41	markusN:	I'd suggest to write this up on the SAC page, in order to develop pros and cons
   08:49:56	TemptorSent:	It's already mostly laid out in the bug IIRC?
   08:50:05	markusN:	which #?
   08:50:11	TemptorSent:	robe2 Can you append the notes from this meeting?
   08:50:18	TemptorSent:	#165 IIRC?
   08:50:34	TemptorSent:	Don't have it in front of me, something near that :)
   08:50:51	robe2:	yah will do after
   08:51:09	robe2:	https://wiki.osgeo.org/wiki/SAC_Meeting_2018-04-29
   08:51:10	sigabrt:	Title: SAC Meeting 2018-04-29 - OSGeo (at wiki.osgeo.org)
   08:51:23	markusN:	https://trac.osgeo.org/osgeo/ticket/165
   08:51:24	sigabrt:	Title: #165 (Wiki LDAP integration) – OSGeo (at trac.osgeo.org)
   08:51:25	markusN:	bingo
   08:51:27	robe2:	I haven't added anything yet -- feel free to update with the key points
   08:52:15	TemptorSent:	Okay, just notes RE DB dumps and sandbox clone needs.
   08:52:23	robe2:	I think the last set of topics we can't discuss because no movement or people involved not here
   08:52:38	robe2:	yah knock yourself out
   08:52:43	MartinSpott:	robe2: Next Meeting: Which one is correct ? Saturday or the link behind ?
   08:53:12	robe2:	definitely not saturday
   08:53:20	MartinSpott:	ok, Thursday then
   08:53:29	TemptorSent:	Oh, Website "Friends" page?
   08:53:35	robe2:	I was going to move to Thursday so alternate between Thursday and Sunday
   08:53:49	MartinSpott:	ack
   08:53:53	markusN:	ok
   08:54:00	TemptorSent:	Anything we need to do on that item immediately?
   08:54:11	MartinSpott:	I'll provide dumps
   08:54:40		* markusN needs to go
   08:54:47	TemptorSent:	Thank you MartinSpott -- I'll get some eyeballs on them and take a look at the wiki code.
   08:54:48		* markusN waves
   08:54:55	MartinSpott:	If the extensions don't break - are available for current MediaWiki - , I might update the current instance in-place
   08:54:56	TemptorSent:	Take care markusN!
   08:55:15	MartinSpott:	I'll check carefully beforehand
   08:55:24	robe2:	okay updated the next meet time
   08:55:30	TemptorSent:	If that's sanely feasible, it would probably make the migration easier.
   08:55:38	MartinSpott:	Yup
   08:55:45	TemptorSent:	Thanks.
   08:55:56	MartinSpott:	I'll always have a current backup available
   08:56:08	markusN:	thanks to all!
   08:56:16	MartinSpott:	cu Markus
   08:56:18	robe2:	thanks markusN
   08:56:37	markusN:	didn't contribute much
   08:56:55	robe2:	well your interest is always appreciated
   08:58:02	TemptorSent:	Looks like I've got some poking to do at the resolver and SSL setup to see if something is amiss, or just not the config I'm used to.
   08:58:09	robe2:	TemptorSent I'm lost which line in openssl.cnf to edit
   08:58:23	robe2:	all seem like the certs for the server (not certificate authority bundle)
   08:58:27	MartinSpott:	robe2: Did you close the meeting ?
   08:58:47	TemptorSent:	Not yet..
   08:58:53	MartinSpott:	ok
   08:58:58	TemptorSent:	Please do :)
   08:59:05	robe2:	yah it's closing slowly
   08:59:16	robe2:	I think I did actually but TemptorSent missed it :)
   08:59:26	robe2:	meeting adjourned
   08:59:32	TemptorSent:	:)
   08:59:39	TemptorSent:	Okay, after-hours.
   08:59:57	MartinSpott:	thanks for joining so late/early
   09:00:07	robe2:	np
   09:00:32	TemptorSent:	I'm honestly a bit too tired to debug openssl/openldap right now -- it will likely be painfully obvious in the morning with a cup of coffee :)
   09:00:59	TemptorSent:	Spent the day turning over the garden beds, so I'm wiped.