Migrate away from georchestra-127-0-1-1.traefik.me in the traefik docker compose file
Recently the certificate used for georchestra-127-0-1-1.traefik.me
in the default traefik docker compose file was revoked by the Let's Encrypt entity.
This is an issue because on some browsers that actually check for revoked certificates the page does not load anymore; it returns a big error, SEC_ERROR_REVOKED_CERTIFICATE,
with no easy way to bypass it.
I sent a message to the maintainer of traefik.me, and he confirmed the revocation:
In the future, I would propose to migrate away from this custom TLS certificate because this poses some issues for developers who just want georchestra to work. The error message can't be "bypassed" easily.
Possible solutions:
- Use a self-signed certificate with a custom domain. It could still be http://traefik.me or https://nip.io, or we could have a subdomain for that under georchestra.org like localhost.georchestra.org.
Or buy a domain just for that; domains usually do not cost that much, for example a .ovh
costs 2€/month: https://www.ovhcloud.com/fr/domains/tld/ovh/. We just have to point it to 127.0.0.1, that's it.
The user will be presented with a warning, but that's ok for local development and everyone should expect this error when working with software installed locally.
- Only use HTTP, not HTTPS, with a custom domain. This may not work as some components have HTTPS hardcoded in them, but it has the upside of not requiring any certificate and will work for everyone, minus the warning in the browser, which is easily "bypassable".
ping @jeanmi151 @pmauduit @jeanmi151 @emmdurin @fvanderbiest
Thanks for the investigation Emilien!
HTTP is not desirable at all. We want to be as close as possible with a production environment.
Self Signed is also the source of problems with several browsers.
There's no good solution. I do not see any urgency in changing how things work today.
When the "Bring your own Domain" solution is live, it may be worth giving it a try!
I'd say there is an emergency there. The Traefik.me certificate seems to be revoked half the time, which really disrupts the docker composition.
And using self-signed certificate with georchestra-127-0-1-1.traefik.me doesn't work on my browser because of some HSTS stuff. That's really a mess
I still think that having the option to run simple HTTP would be nice for dev & discovery (new users) purposes. Do you know which services have https hardcoded?
> I still think that having the option to run simple HTTP would be nice for dev & discovery (new users) purposes. Do you know which services have https hardcoded?
Well technically there is HTTPS everywhere here: https://github.com/search?q=repo%3Ageorchestra%2Fdatadir%20https&type=code
Ideally the protocol should never be specified; scheme-relative URLs like //mydomain.com/test
instead of https://mydomain.com/test
should be used.
See here for a detailed explanation: https://stackoverflow.com/questions/35265762/scheme-relative-url
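As an added illustration (not code from this thread, from geOrchestra or from the datadir repository), the following Python snippet shows what the comment above relies on: a browser resolves a scheme-relative URL against the page it appears on, so the same value works over http and https. It also scans constructed, datadir-style property lines for hardcoded `https://` and rewrites them to scheme-relative form; the property names and host are made up for the example.

```python
import re
from urllib.parse import urljoin

# Constructed sample in the spirit of datadir-style properties files.
# These keys and the host are invented for the example, not real geOrchestra config.
SAMPLE_CONFIG = """\
geonetwork.url=https://georchestra-127-0-1-1.traefik.me/geonetwork
mapstore.url=https://georchestra-127-0-1-1.traefik.me/mapstore
smtp.host=smtp.example.org
"""

ABSOLUTE_HTTPS = re.compile(r"https://")


def resolve(page_url, url):
    """Resolve `url` the way a browser does for a link found on `page_url`.

    A scheme-relative URL (//host/path) inherits the scheme of the page.
    With an empty base there is nothing to inherit: the URL comes back as-is,
    which is why scheme-relative values are only safe for browser-side use.
    """
    return urljoin(page_url, url)


def find_hardcoded(config):
    """Return the config lines that pin the https scheme."""
    return [line for line in config.splitlines() if ABSOLUTE_HTTPS.search(line)]


def to_scheme_relative(line):
    """Rewrite https://host/path into //host/path, leaving other text untouched."""
    return ABSOLUTE_HTTPS.sub("//", line)


def rewrite_config(config):
    """Apply to_scheme_relative to every line of a properties-style config."""
    return "\n".join(to_scheme_relative(line) for line in config.splitlines())


if __name__ == "__main__":
    for base in ("https://georchestra.example/app/", "http://georchestra.example/app/"):
        print(base, "->", resolve(base, "//mydomain.com/test"))
    print("hardcoded:", find_hardcoded(SAMPLE_CONFIG))
    print(rewrite_config(SAMPLE_CONFIG))
```

The empty-base case is the caveat a migration would have to handle: a backend component that reads the same property and calls the URL itself has no page scheme to inherit, so it would need a separate, explicit scheme.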
> And using self-signed certificate with georchestra-127-0-1-1.traefik.me doesn't work on my browser because of some HSTS stuff. That's really a mess
Odd because there are no HSTS headers in georchestra nor on traefik.me main domain.
Why not switch to georchestra-127-0-0-1.georchestra.org (that we manage) instead of traefik's?
> Why not switch to georchestra-127-0-0-1.georchestra.org (that we manage) instead of traefik's?
If one day you were to implement HSTS on georchestra.org (the norm is to apply it to all subdomains), then everyone who tries to set up a self-signed certificate that is not trusted by the browser will get an error that can't be bypassed.
> If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), the user agent must terminate the connection (RFC 6797 section 8.4, Errors in Secure Transport Establishment) and should not allow the user to access the web application (section 12.1, No User Recourse).
source: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
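To make the objection above concrete, here is an added example (my own code, not from the thread or from geOrchestra) modelling the relevant part of RFC 6797: how a browser's HSTS store parses a Strict-Transport-Security header, how a policy on a parent domain reaches a subdomain only through includeSubDomains, and the consequence that an HSTS host gets a hard failure on an untrusted certificate instead of a click-through warning. The hostnames are the ones discussed in the thread; the header values are constructed.

```python
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directives are ';'-separated and case-insensitive; max-age is mandatory.
    Unknown directives (e.g. preload) are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains)


def record_policy(store, host, header):
    """Update the browser's HSTS store after a response from `host` over TLS.

    `store` is a dict host -> HstsPolicy. max-age=0 removes a cached policy.
    """
    policy = parse_hsts(header)
    if policy.max_age == 0:
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = policy


def is_hsts_host(store, host):
    """True if `host` is a Known HSTS Host (RFC 6797 section 8.2/8.3).

    Either the host itself has a policy, or a parent domain has one that
    carries includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = store.get(candidate)
        if policy is None:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def untrusted_cert_can_be_bypassed(store, host):
    """On an HSTS host the UA must terminate on an untrusted certificate with no
    user recourse (sections 8.4 and 12.1); elsewhere the usual warning page
    lets a developer click through a self-signed certificate."""
    return not is_hsts_host(store, host)


if __name__ == "__main__":
    dev_host = "georchestra-127-0-0-1.georchestra.org"
    for header in ("max-age=31536000; includeSubDomains", "max-age=31536000"):
        store = {}
        record_policy(store, "georchestra.org", header)  # constructed header value
        print(header, "->", "bypassable" if untrusted_cert_can_be_bypassed(store, dev_host) else "hard failure")
```

The two runs in the `__main__` block show the distinction that matters for the proposal: a policy on georchestra.org without includeSubDomains leaves the dev subdomain alone, while the common `includeSubDomains` form turns a self-signed certificate on it into an unrecoverable error.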
> If one day you were to implement HSTS on georchestra.org (the norm is to apply it to all subdomains), then everyone who tries to set up a self-signed certificate that is not trusted by the browser will get an error that can't be bypassed.
Let's buy georchestra-demo.org then ;-)