Posted to user@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2010/10/21 10:27:27 UTC

SSL certificates for the OFBiz demo domains

Hi,

I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849

I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue first)?

Thanks

Jacques 



Re: SSL certificates for the OFBiz demo domains

Posted by James McGill <ja...@ableengineering.com>.
On Thu, Oct 21, 2010 at 7:47 PM, Sam Hamilton <sa...@sh81.com> wrote:

>
>
> Yes, with a real SSL cert that works with all browsers now coming in at around $11 a
> year, or a free one that works perfectly with Firefox, Safari and Chrome, why
> go to the extra effort of creating a CA?
>
>

I don't think you can obtain that $11 or free SSL Cert for private DNS
names, can you?   I want to do SSL on hosts that aren't even on the
internet, let alone using names that are delegated by registrars.  It is a
completely private, completely isolated internal system that happens to use
the web application architecture.  That's why I would like to do it with an
internal CA, but the problem is getting the browsers to accept that CA (and
perhaps, accept *only* that CA).  I realize this is beyond the scope of
OFBiz development but I thought I might not be the only OFBiz user who
deploys in an isolated environment.  We'd still really like to have the
encrypted communication of SSL without the third party authentication bits.
The deployment is large enough that the step of "accepting the self-signed
certs" really is a nuisance.

-- 
James McGill
Phoenix AZ

Re: SSL certificates for the OFBiz demo domains

Posted by Sam Hamilton <sa...@sh81.com>.
On 22 Oct 2010, at 06:49, Scott Gray wrote:

> On 22/10/2010, at 10:52 AM, James McGill wrote:
> 
>> On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <sc...@hotwaxmedia.com>wrote:
>> 
>>> On 22/10/2010, at 10:21 AM, James McGill wrote:
>>> 
>>>> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:
>>>> 
>>>>> No - just the usual error messages you would expect to see if it were the
>>>>> self signed cert we currently have installed in the demo box.
>>>>> 
>>>>> 
>>>>> 
>>>> On a related note, I wonder if anyone has a simple cookbook example for
>>>> authorizing a self-signed cert to all the clients in a controlled, in-house
>>>> enterprise environment.  We do not want to spend money on server certs for
>>>> what is strictly an internal application, but we have enough clients that it
>>>> is a problem to go through the steps of accepting a self-signed cert for
>>>> every user.  I have tried making an internal CA, but I never succeeded in
>>>> getting browsers to automatically accept the CA and not ask for validation
>>>> on the server certs.  I have complete control of the client, the server, and
>>>> the network, and I wish I could pre-load SSL authorization so that we have
>>>> the benefits of SSL other than the external CA part.
>>> 
>>> 
>>> You can configure your browser to always trust a self signed cert, google
>>> is your friend here and nothing about it is OFBiz specific.  If the
>>> application is going to be accessed over the internet though then you are
>>> better off paying for a certificate which really isn't very expensive.
>>> 
>> 
>> Thanks -- I understand this, but doing it for hundreds of clients is a
>> pain.
> 
> Not sure I follow you there, hundreds of users or hundreds of deployments?
> 
> Either way, browsers are setup to only trust certain signing authorities and there is no way to bypass that without reconfiguring each browser.  IMO that is the pain and if you're doing it for any more than a few users then a proper certificate begins to make sense pretty quickly.

Yes, with a real SSL cert that works with all browsers now coming in at around $11 a year, or a free one that works perfectly with Firefox, Safari and Chrome, why go to the extra effort of creating a CA? 

> 
>> That's why I want to do something like create a private CA and include it in
>> a standard configuration.
> 
> Everything below is a different topic, you're asking about installing a certificate in OFBiz/Tomcat and that process is the same regardless of how it was signed.  I'm pretty sure people have documented it in the wiki but I don't do it often enough to be able to give you any useful info off the top of my head.
> 
> 
>> Google is not all that friendly in this case.  I understand SSL and Cert
>> Authority pretty well, and have been able to accomplish the desired result
>> with Apache, but not with Catalina (or OFBiz).  I posted here in hopes that
>> someone had, literally, a cookbook example of how to do it.
>> 
>> Our OFBiz installation is not accessible from the internet in any way
>> whatsoever.   It's strictly an internal service for a manufacturing
>> facility.
>> 
>> Ok, so let's say Google is my friend.  I fully understand the instructions
>> here:
>> http://www.initsix.co.uk/content/how-create-internal-certificate-authority
>> 
>> I get this far and then fail to spark the gap between having this CA key,
>> generated cert, and then configuring all browsers in the facility so that
>> they will accept this and any other cert signed by that CA.  There is also
>> some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles
>> a keystore.   I'm here to say that Google is not all that friendly on these
>> topics, and in my defense, I'm not exactly being ignorant or lazy here.
>> 
>> -- 
>> James McGill
>> Phoenix AZ
> 


Re: SSL certificates for the OFBiz demo domains

Posted by Scott Gray <sc...@hotwaxmedia.com>.
On 22/10/2010, at 10:52 AM, James McGill wrote:

> On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <sc...@hotwaxmedia.com>wrote:
> 
>> On 22/10/2010, at 10:21 AM, James McGill wrote:
>> 
>>> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:
>>> 
>>>> No - just the usual error messages you would expect to see if it were the
>>>> self signed cert we currently have installed in the demo box.
>>>> 
>>>> 
>>>> 
>>> On a related note, I wonder if anyone has a simple cookbook example for
>>> authorizing a self-signed cert to all the clients in a controlled, in-house
>>> enterprise environment.  We do not want to spend money on server certs for
>>> what is strictly an internal application, but we have enough clients that it
>>> is a problem to go through the steps of accepting a self-signed cert for
>>> every user.  I have tried making an internal CA, but I never succeeded in
>>> getting browsers to automatically accept the CA and not ask for validation
>>> on the server certs.  I have complete control of the client, the server, and
>>> the network, and I wish I could pre-load SSL authorization so that we have
>>> the benefits of SSL other than the external CA part.
>> 
>> 
>> You can configure your browser to always trust a self signed cert, google
>> is your friend here and nothing about it is OFBiz specific.  If the
>> application is going to be accessed over the internet though then you are
>> better off paying for a certificate which really isn't very expensive.
>> 
> 
> Thanks -- I understand this, but doing it for hundreds of clients is a
> pain.

Not sure I follow you there, hundreds of users or hundreds of deployments?

Either way, browsers are setup to only trust certain signing authorities and there is no way to bypass that without reconfiguring each browser.  IMO that is the pain and if you're doing it for any more than a few users then a proper certificate begins to make sense pretty quickly.

> That's why I want to do something like create a private CA and include it in
> a standard configuration.

Everything below is a different topic, you're asking about installing a certificate in OFBiz/Tomcat and that process is the same regardless of how it was signed.  I'm pretty sure people have documented it in the wiki but I don't do it often enough to be able to give you any useful info off the top of my head.


> Google is not all that friendly in this case.  I understand SSL and Cert
> Authority pretty well, and have been able to accomplish the desired result
> with Apache, but not with Catalina (or OFBiz).  I posted here in hopes that
> someone had, literally, a cookbook example of how to do it.
> 
> Our OFBiz installation is not accessible from the internet in any way
> whatsoever.   It's strictly an internal service for a manufacturing
> facility.
> 
> Ok, so let's say Google is my friend.  I fully understand the instructions
> here:
> http://www.initsix.co.uk/content/how-create-internal-certificate-authority
> 
> I get this far and then fail to spark the gap between having this CA key,
> generated cert, and then configuring all browsers in the facility so that
> they will accept this and any other cert signed by that CA.  There is also
> some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles
> a keystore.   I'm here to say that Google is not all that friendly on these
> topics, and in my defense, I'm not exactly being ignorant or lazy here.
> 
> -- 
> James McGill
> Phoenix AZ


Re: SSL certificates for the OFBiz demo domains

Posted by James McGill <ja...@ableengineering.com>.
On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <sc...@hotwaxmedia.com>wrote:

> On 22/10/2010, at 10:21 AM, James McGill wrote:
>
> > On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:
> >
> >> No - just the usual error messages you would expect to see if it were the
> >> self signed cert we currently have installed in the demo box.
> >>
> >>
> >>
> > On a related note, I wonder if anyone has a simple cookbook example for
> > authorizing a self-signed cert to all the clients in a controlled, in-house
> > enterprise environment.  We do not want to spend money on server certs for
> > what is strictly an internal application, but we have enough clients that it
> > is a problem to go through the steps of accepting a self-signed cert for
> > every user.  I have tried making an internal CA, but I never succeeded in
> > getting browsers to automatically accept the CA and not ask for validation
> > on the server certs.  I have complete control of the client, the server, and
> > the network, and I wish I could pre-load SSL authorization so that we have
> > the benefits of SSL other than the external CA part.
>
>
> You can configure your browser to always trust a self signed cert, google
> is your friend here and nothing about it is OFBiz specific.  If the
> application is going to be accessed over the internet though then you are
> better off paying for a certificate which really isn't very expensive.
>

Thanks -- I understand this, but doing it for hundreds of clients is a
pain.
That's why I want to do something like create a private CA and include it in
a standard configuration.

Google is not all that friendly in this case.  I understand SSL and Cert
Authority pretty well, and have been able to accomplish the desired result
with Apache, but not with Catalina (or OFBiz).  I posted here in hopes that
someone had, literally, a cookbook example of how to do it.

Our OFBiz installation is not accessible from the internet in any way
whatsoever.   It's strictly an internal service for a manufacturing
facility.

Ok, so let's say Google is my friend.  I fully understand the instructions
here:
http://www.initsix.co.uk/content/how-create-internal-certificate-authority

I get this far and then fail to spark the gap between having this CA key,
generated cert, and then configuring all browsers in the facility so that
they will accept this and any other cert signed by that CA.  There is also
some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles
a keystore.   I'm here to say that Google is not all that friendly on these
topics, and in my defense, I'm not exactly being ignorant or lazy here.

-- 
James McGill
Phoenix AZ

Re: SSL certificates for the OFBiz demo domains

Posted by Scott Gray <sc...@hotwaxmedia.com>.
On 22/10/2010, at 10:21 AM, James McGill wrote:

> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:
> 
>> No - just the usual error messages you would expect to see if it were the
>> self signed cert we currently have installed in the demo box.
>> 
>> 
>> 
> On a related note, I wonder if anyone has a simple cookbook example for
> authorizing a self-signed cert to all the clients in a controlled, in-house
> enterprise environment.  We do not want to spend money on server certs for
> what is strictly an internal application, but we have enough clients that it
> is a problem to go through the steps of accepting a self-signed cert for
> every user.  I have tried making an internal CA, but I never succeeded in
> getting browsers to automatically accept the CA and not ask for validation
> on the server certs.  I have complete control of the client, the server, and
> the network, and I wish I could pre-load SSL authorization so that we have
> the benefits of SSL other than the external CA part.


You can configure your browser to always trust a self signed cert, google is your friend here and nothing about it is OFBiz specific.  If the application is going to be accessed over the internet though then you are better off paying for a certificate which really isn't very expensive.

Regards
Scott


Re: SSL certificates for the OFBiz demo domains

Posted by Shi Jinghai <sh...@langhua.cn>.
Hmm, if you're saying you want to use certificates for OFBiz login, perhaps adding a
CRL check to the login procedure would fix your problem?

On Thu, 2010-10-21 at 14:21 -0700, James McGill wrote:
> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:
> 
> > No - just the usual error messages you would expect to see if it were the
> > self signed cert we currently have installed in the demo box.
> >
> >
> >
> On a related note, I wonder if anyone has a simple cookbook example for
> authorizing a self-signed cert to all the clients in a controlled, in-house
> enterprise environment.  We do not want to spend money on server certs for
> what is strictly an internal application, but we have enough clients that it
> is a problem to go through the steps of accepting a self-signed cert for
> every user.  I have tried making an internal CA, but I never succeeded in
> getting browsers to automatically accept the CA and not ask for validation
> on the server certs.  I have complete control of the client, the server, and
> the network, and I wish I could pre-load SSL authorization so that we have
> the benefits of SSL other than the external CA part.
> 
> 


Re: SSL certificates for the OFBiz demo domains

Posted by James McGill <ja...@ableengineering.com>.
On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <sa...@sh81.com> wrote:

> No - just the usual error messages you would expect to see if it were the
> self signed cert we currently have installed in the demo box.
>
>
>
On a related note, I wonder if anyone has a simple cookbook example for
authorizing a self-signed cert to all the clients in a controlled, in-house
enterprise environment.  We do not want to spend money on server certs for
what is strictly an internal application, but we have enough clients that it
is a problem to go through the steps of accepting a self-signed cert for
every user.  I have tried making an internal CA, but I never succeeded in
getting browsers to automatically accept the CA and not ask for validation
on the server certs.  I have complete control of the client, the server, and
the network, and I wish I could pre-load SSL authorization so that we have
the benefits of SSL other than the external CA part.


-- 
James McGill
Phoenix AZ
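The cookbook asked for in James's two messages above (an internal CA whose certificates browsers accept without prompting, loaded into Tomcat as a keystore rather than as Apache httpd's PEM files), as an added example; this is not code from the thread or from the OFBiz project. It also shows why the cheap public certificates mentioned earlier in the thread cannot help here: a public CA only issues for names it can validate on the Internet, so a private DNS name needs a private CA. The CA name "Example Internal CA", the host name ofbiz.example.internal, the "changeit" password and the working directory are assumptions for illustration; only the openssl command line is needed to run it:

```shell
#!/bin/sh
# Added example, not code from the thread or from the OFBiz project: build a
# private CA with OpenSSL, sign a server certificate for a private DNS name,
# and bundle key + chain into a PKCS#12 keystore that Tomcat (and therefore
# OFBiz) can load. Names, paths and the "changeit" password are assumptions.
set -eu

CA_NAME="Example Internal CA"          # assumed CA display name
SERVER_FQDN="ofbiz.example.internal"   # assumed private DNS name; no public CA can issue for it
P12_PASS="changeit"                    # assumed; use a real secret outside of demos

# make_ca DIR: self-signed CA key and certificate in DIR.
# basicConstraints/keyUsage mark it as a CA so browsers accept it as a trust
# anchor; pathlen:0 stops it from delegating to sub-CAs.
make_ca() {
  dir="$1"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = $CA_NAME
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"   # whoever holds this key can impersonate every internal host
}

# make_server_cert DIR: key + CSR for the server, signed by the CA in DIR.
# subjectAltName is mandatory for current browsers (they ignore the CN);
# 825 days is the longest leaf lifetime Apple clients accept.
make_server_cert() {
  dir="$1"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
    "$SERVER_FQDN" > "$dir/server.cnf"
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_FQDN
EOF
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# make_keystore DIR: PKCS#12 bundle (server key, server cert, CA cert) under
# alias "tomcat". Tomcat reads it directly with keystoreType="PKCS12";
# "keytool -importkeystore" converts it to JKS if an older setup insists.
make_keystore() {
  dir="$1"
  openssl pkcs12 -export -name tomcat \
    -in "$dir/server.crt" -inkey "$dir/server.key" -certfile "$dir/ca.crt" \
    -passout "pass:$P12_PASS" -out "$dir/ofbiz.p12" 2>/dev/null
}

# verify_chain DIR: returns 0 if server.crt chains to ca.crt, carries the SAN,
# and the bundle opens with the password; 1 otherwise. Run before touching Tomcat.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$SERVER_FQDN" || return 1
  openssl pkcs12 -in "$dir/ofbiz.p12" -passin "pass:$P12_PASS" -nokeys -info \
    >/dev/null 2>&1 || return 1
  return 0
}

WORKDIR="${WORKDIR:-$(mktemp -d)}"
make_ca "$WORKDIR"
make_server_cert "$WORKDIR"
make_keystore "$WORKDIR"
verify_chain "$WORKDIR" && echo "OK: $WORKDIR/ofbiz.p12 ready; distribute $WORKDIR/ca.crt to clients"
```

On the Tomcat side the HTTPS Connector takes keystoreFile="…/ofbiz.p12", keystorePass="changeit" and keystoreType="PKCS12"; in OFBiz of that era the same three settings are container properties in framework/catalina/ofbiz-component.xml (check the file in your release for the exact property names). Only ca.crt leaves the CA machine: push it to the Windows "Trusted Root Certification Authorities" store by Group Policy (or certutil -addstore -f Root ca.crt on one box), drop it in /usr/local/share/ca-certificates/ and run update-ca-certificates on Debian-style Linux, and for Firefox, which keeps its own NSS store rather than the OS one, either import it with certutil -A -t "C,," into each profile, enable security.enterprise_roots.enabled, or ship it via enterprise policies. Chrome and Safari use the OS store. Two caveats: "accept only that CA" would mean removing the public roots from every client, which breaks everything else they reach, so a private CA is normally added alongside them; and ca.key is now a single point of compromise for every internal host's TLS, so keep it offline and sign from it rarely.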

Re: SSL certificates for the OFBiz demo domains

Posted by Jacques Le Roux <ja...@les7arts.com>.
OK, that looks like a good solution if there are no hidden issues; we will see...
I will suggest this to the infra team.

Thanks Again Sam!

Jacques

From: "Sam Hamilton" <sa...@sh81.com>
> No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo 
> box.
>
>
> On 21 Oct 2010, at 20:20, Jacques Le Roux wrote:
>
>> Thanks for the tip Sam,
>>
>> Was the problem with Opera blocking (ie making it worse than nothing)?
>>
>> Jacques
>>
>>
>> Sam Hamilton wrote:
>>> You don't have to pay for SSL - http://www.startssl.com/
>>> We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not
>>> 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all
>>> perfect.  Sam
>>> On 21 Oct 2010, at 16:35, Scott Gray wrote:
>>>> Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.
>>>> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
>>>> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. 
>>>> Although I'm glad you did, I got another server to play with at work :-) Regards
>>>> Scott
>>>> HotWax Media
>>>> http://www.hotwaxmedia.com
>>>> On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:
>>>>> Hi,
>>>>> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>>>>> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue
>>>>> first)? Thanks
>>>>> Jacques
>>
>
> 



Re: SSL certificates for the OFBiz demo domains

Posted by Jacques Le Roux <ja...@les7arts.com>.
BTW I just tried. This does not work (yet) in France: it keeps asking for a state/province, which we have none of in France (I have asked, as they 
suggest) :/

Never mind: it's off topic

Jacques

From: "Sam Hamilton" <sa...@sh81.com>
> No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo 
> box.
>
>
> On 21 Oct 2010, at 20:20, Jacques Le Roux wrote:
>
>> Thanks for the tip Sam,
>>
>> Was the problem with Opera blocking (ie making it worse than nothing)?
>>
>> Jacques
>>
>>
>> Sam Hamilton wrote:
>>> You don't have to pay for SSL - http://www.startssl.com/
>>> We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not
>>> 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all
>>> perfect.  Sam
>>> On 21 Oct 2010, at 16:35, Scott Gray wrote:
>>>> Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.
>>>> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
>>>> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. 
>>>> Although I'm glad you did, I got another server to play with at work :-) Regards
>>>> Scott
>>>> HotWax Media
>>>> http://www.hotwaxmedia.com
>>>> On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:
>>>>> Hi,
>>>>> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>>>>> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue
>>>>> first)? Thanks
>>>>> Jacques
>>
>
> 



Re: SSL certificates for the OFBiz demo domains

Posted by Sam Hamilton <sa...@sh81.com>.
No - just the usual error messages you would expect to see if it were the self signed cert we currently have installed in the demo box. 

 
On 21 Oct 2010, at 20:20, Jacques Le Roux wrote:

> Thanks for the tip Sam,
> 
> Was the problem with Opera blocking (ie making it worse than nothing)?
> 
> Jacques
> 
> 
> Sam Hamilton wrote:
>> You don't have to pay for SSL - http://www.startssl.com/
>> We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not
>> 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all
>> perfect.  Sam
>> On 21 Oct 2010, at 16:35, Scott Gray wrote:
>>> Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.
>>> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
>>> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. Although I'm glad you did, I got another server to play with at work :-) Regards
>>> Scott
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>> On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:
>>>> Hi,
>>>> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>>>> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue
>>>> first)? Thanks
>>>> Jacques
> 


Re: SSL certificates for the OFBiz demo domains

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks for the tip Sam,

Was the problem with Opera blocking (ie making it worse than nothing)?

Jacques


Sam Hamilton wrote:
> You don't have to pay for SSL - http://www.startssl.com/
> We have used them at the last company where I worked for making internal things not error out and scare normal people - it's not
> 100% compatible with all browsers, I remember that Opera had problems and still errored but Firefox, Safari and Chrome were all
> perfect.  
> 
> Sam
> 
> 
> On 21 Oct 2010, at 16:35, Scott Gray wrote:
> 
>> Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.
>> 
>> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
>> 
>> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before. 
>> Although I'm glad you did, I got another server to play with at work :-) 
>> 
>> Regards
>> Scott
>> 
>> HotWax Media
>> http://www.hotwaxmedia.com
>> 
>> On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:
>> 
>>> Hi,
>>> 
>>> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>>> 
>>> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue
>>> first)? 
>>> 
>>> Thanks
>>> 
>>> Jacques


Re: SSL certificates for the OFBiz demo domains

Posted by Sam Hamilton <sa...@sh81.com>.
You don't have to pay for SSL - http://www.startssl.com/
We have used them at the last company where I worked to stop internal things from erroring out and scaring normal people - it's not 100% compatible with all browsers; I remember that Opera had problems and still errored, but Firefox, Safari and Chrome were all perfect. 

Sam


On 21 Oct 2010, at 16:35, Scott Gray wrote:

> Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.
> 
> "Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.
> 
> I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before.  Although I'm glad you did, I got another server to play with at work :-)
> 
> Regards
> Scott
> 
> HotWax Media
> http://www.hotwaxmedia.com
> 
> On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:
> 
>> Hi,
>> 
>> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
>> 
>> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue first)?
>> 
>> Thanks
>> 
>> Jacques 
>> 
> 


Re: SSL certificates for the OFBiz demo domains

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Is it really needed?  I don't think anyone is going to be entering their credit card details on the site.

"Looking professional" is about the only argument for it and Tony seems to indicate that won't be enough.

I still have no idea why we needed to move the demos over to ASF infrastructure, everything was certainly easier before.  Although I'm glad you did, I got another server to play with at work :-)

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 21/10/2010, at 9:27 PM, Jacques Le Roux wrote:

> Hi,
> 
> I have asked for SSL certificates for the OFBiz demo domains: https://issues.apache.org/jira/browse/INFRA-2849
> 
> I just got an answer from the infra team and I'd appreciate some help to come up with good arguments; do you have any (please read the issue first)?
> 
> Thanks
> 
> Jacques 
>